After further investigation, it seems that the mbuf leakage may be
correlated to IPsec usage. I have turned off Tor, and everything else
on the system is vanilla OpenBSD 5.6. The only notable services I run
from base are unbound with the stock config and an L2TP/IPsec VPN.
Local traffic doesn't seem to affect the mbuf count significantly, but
opening new TCP connections via the VPN makes it climb noticeably. I'm
scratching my head over this one - this setup has worked quite well for
some time until the VPN started seeing heavier utilization under 5.6.
I'm not sure if it's relevant, but primary users of the VPN are running
the latest version of OS X and using the native VPN client to route all
traffic. I'll be happy to provide more output - I'm just not sure where
to start looking.
Thanks!
My ipsec.conf is as follows:
ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 psk XXX
npppd.conf:
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
authentication-method pap chap mschapv2
}
ipcp IPCP {
pool-address 10.50.0.2-10.50.0.254
dns-servers 10.50.0.1
allow-user-selected-address no
}
interface pppx0 address 10.50.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
npppd-users:
user:\
:password=PaSsWoRd"\
:framed-ip-address=10.50.0.129:
selected pf.conf lines:
table <abuse> persist
ext_if="vr0"
int_if="vr1"
vpn_net="10.50.0.0/24"
set loginterface all
set skip on lo
match in all scrub (no-df random-id reassemble tcp max-mss 1440)
queue int_root on $int_if bandwidth 100M
queue p_std parent int_root bandwidth 100M default
queue ext_root on $ext_if bandwidth 45M max 45M
queue services parent ext_root bandwidth 10M min 10M
queue s_ssh parent services bandwidth 1M
queue s_ext parent services bandwidth 7M default
queue s_dns parent services bandwidth 1M
queue s_ack parent services bandwidth 1M
queue vpn parent ext_root bandwidth 5M min 5M
queue vpn_ext parent vpn bandwidth 4M
queue vpn_ack parent vpn bandwidth 1M
match out on $ext_if from { $vpn_net $int_if:network } nat-to ($ext_if:0)
anchor "authpf/*"
antispoof quick for $int_if
pass quick proto { esp, ah } from any to any
pass in quick on $ext_if proto udp from any to \
any port { 500, 4500, 1701 } synproxy state \
( max-src-conn-rate 1 / 5, overload <abuse> flush global )
pass quick on enc0 from any to any keep state (if-bound) tag VPN
block all
block in quick from <abuse>
block quick on $int_if from $int_if:network to $vpn_net
block quick from $vpn_net to $int_if:network
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port domain \
modulate state set queue ( s_dns )
pass out on $ext_if proto tcp from ($ext_if) to any port ssh \
modulate state set queue ( s_ssh s_ack )
pass out on $ext_if proto tcp from ($ext_if) to any \
modulate state set queue ( s_ext s_ack )
pass out on $ext_if proto { udp icmp } from ($ext_if) to any \
modulate state set queue ( s_ack )
pass out on $ext_if proto tcp from ($ext_if) to any tagged VPN \
modulate state set queue ( vpn_ext vpn_ack )
pass out on $ext_if proto { udp icmp } from ($ext_if) to any \
tagged VPN modulate state set queue ( vpn_ack )
pass in on $int_if proto tcp from $int_if:network to !($int_if) port ssh \
modulate state set queue ( s_ext s_ssh )
pass in on $int_if from $int_if:network to !($int_if) \
modulate state set queue ( s_ext s_ack )
pass out on $int_if from any to $int_if:network modulate state
pass from $vpn_net to !$int_if:network
sysctl.conf:
net.inet.ip.forwarding=1
net.pipex.enable=1
dmesg:
OpenBSD 5.6 (GENERIC) #0: Fri Dec 12 15:51:37 UTC 2014
root@XXX:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 536375296 (511MB)
avail mem = 515162112 (491MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:cb:55:34
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:cb:55:35
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:cb:55:36
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:cb:55:37
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <TS32GSSD25S-M>
wd0: 1-sector PIO, LBA, 30560MB, 62586880 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
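The post describes watching the mbuf count climb as VPN connections are opened but has no structured way to correlate the two. The script below is an added example, not part of the original post or of OpenBSD: it samples the "mbufs in use" figure from netstat -m together with the pf state count from pfctl -si at a fixed interval and summarises whether mbufs kept growing after the state count settled back, which is the pattern of a leak rather than of traffic still in flight. The log path, the sampling interval and the function names are assumptions; the parsers take command output on stdin so they can be exercised on constructed samples without the real commands.

```shell
#!/bin/sh
# Added example (not from the original post or OpenBSD): correlate mbuf
# usage with pf state count over time. Written against the output format of
# OpenBSD netstat(1) -m ("N mbufs in use:") and pfctl(8) -si ("current
# entries N"). Log path and interval are assumptions chosen by the caller.

# Print the "N mbufs in use" figure from netstat -m output read on stdin.
mbufs_in_use() {
    awk '/mbufs in use/ { print $1; exit }'
}

# Print the current pf state-table entry count from pfctl -si output on stdin.
pf_states() {
    awk '/current entries/ { print $3; exit }'
}

# Signed difference between two mbuf samples; positive means growth.
mbuf_delta() {
    echo $(( $2 - $1 ))
}

# Append one sample line to log $1: epoch seconds, mbufs in use, pf states.
record_sample() {
    now=$(date +%s)
    m=$(netstat -m | mbufs_in_use)
    s=$(pfctl -si | pf_states)
    printf '%s %s %s\n' "$now" "$m" "$s" >> "$1"
}

# Keep sampling into log $1 every $2 seconds until interrupted.
watch_mbufs() {
    while :; do
        record_sample "$1"
        sleep "$2"
    done
}

# Summarise log $1: net change in mbufs and in states between the first and
# last sample. mbufs still well above the starting value while states are
# back near the baseline points at mbufs that were never freed.
summarize_log() {
    awk 'NR == 1 { t0 = $1; m0 = $2; s0 = $3 }
         { t1 = $1; m1 = $2; s1 = $3 }
         END { printf "mbufs %+d states %+d over %d s", m1 - m0, s1 - s0, t1 - t0 }' "$1"
}

# Usage on the router (assumed paths):
#   . ./mbufwatch.sh
#   watch_mbufs /var/log/mbufwatch.log 30   # run across a VPN session
#   summarize_log /var/log/mbufwatch.log    # after clients have disconnected
```

Running the watcher across a client session and summarising after the client disconnects separates mbufs legitimately held by live states from mbufs that stay allocated after the states are gone; the per-line log also lets the growth be lined up against npppd or isakmpd log timestamps.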