Date: Wed, 25 Jul 2007 13:38:24 +0200
From: Gergely CZUCZY <phoemix@harmless.hu>
To: freebsd-pf@freebsd.org
Subject: connection refused on heavy usage
Message-ID: <20070725113824.GB26977@harmless.hu>
Good morning,

I've got a problem that disappeared by disabling pf. From the beginning.

I'm testing an http reverse proxy [pound] at the moment. I've got two gateways in a pfsync+carp+pound configuration and two web backends. I'm doing performance testing on the proxy with apache benchmarks; this involves hordes of simultaneous connections in and out. Connections are received by pound on the gateway and it connects to a given web-backend to make the actual request.

The problem is that, periodically, it's unable to connect to some backends, or just to one of them, and renders it DEAD. When this happens there's a "connect: operation not permitted" message in the syslog. Nor am I able to connect to the backends directly with elinks from the gateway; it also says "operation not permitted". After waiting a few seconds it works again. So, the proxy can accept clients' connections but it's unable to connect forward to the actual web-backends. When I disabled pf with pfctl -d these symptoms stopped immediately.

I tried playing around with different tcp timeout values, but that failed to help.

My pf.conf is the following:

--- chop with axe here ---
if_ext="em0"
if_vvv="fxp0"
if_sync="em1"
ip_pub="192.168.4.55"
ip_vvv="10.0.0.254"
ip_vvv1="10.0.0.1"
ip_vvv2="10.0.0.2"
ip_vvv3="10.0.0.3"
table <vvv> {$ip_vvv1, $ip_vvv2, $ip_vvv3}

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 5, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 70000, adaptive.end 120000 }
set limit { states 100000, frags 2000 }
#set loginterface none
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set debug misc
set skip on lo0

#scrub in all

rdr on $if_ext proto tcp from any to $ip_pub port 10001 -> $ip_vvv1 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10002 -> $ip_vvv2 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10003 -> $ip_vvv3 port 22

block in log on $if_ext all
pass in quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on $if_ext proto udp from any to 192.168.4.200 port 123 keep state
pass in quick on $if_ext proto tcp from any to $if_ext:0 port 22 flags S/SA synproxy state (no-sync)
pass in quick on $if_ext proto tcp from any to $ip_pub port 80 flags S/SA modulate state (no-sync) label "2"
pass out quick on $if_ext proto udp from $if_ext:0 to port 53 keep state (no-sync)
pass out quick on $if_ext proto udp from any to port 53 keep state
pass out quick on $if_ext proto tcp from $if_ext:0 to port 80 flags S/SA keep state (no-sync)
pass out quick on $if_ext proto tcp from any to port 80 flags S/SA keep state
pass in quick on $if_ext proto tcp from any to <vvv> port 22 flags S/SA synproxy state
pass out quick on $if_vvv proto tcp from ($if_vvv) to <vvv> port 80 flags S/SA keep state (no-sync)
--- chop with axe here ---

FreeBSD lvs1.in.publishing.hu 6.2-RELEASE-p6 FreeBSD 6.2-RELEASE-p6 #1: Tue Jul 24 08:07:07 UTC 2007 toor@pointyhat.office:/usr/obj/usr/src/sys/LVS i386

I've played with the following without any success:

set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
set timeout { adaptive.start 70000, adaptive.end 120000 }

What can cause this issue? How could this be fixed?

[pound] http://www.apsis.ch/pound/

Sincerely,
Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.
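As an added diagnostic, not code from the mail or from pf itself: the adaptive timeout and state limit values quoted in the pf.conf above, run through the scaling rule documented in pf.conf(5) and applied to a constructed `pfctl -si` sample, to show how far the timeouts are shortened before the state table reaches its hard limit. The three settings at the top and the sample output are assumptions taken from the mail and constructed here, respectively.

```shell
#!/bin/sh
# Added diagnostic, not part of the original mail: applies the adaptive
# timeout rule from pf.conf(5) to the settings quoted in the mail.
# Above adaptive.start, every timeout is multiplied by
#   (adaptive.end - states) / (adaptive.end - adaptive.start)
# Assumed values are the mail's own pf.conf settings.
ADAPTIVE_START=70000
ADAPTIVE_END=120000
STATE_LIMIT=100000

# effective_timeout BASE_SECONDS CURRENT_STATES -> scaled timeout in whole seconds
effective_timeout() {
    awk -v base="$1" -v n="$2" -v s="$ADAPTIVE_START" -v e="$ADAPTIVE_END" 'BEGIN {
        if (n <= s) f = 1; else if (n >= e) f = 0; else f = (e - n) / (e - s)
        printf "%d\n", int(base * f + 0.5)
    }'
}

# state_count: pull the "current entries" figure out of `pfctl -si` output read on stdin
state_count() {
    awk '/current entries/ { print $3 }'
}

# table_status CURRENT_STATES -> ok | adaptive | full
table_status() {
    if [ "$1" -ge "$STATE_LIMIT" ]; then echo full
    elif [ "$1" -gt "$ADAPTIVE_START" ]; then echo adaptive
    else echo ok
    fi
}

# Constructed sample of `pfctl -si` output (not captured from the author's gateway)
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 01:12:33           Debug: Misc

State Table                          Total             Rate
  current entries                    85000
  searches                       123456789         28000.0/s
  inserts                          4000000           900.0/s
  removals                         3915000           880.0/s'

# On a real gateway replace the sample with: pfctl -si | state_count
n=$(printf '%s\n' "$SAMPLE_PFCTL_SI" | state_count)
echo "states=$n status=$(table_status "$n")"
for t in "tcp.closing 900" "tcp.finwait 30" "tcp.closed 60"; do
    set -- $t
    echo "$1: configured ${2}s, effective $(effective_timeout "$2" "$n")s"
done
```

Because adaptive.end (120000) lies above the hard limit (100000), the scale factor never drops below 0.4 before the table is full, so tcp.closing still holds a state for 360 s at that point. When pf cannot create a state for a locally generated SYN and drops it, the sending socket sees EPERM ("operation not permitted"), so the state count during the benchmark is the first thing to check.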