pf slows traffic down extremely
I am running a web and mail server on FreeBSD 9.1. The system is installed on a KVM vServer. Everything works fine - until I enable pf(4). My weblog becomes unconscionably slow. So does all the other traffic, but this is not that annoying.
So it would be great if someone can tell me where the problem might be.
Thanks in advance!
A test with benchmarks/iperf returns the following results:
Disabled pf:
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 46.38.XXX.XXX port 31302 connected with 109.193.XXX.XXX port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 15.1 MBytes 12.6 Mbits/sec
Enabled pf:
------------------------------------------------------------
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 46.38.XXX.XXX port 61377 connected with 109.193.XXX.XXX port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-18.1 sec 128 KBytes 58.1 Kbits/sec
This is my pf.conf:
### INTERFACES ###
if = "{ em0 }"
### SETTINGS ###
set block-policy drop
### PORTS ###
tcp_pass = "{ 25 80 465 993}"
udp_pass = "{ 25 80 465 993}"
icmp_types = "echoreq"
### NORMALISATION ###
scrub in all
antispoof for $if
### RULES ###
block all
pass in on $if proto tcp from any to any port $tcp_pass flags S/SA keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state
# PING #
pass in on $if inet proto icmp all icmp-type $icmp_types keep state
# TRACEROUTE #
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state
This is rc.conf:
...
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
...
The 9.0 branch seems to be particularly sensitive to odd configurations where TCP Segmentation Offload is involved. This can be "corrected" by disabling TSO:
ifconfig em0 -tso
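As an added illustration (not part of the original thread), the following POSIX sh snippet shows how an administrator can confirm that TSO is actually enabled on the interface before touching it, and how to keep the `-tso` setting across reboots. The `ifconfig em0` output embedded below is a constructed sample, and the rc.conf fragment assumes the usual FreeBSD convention that extra ifconfig(8) options can be appended to the `ifconfig_em0` variable; adjust the address and netmask to your own.

```sh
#!/bin/sh
# Constructed sample of `ifconfig em0` output on a FreeBSD 9.x guest
# (assumption: the real output has the same options=<...> line layout).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 52:54:00:12:34:56
	inet 109.193.0.2 netmask 0xffffff00 broadcast 109.193.0.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active'

# tso_enabled: read ifconfig output on stdin; succeed (exit 0) only if the
# options=<...> line lists TSO4 or TSO6 as a standalone flag. VLAN_HWTSO is
# deliberately not matched, since it is a different capability.
tso_enabled() {
    grep -E '^[[:space:]]*options=' | grep -Eq '[<,](TSO4|TSO6)[,>]'
}

# tso_flag_for_rcconf IFACE "ADDRESS OPTIONS": print the rc.conf line that
# re-applies -tso at every boot, so the fix survives a reboot instead of
# living only in a one-off `ifconfig em0 -tso`.
tso_flag_for_rcconf() {
    printf 'ifconfig_%s="%s -tso"\n' "$1" "$2"
}

# tso_report IFACE: human-readable verdict for the given ifconfig text on stdin.
tso_report() {
    if tso_enabled; then
        printf 'TSO is enabled on %s; pf throughput problems on 9.x can be checked by: ifconfig %s -tso\n' "$1" "$1"
    else
        printf 'TSO is already disabled on %s; look elsewhere for the slowdown\n' "$1"
    fi
}

# Stand-alone demonstration on the constructed sample. On a real host use:
#   ifconfig em0 | tso_report em0
printf '%s\n' "$SAMPLE_IFCONFIG" | tso_report em0
tso_flag_for_rcconf em0 'inet 109.193.0.2 netmask 255.255.255.0'
```

After disabling TSO, rerunning the iperf comparison from the question with pf enabled is the quickest way to confirm whether the offload path was the cause; if throughput recovers, make the change persistent with the printed rc.conf line rather than relying on the manual ifconfig call.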