pf woes
Anon
2013-Feb-28 4:26 pm
FreeBSD 9.1 EAGAIN with news client and pf rules enabled

I have a weird problem where if I have my pf rules enabled, with nzbget I see the following errors during fetching of articles:

    ERROR Thu Feb 28 09:20:42 2013 - Could not receive data on socket: ErrNo 35, Resource temporarily unavailable

If I use SSL, I get a different error, but likely the same root cause:

    ERROR Thu Feb 28 09:30:20 2013 - Could not read from TLS-socket: cannot read from TLS connection: the operation timed out

If I disable pf, I do not get these errors. However, monitoring pflog while nzbget is running, I do not see any messages from pflog when these errors occur. How can I find out which pf rule is causing this or if it's pf itself?

FWIW, the only limiting rule in my pf.conf is the following (which should not apply given I'm limiting it to dst port 22 inbound):

    pass in on $eif proto tcp from !<allowed> to $nat port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 10/30, overload flush global)

Thoughts?

Bink
Member
2013-Feb-28 9:27 pm
What's the output of pfctl -si when this happens?

pflog
MVM
2013-Mar-1 11:52 am
I see the same thing as the OP. I disabled pf then enabled it with an empty pf.conf. pfctl -s rules shows nothing:

    # pfctl -s rules

pfctl -si just after enabling the empty rules shows:

    root@pflog:~# pfctl -si
    Status: Enabled for 0 days 00:00:19           Debug: Urgent

    State Table                          Total             Rate
      current entries                      125
      searches                          890080        46846.3/s
      inserts                            24381         1283.2/s
      removals                           24509         1289.9/s
    Counters
      match                              29459         1550.5/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              1            0.1/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              4            0.2/s
      proto-cksum                            0            0.0/s
      state-mismatch                        11            0.6/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              7            0.4/s
      synproxy                               0            0.0/s

And after I've seen a few errors (I tested with SSL fwiw):

    Status: Enabled for 0 days 00:02:40           Debug: Urgent

    State Table                          Total             Rate
      current entries                       59
      searches                         1524441         9527.8/s
      inserts                            24381          152.4/s
      removals                           24575          153.6/s
    Counters
      match                             662108         4138.2/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              1            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              4            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                        11            0.1/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              7            0.0/s
      synproxy                               0            0.0/s

Don't see anything obvious in there. I'm wondering if it has something to do with socket reuse and a bug in pf? I asked how long this has been going on and it sounded like it may have started for my buddy when he updated to 9.0 (and persists in 9.1).

pf woes
Anon
2013-Mar-1 2:31 pm
to Bink
Same as with pflog, no real changes in pfctl -si with all "pass" rules in pf.conf but with pf enabled.

koitsu
MVM
to pf woes
Submit this entire problem to freebsd-pf@freebsd.org. You will need to include the following data:

1. uname -a
2. Your pf.conf
3. /etc/sysctl.conf
4. ifconfig -a
5. netstat -m
6. netstat -inb
7. netstat -s
8. dmesg
9. Full details of your setup, e.g. anything you consider relevant

Finally I must stress this: do not modify or hide any information from any of the above output, especially pf.conf -- it matters greatly. I cannot stress this enough. For example, I can see from the single line of the OP's post NAT is involved yet that isn't disclosed anywhere (it matters).

The only folks who can help rectify/solve this are on that mailing list.

pflog
MVM
2013-Mar-1 7:39 pm
I can file this if the OP doesn't/can't/won't. I just hope I don't then label myself as a pirate for submitting it! haha

Question though. When I reproduced this for my friend, my pf.conf was literally an empty file. I agree that rule shows they're doing nat/rdr of some kind, but it doesn't explain an empty pf.conf causing it if it's nat related, does it?

koitsu
MVM
I could speculate all day and night about what the problem is, but I'd rather not. I'd rather verbose details be provided to freebsd-pf@ and let the maintainers figure it out. Yes, please be sure (especially at the top) to explain that disabling pf entirely somehow "resolves" the problem.

I should note that if someone can provide a full 100% reliable test case for this and provide actual step-by-step reproduction methods, that would be best to provide in the mail as well. For example, the OP's two errors are for two different things (those two errors are completely different) and the latter could be explained by a lot of things unrelated to pf. Gotta use static IPs rather than DNS and hope that whatever the IP is doesn't rely on a network using anycast, else if it's an IP/TCP stack problem (or firewall-related problem) it's hard to track down.

I would also strongly suggest you start making use of the set loginterface {iface} option in your pf.conf so that you can see the number of passed/blocked packets. Validation:

    root@omake:~ # pfctl -s info
    Status: Enabled for 57 days 15:26:05          Debug: Urgent

    Interface Stats for em0              IPv4             IPv6
      Bytes In                     4448753616                0
      Bytes Out                    5546471952              152
      Packets In
        Passed                       61899593                0
        Blocked                         41705                0
      Packets Out
        Passed                       61966122                0
        Blocked                             6                2

    State Table                          Total             Rate
      current entries                       22
      searches                       123901838           24.9/s
      inserts                          2302335            0.5/s
      removals                         2302313            0.5/s
    Counters
      match                            2340304            0.5/s
      bad-offset                             0            0.0/s
      fragment                             864            0.0/s
      short                                  0            0.0/s
      normalize                             19            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                       156            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
Use that, and if you see dropped being incremented *every time* you encounter the problem, then there is further debugging that can be done. But again: all this should go to freebsd-pf@freebsd.org.

pflog
MVM
2013-Mar-2 4:20 pm
Well, pf can be ruled out. I put together a little reporting script that would run the commands you requested (and I prepended a timestamp for correlation with the news client's log file). I figured I would grab the logs for the case when pf was disabled for comparison and in doing so I saw the same failures, even with pf disabled.
Any idea which list it would go to instead? OP doesn't seem like they are going to do this (although I haven't looked at the pf mailing list archives today yet).

koitsu
MVM
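An added example (my own code, not pflog's reporting script nor anything else from this thread) of the correlation koitsu and pflog describe: it diffs two pfctl -s info snapshots taken around a news-client failure and prints only the counters that rose, so a failure timestamp in the client log can be checked against pf's Blocked and state-mismatch counters. The snapshots embedded below are constructed and abridged, and the function and file names are my own.

```shell
# Diff two "pfctl -s info" snapshots and print only the counters that rose,
# so a news-client error timestamp can be matched against pf's Blocked /
# state-mismatch / src-limit counters. Live capture per snapshot (assumed
# usage): { date; pfctl -s info; } > snap.$(date +%s)

pf_counter_delta() {   # $1 = earlier snapshot file, $2 = later snapshot file
    awk '
      /^[ \t]*Packets In/  { dir = "in";  next }   # Passed/Blocked get a
      /^[ \t]*Packets Out/ { dir = "out"; next }   # direction prefix
      /^[ \t]*(State Table|Counters)/ { dir = ""; next }
      /^[ \t]*(Passed|Blocked)[ \t]+[0-9]+/ { name = dir "_" tolower($1); val = $2 }
      /^[ \t]*[a-z-]+[ \t]+[0-9]+[ \t]+[0-9.]+\/s/ { name = $1; val = $2 }
      name != "" {                  # first file fills before[], second after[]
          if (NR == FNR) before[name] = val; else after[name] = val
          name = ""
      }
      END {
          for (k in after)
              if (after[k] + 0 > before[k] + 0)
                  printf "%s +%d\n", k, after[k] - before[k]
      }' "$1" "$2"
}

# Constructed, abridged snapshots (same layout as real pfctl -s info output).
write_samples() {   # $1 = directory to write before/after into
    cat > "$1/before" <<'EOF'
Status: Enabled for 0 days 00:00:19           Debug: Urgent
Interface Stats for em0           IPv4           IPv6
  Packets In
    Passed                       100              0
    Blocked                        4              0
State Table                      Total           Rate
  searches                      890080      46846.3/s
Counters
  memory                             0          0.0/s
  state-mismatch                    11          0.6/s
EOF
    cat > "$1/after" <<'EOF'
Status: Enabled for 0 days 00:02:40           Debug: Urgent
Interface Stats for em0           IPv4           IPv6
  Packets In
    Passed                       160              0
    Blocked                        7              0
State Table                      Total           Rate
  searches                      900080       9527.8/s
Counters
  memory                             0          0.0/s
  state-mismatch                    13          0.1/s
EOF
}
d=$(mktemp -d); write_samples "$d"; pf_counter_delta "$d/before" "$d/after"
```

Counters that did not move (memory here) are not printed, so on a real box a Blocked or state-mismatch line appearing on every failure is the signal koitsu asks for.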
Probably freebsd-net@freebsd.org or freebsd-stable@freebsd.org (although you should state that the issue appears to affect 9.1-RELEASE, assuming the OP and/or you are running that). As for the data to provide: everything I mentioned here except for #2.

pflog
MVM
2013-Mar-4 2:01 pm
Tangential question: are there public NNTP servers with LEGAL large files on them I can use to create a test case and capture data?

I'm sure my friend doesn't mind me using his news provider to test, and I did find ubuntu ISOs I can use for testing, but I am still wary of connecting to these kinds of things.

So unless I can find such a thing, I'm going to point my friend to this thread (although I'd have to walk him through it probably) or hopefully the OP sends the problem in.

graysonf
MVM
Be more specific about exactly what you want to do on a public news server and you might get specific recommendations.

pflog
MVM
2013-Mar-4 2:36 pm
said by graysonf: Be more specific about exactly what you want to do on a public news server and you might get specific recommendations.

I need two downloads, at least 500 MB. They must be distinct I think in order to queue up 2 of them. So perhaps a Linux/FreeBSD/etc ISO? I don't know all the lingo, but I guess I would need "nzb" files corresponding to these files to feed into this application.

graysonf
MVM
There are no single individual "files" (articles) that large in Usenet. The max allowed by the standard is 1MB including encoding overhead.

pflog
MVM
2013-Mar-4 2:43 pm
said by graysonf: There are no single individual "files" (articles) that large in Usenet. The max allowed by the standard is 1MB including encoding overhead.

Oh ok. I'm guessing this nzb file somehow combines them then? Obviously there are things on there larger than 1MB... *edit* yep

graysonf
MVM
An nzb is a text file containing a list of the individual articles that make up a complete multipart post. You need an nzb capable news reader or binary news downloader to use them. You can search the binary newsgroups for content you might be interested in at the web site » www.binsearch.info

Do you still need a free server to download from?

pflog
MVM
2013-Mar-4 2:58 pm
So is there a public/free server that would have legal files then or not? This will help me find something to download, thanks. But I'm hesitant to test against a known "illegal" news host. If there's no way around that, then as I said I'll help my friend do it from his connection/host.

graysonf
MVM
It's up to you to decide what legal content is or isn't. Use the site I suggested to search for what you consider to be legal content or browse some of the available groups to see what's out there. There is no such thing as an illegal news host. I'd venture to say that every server that carries binary content contains some posts that infringe on somebody's intellectual property rights. You can get somewhat crippled free news service here, just sign up for it. » xsusenet.com/

pflog
MVM
2013-Mar-4 3:09 pm
I found legal content to download. Ok, so not an "illegal news host", but obviously my friend's company isn't there so people can browse text news groups. So what I'm asking is if there are public news servers that index LEGAL binary content such as ubuntu ISOs above and explicitly delete/prevent (as much as they can) illegal content or not? Just trying to cover my ass here.

graysonf
MVM
There are news servers that offer free accounts with certain limitations, such as you can not post, the data rate is limited, retention is limited, and the number of simultaneous connections and/or hosts you can connect with are limited, etc. I suggested one such service where you can get such limited free service. Go there and sign up for a free account.

I'm not aware of any news service that actively prevents illegal content on their servers. They all have mechanisms in place where the actual owners of copyrighted material (or their representatives) can demand that their material be removed from the server. And law enforcement can act to have illegal content such as child porn removed. But all this happens on a case by case basis, one request at a time. Requesting the removal of content on one server does not get it removed from the many, many thousands of other servers out there. It's basically impossible to prevent illegal content and even more impossible to get it universally removed everywhere it may be found.

You need not worry about connecting to a server that holds illegal content. Even downloading illegal content might not in itself be illegal. Uploading illegal content is where you can get into trouble. But you don't seem to be wanting to do that.

pflog
MVM
2013-Mar-4 3:44 pm
Thanks for the explanation. I guess I'm just being overly paranoid.

pflog
to koitsu
I guess the OP is gone. In any event, I got curious if the new TCP stack caused the problem so I've tried (in a VM):

- FreeBSD 7.4 (afaik does not have the new stack backported, right?)
- FreeBSD 8.3
- FreeBSD 9.1

All exhibit the same problem. So I guess it's likely that it's an application bug or the code does something that does not work properly with FreeBSD.

koitsu
MVM
I wasn't aware there was a "new TCP stack".
If someone could tell me exactly how to set up + reproduce this (I tend to test such things under VMware Workstation) I can try to track it down with ktrace and some other tools.

pflog
MVM
2013-Mar-8 5:29 pm
said by koitsu: I wasn't aware there was a "new TCP stack".

I was probably thinking of the modular congestion control. I thought prior to that there were some major TCP stack changes, I could be wrong.

pflog
to pf woes
If you're still out there OP, I signed up for a trial service and tested my friend's configuration and it worked fine with the same nzbget configuration and number of connections. So I think this is a problem on the server side or at least something about the FBSD system the remote server doesn't like.

pflog
to koitsu
Well, crap. I just had this happen on the trial news provider, too. So I'm starting to think it's our connections. We're in the same relative area both with comcast business class. I don't think my friend has the same speed plan as me, though I'm not sure that would matter.