> On 21 Apr 2017, at 14:22, Sjöholm Per-Olov <p...@incedo.org> wrote:
> 
> 
>> On 21 Apr 2017, at 10:34, Stuart Henderson <s...@spacehopper.org> wrote:
>> 
>> On 2017-04-20, Sjöholm Per-Olov <p...@incedo.org> wrote:
>>> Could it be any buffers that are causing this in 6.1 but not in 6.0?
>> 
>> There were changes that would allow larger TCP buffers in 6.1. This
>> would not have made a difference to normal or natted connections from
>> non-OpenBSD going through PF to non-OpenBSD but could possibly affect
>> some configurations with proxies (though only if PF rules were already
>> dodgy - you would have active states in "pfctl -ss|grep -A1 tcp"
>> without wscale values if this was the case).
>> 
>> Might be worth bumping up the pf log level and seeing if system logs
>> give you more clues. Default is "error", you need "notice" to get the
>> ones which might give useful clues (loose state match warnings or
>> state mismatch errors).  (On a busy machine, be ready to back-off on
>> the debug level in case it causes too much load).
>> 
>> 
> 
> Another addition… This is what the problem actually looks like
> 
> ## 1 ## When the problem is ongoing…. Telnet from internet to DMZ server FAIL
> [sjoholmp@dewey ~]$ telnet mail.dyn.incedo.org 25
> Trying 155.4.8.28...
> ^C
> 
> ## 2 ## This looks like this
> Apr 21 14:06:28.751796 rule 573/(match) pass in on em3: 168.235.89.110.42126 > 192.168.1.12.25: S 2597688027:2597688027(0) win 29200 <mss 1460,sackOK,timestamp 668227520 0,nop,wscale 6> (DF)
> Apr 21 14:06:28.751824 rule 63/(match) block out on em3: 155.4.8.28.25 > 168.235.89.110.42126: R 0:0(0) ack 2597688028 win 0 (DF)
> 
> 
> ## 3 ## Reload PF
> root@xanadu:/var/log#pfctl -f /etc/pf.conf
> root@xanadu:/var/log#
> 
> 
> ## 4 ## Telnet from internet again WORKS
> [sjoholmp@dewey ~]$ telnet mail.dyn.incedo.org 25
> Trying 155.4.8.28...
> Connected to mail.dyn.incedo.org.
> Escape character is '^]'.
> 220 mail.dyn.incedo.org ESMTP Sendmail; Fri, 21 Apr 2017 14:08:16 +0200
> 
> 
> ## 5 ## Looks like this
> Apr 21 14:08:16.239213 rule 573/(match) pass in on em3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)
> Apr 21 14:08:16.239267 rule 89/(match) pass out on vlan3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)
> 
> ## 6 ## After a few hours the same problem occurs again which requires a PF reload
> 
> The dmesg extra output after pfctl -x notice only shows..
> pf: pf_map_addr: selected address 155.4.8.28
> 
> 
> I have serious problems with 6.1. I will probably go back to 6.0. I will 
> give it to the end of this day and check what I can…
> 
> Peo
> 


I downgraded to 6.0 stable again and all problems are gone.

As I cleaned up sysctl and reduced the ruleset to basic and still had the 
problem, I guess there eventually could be a problem with the 6.1 kernel. I tried 
both UNI and MP kernels with the same problem.

/Peo
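
The failure signature in the quoted pflog output (a SYN passed in on em3, then a RST to the same client blocked out with ack equal to the SYN's sequence number plus one) can be searched for across a whole log. This is an added example, not part of the original thread; the function name `blocked_resets` is hypothetical, and it assumes log lines in the format shown in the post.

```python
import re

# The four pflog lines from the post, with the mail client's line wrapping removed.
SAMPLE = """\
Apr 21 14:06:28.751796 rule 573/(match) pass in on em3: 168.235.89.110.42126 > 192.168.1.12.25: S 2597688027:2597688027(0) win 29200 <mss 1460,sackOK,timestamp 668227520 0,nop,wscale 6> (DF)
Apr 21 14:06:28.751824 rule 63/(match) block out on em3: 155.4.8.28.25 > 168.235.89.110.42126: R 0:0(0) ack 2597688028 win 0 (DF)
Apr 21 14:08:16.239213 rule 573/(match) pass in on em3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)
Apr 21 14:08:16.239267 rule 89/(match) pass out on vlan3: 168.235.89.110.42168 > 192.168.1.12.25: S 4285065753:4285065753(0) win 29200 <mss 1460,sackOK,timestamp 668335004 0,nop,wscale 6> (DF)
"""

# Fields of one logged packet in the format shown in the post.
LINE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRPWE.]+) "
    r"(?:(?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

def blocked_resets(log_text):
    """Pair each inbound SYN that passed with a RST to that client that was blocked out."""
    pending, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        f = m.groupdict()
        if (f["action"], f["dir"], f["flags"]) == ("pass", "in", "S") and f["seq"]:
            pending[f["src"]] = f  # keyed by client ip.port
        elif (f["action"], f["dir"]) == ("block", "out") and "R" in f["flags"]:
            syn = pending.get(f["dst"])
            # Only the client ip.port is compared: in the post the server address
            # differs between the SYN (192.168.1.12) and the RST (155.4.8.28).
            if syn and f["ack"] and int(f["ack"]) == (int(syn["seq"]) + 1) % 2**32:
                findings.append({"client": f["dst"], "syn_time": syn["ts"],
                                 "pass_rule": int(syn["rule"]), "pass_if": syn["ifc"],
                                 "block_rule": int(f["rule"]), "block_if": f["ifc"]})
                del pending[f["dst"]]
    return findings

if __name__ == "__main__":
    for hit in blocked_resets(SAMPLE):
        print(hit)
```

Each finding names the pass rule and the block rule involved, which gives the rule numbers to look up with `pfctl -sr -R <number>` when comparing the failing and working cases.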
