[FUG-BR] PF with ICMP failure

Renata Dias renatchinha at gmail.com
Sat Apr 3 01:54:18 BRT 2010


Folks,

   I managed to solve this failure by increasing the bandwidth on my "parent"
queues total and total_out, since both were set to 34Mb and the traffic was at
the limit... hence the "no buffer space" message. I raised it to 80Mb (even
though I don't have that much outbound link to the internet) and changed a few
sysctls too.

# PF + ALTQ
net.inet.ip.intr_queue_maxlen=200
kern.ipc.somaxconn=512
kern.ipc.maxsockbuf=1048576


The system is now 100% functional!! I'm putting together a PF template for
Cacti to measure the traffic of each of the queues, because I couldn't find a
ready-made one :(


Thanks!!




On 23 March 2010 12:22, Renata Dias <renatchinha at gmail.com> wrote:

>
>
>  On 19 March 2010 16:34, Aline Freitas <aline at bsd.com.br> wrote:
>
>> Renata,
>>
>>
>> I once had my network behaving like that because of badly done tweaks in
>> sysctl.conf. What do you have in it?
>>
>> Regards,
>> Aline
>>
>>
>>
>> On Mar 19, 2010, at 10:37 AM, Renata Dias wrote:
>>
>> > Dear all,
>> >
>> >    I found several discussions about my question, but none with a
>> > solution!
>> >
>> > I enable pf and the network starts responding with "No buffer space
>> > available". I tried some options I found on the internet, such as:
>> > set limit { states 1000000000, src-nodes 1000000000, frags 50000000 },
>> > but without success.
>> >
>> > Here is my pf.conf
>> >
>> > if_wan_upload="em0"
>> > if_lan_download="em1"
>> >
>> > table <rede_interna> { 192.168.0.0/24, 10.0.10.0/24 }
>> >
>> > altq on $if_wan_upload hfsc bandwidth 100% queue total_out
>> > queue total_out bandwidth 34Mb hfsc(upperlimit 34Mb) { ping_out voip_out dns_out http-https_out pop_out smtp_out ssh_out outros_out p2p_out }
>> >  queue ping_out bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
>> >  queue voip_out bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
>> >  queue dns_out bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
>> >  queue http-https_out bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
>> >  queue ssh_out bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
>> >  queue smtp_out bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
>> >  queue pop_out bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
>> >  queue outros_out bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
>> >  queue p2p_out bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)
>> >
>> > altq on $if_lan_download hfsc bandwidth 100Mb queue total
>> > queue total bandwidth 34Mb hfsc(upperlimit 34Mb) { ping voip dns http-https ssh smtp pop outros p2p }
>> >  queue ping bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
>> >  queue voip bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
>> >  queue dns bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
>> >  queue http-https bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
>> >  queue ssh bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
>> >  queue smtp bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
>> >  queue pop bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
>> >  queue outros bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
>> >  queue p2p bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)
>> >
>> > pass in quick on $if_wan_upload proto icmp from <rede_interna> to any keep state queue ping_out
>> > pass in quick on $if_lan_download proto icmp from <rede_interna> to any keep state queue ping
>> >
>> > pass in quick on $if_wan_upload proto { tcp, udp } from <rede_interna> to any port 53 keep state queue dns_out
>> > pass in quick on $if_lan_download proto { tcp, udp } from <rede_interna> to any port 53 keep state queue dns
>> >
>> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port { 80, 443 } keep state queue http-https_out
>> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port { 80, 443 } keep state queue http-https
>> >
>> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 110 keep state queue pop_out
>> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 110 keep state queue pop
>> >
>> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 25 keep state queue smtp_out
>> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 25 keep state queue smtp
>> >
>> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 22 keep state queue ssh_out
>> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 22 keep state queue ssh
>> >
>> >
>> >
>> > --
>> > Renata Dias
>> > -------------------------
>> > Archive: http://www.fug.com.br/historico/html/freebsd/
>> > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>
>>
>
>
>
>  Hi Aline,
>
> # MAC - Layer 2
> net.link.ether.ipfw=1
>
> I only enable layer 2 for the IPFW MAC rules. But, for testing, I disabled
> this sysctl and enabled PF... the result was the same (no buffer space) in
> the middle of the ping replies.
>
> Thank you.
>
> --
> Renata Dias
>
>


-- 
Renata Dias
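Added example, not part of the thread above: before raising a parent queue's bandwidth, the practical check is whether ALTQ is actually dropping on it. `pfctl -vsq` prints per-queue packet, drop and qlength counters; the function below reads that output and prints each queue that has dropped packets or is sitting at its qlength limit, which is the state that yields ENOBUFS ("No buffer space available") for locally generated traffic such as ping. The embedded sample output is constructed (names modelled on the config in the thread; the counter values are invented for the demo), and the `saturated_queues` function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the FUG-BR thread. Finds ALTQ queues that are
# dropping or full, from `pfctl -vsq` output.

# Constructed sample of `pfctl -vsq` output. Queue names follow the pf.conf
# in the thread; the counters are invented, not taken from Renata's box.
SAMPLE_PFCTL_VSQ='queue root_em0 on em0 bandwidth 100Mb priority 0 {total_out}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  total_out on em0 bandwidth 34Mb hfsc( upperlimit 34Mb ) {ping_out, http-https_out}
  [ pkts:    9812345  bytes: 8123456789  dropped pkts:  31337 bytes: 4600000 ]
  [ qlength:  50/ 50 ]
queue   ping_out on em0 bandwidth 2.04Mb priority 9 hfsc( red ecn realtime 2.04Mb upperlimit 34Mb )
  [ pkts:     120000  bytes:   10080000  dropped pkts:    412 bytes:  34608 ]
  [ qlength:   3/ 50 ]
queue   http-https_out on em0 bandwidth 20.40Mb priority 6 hfsc( red ecn realtime 20.40Mb upperlimit 34Mb )
  [ pkts:    9000000  bytes: 8000000000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]'

# Reads `pfctl -vsq` output on stdin. For every queue whose "dropped pkts"
# counter is non-zero or whose qlength has reached its limit, prints:
#   <queue> drops=<n> qlen=<used>/<limit>
# Queues are printed in the order pfctl lists them (parent before children).
saturated_queues() {
    awk '
        # A "queue NAME on IF ..." line starts a new queue record.
        /^queue/ { name = $2; drops = 0; next }

        # "[ pkts: N  bytes: N  dropped pkts: N bytes: N ]" -> dropped count.
        /dropped pkts:/ {
            s = $0; sub(/.*dropped pkts:[ ]*/, "", s); drops = s + 0; next
        }

        # "[ qlength: USED/ LIMIT ]" closes the record; decide here.
        /qlength:/ {
            s = $0; sub(/.*qlength:[ ]*/, "", s)
            split(s, q, "/"); used = q[1] + 0; limit = q[2] + 0
            if (drops > 0 || (limit > 0 && used >= limit))
                printf "%s drops=%d qlen=%d/%d\n", name, drops, used, limit
        }
    '
}

# Stand-alone demo on the constructed sample. On a live firewall run:
#   pfctl -vsq | saturated_queues
printf '%s\n' "$SAMPLE_PFCTL_VSQ" | saturated_queues
```

On the sample this flags `total_out` (queue full, 31337 drops) and `ping_out` (drops with room left in its own queue, i.e. the drops are inherited from the saturated parent's upperlimit). A child queue with drops but spare qlength while its parent is at the limit is the pattern behind the ping failures in the thread; the parent, not the ICMP queue, is what needs more bandwidth. Run `pfctl -z` or compare two snapshots a few seconds apart if you need rates rather than lifetime counters.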

