I am running a web and mail server on FreeBSD 9.1. The system is installed on a KVM vServer. Everything works fine - until I enable pf(4). My weblog then becomes extremely slow. The same goes for the other traffic, but that is not as annoying.
It would be great if someone could tell me where the problem might be.
Thanks in advance!
Testing with benchmarks/iperf gives the following results:
pf disabled:
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 46.38.XXX.XXX port 31302 connected with 109.193.XXX.XXX port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 15.1 MBytes 12.6 Mbits/sec
pf enabled:
------------------------------------------------------------
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 46.38.XXX.XXX port 61377 connected with 109.193.XXX.XXX port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-18.1 sec 128 KBytes 58.1 Kbits/sec
This is my pf.conf:
### INTERFACES ###
if = "{ em0 }"
### SETTINGS ###
set block-policy drop
### PORTS ###
tcp_pass = "{ 25 80 465 993}"
udp_pass = "{ 25 80 465 993}"
icmp_types = "echoreq"
### NORMALISATION ###
scrub in all
antispoof for $if
### RULES ###
block all
pass in on $if proto tcp from any to any port $tcp_pass flags S/SA keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state
# PING #
pass in on $if inet proto icmp all icmp-type $icmp_types keep state
# TRACEROUTE #
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state
This is rc.conf:
...
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
...
Answer 1
The 9.0 branch seems to be particularly sensitive to odd configurations involving TCP segmentation offload. This can be "corrected" by disabling TSO:
ifconfig em0 -tso
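The check a practitioner would want before and after applying that answer is whether TSO is actually still on for the interface pf filters. The script below is an added example, not code from the question or the answer: it parses the options= line of ifconfig(8) output for the TSO4/TSO6 flags (ignoring the unrelated VLAN_HWTSO flag) and, when TSO is on, prints the ifconfig command from the answer plus the rc.conf change that keeps it off across reboots. The two ifconfig outputs embedded in it are constructed samples in FreeBSD 9.x format with RFC 5737 addresses, not output from the asker's host; on a real host feed it the output of `ifconfig em0` instead. The rc.conf suggestion assumes a static ifconfig_em0 line exists; adjust it if the interface is configured differently.

```shell
#!/bin/sh
# Added example: detect whether TSO is still enabled on an interface by
# parsing ifconfig(8) output, and emit the commands that turn it off now
# and keep it off after a reboot. Not part of the original post.

# Constructed sample output (FreeBSD 9.x ifconfig format, RFC 5737 address),
# standing in for the real "ifconfig em0" on the KVM guest.
SAMPLE_WITH_TSO='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 52:54:00:12:34:56
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Same interface after "ifconfig em0 -tso": TSO4 is gone, VLAN_HWTSO remains.
SAMPLE_NO_TSO='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219a<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether 52:54:00:12:34:56
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# tso_enabled IFCONFIG_TEXT
# Returns 0 if the options= line lists TSO4 or TSO6, 1 otherwise.
# The flag must be delimited by "<" or "," on the left and "," or ">" on the
# right so that VLAN_HWTSO (which only means the VLAN driver could use TSO)
# does not count as a match.
tso_enabled() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*options=' \
        | grep -Eq '[<,]TSO[46][,>]'
}

# iface_name IFCONFIG_TEXT
# Prints the interface name from the first line ("em0: flags=..." -> "em0").
iface_name() {
    printf '%s\n' "$1" | sed -n '1s/^\([^:]*\):.*/\1/p'
}

# disable_tso_cmds IFACE
# Prints the immediate fix from the answer and the rc.conf line that makes
# it persistent. "<existing options>" is the interface's current
# ifconfig_IFACE value in /etc/rc.conf; it is an assumption that such a
# static line exists.
disable_tso_cmds() {
    ifn=$1
    printf 'ifconfig %s -tso\n' "$ifn"
    printf '# then, in /etc/rc.conf, append -tso to the interface line, e.g.:\n'
    printf 'ifconfig_%s="<existing options> -tso"\n' "$ifn"
}

# Walk both constructed samples and report what would be done for each.
for sample in "$SAMPLE_WITH_TSO" "$SAMPLE_NO_TSO"; do
    ifn=$(iface_name "$sample")
    if tso_enabled "$sample"; then
        echo "$ifn: TSO is enabled; to disable it, run:"
        disable_tso_cmds "$ifn"
    else
        echo "$ifn: TSO is already disabled"
    fi
done
```

After running the ifconfig command on the real host, rerun the check with fresh `ifconfig em0` output and repeat the iperf measurement; if throughput recovers from the 58 Kbit/s figure to roughly the pf-disabled number, the TSO interaction was the cause and the rc.conf change keeps the fix across reboots.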