Date: Wed, 25 Jul 2007 13:38:24 +0200 From: Gergely CZUCZY <phoemix@harmless.hu> To: freebsd-pf@freebsd.org Subject: connection refused on heavy usage Message-ID: <20070725113824.GB26977@harmless.hu>
next in thread | raw e-mail | index | archive | help
--/NkBOFFp2J2Af1nK
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Good morning,
I've got a problem that disappeared by disabling pf.
=46rom the beginning. I'm testing an http reverse proxy[pound], at
the moment. I've got two gateways in a pfsync+carp+pound configuration
and two web backends. I'm doing performance testing on the proxy with
apache benchmarks, this involves hordes of simultaneous connections in
and out. connections are recieved by pound on the gateway and it
connects to a given web-backend to make the actual request.
The problem is that, periodically it's unable to connect to some
backends, or just to one of them and renders it DEAD.
When this happens there's a "connect: operation not permitted" message
in the syslog. Nor I'm able to connect to the backends directly with
elinks from the gateway, it also says "operation not permitted". After
waiting a few seconds it works again.
So, the proxy can accept client's connections but it's unable to
connect forward to the actual web-backends. When I disabled pf with
pfctl -d these symptons stopped immedietly.
I tried playing around with different tcp timeout values, but that
failed to help.
My pf.conf is the following:
--- chop with axe here ---
if_ext=3D"em0"
if_vvv=3D"fxp0"
if_sync=3D"em1"
ip_pub=3D"192.168.4.55"
ip_vvv=3D"10.0.0.254"
ip_vvv1=3D"10.0.0.1"
ip_vvv2=3D"10.0.0.2"
ip_vvv3=3D"10.0.0.3"
table <vvv> {$ip_vvv1, $ip_vvv2, $ip_vvv3}
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 5, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 70000, adaptive.end 120000 }
set limit { states 100000, frags 2000 }
#set loginterface none
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set debug misc
set skip on lo0
#scrub in all
rdr on $if_ext proto tcp from any to $ip_pub port 10001 -> $ip_vvv1 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10002 -> $ip_vvv2 port 22
rdr on $if_ext proto tcp from any to $ip_pub port 10003 -> $ip_vvv3 port 22
block in log on $if_ext all
pass in quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on {$if_ext,$if_vvv} proto vrrp
pass out quick on $if_ext proto udp from any to 192.168.4.200 port 123 keep=
state
pass in quick on $if_ext proto tcp from any to $if_ext:0 port 22 flags S/SA=
synproxy state (no-sync)
pass in quick on $if_ext proto tcp from any to $ip_pub port 80 flags S/SA m=
odulate state (no-sync) label "2"
pass out quick on $if_ext proto udp from $if_ext:0 to port 53 keep state (n=
o-sync)
pass out quick on $if_ext proto udp from any to port 53 keep state
pass out quick on $if_ext proto tcp from $if_ext:0 to port 80 flags S/SA ke=
ep state (no-sync)
pass out quick on $if_ext proto tcp from any to port 80 flags S/SA keep sta=
te
pass in quick on $if_ext proto tcp from any to <vvv> port 22 flags S/SA syn=
proxy state
pass out quick on $if_vvv proto tcp from ($if_vvv) to <vvv> port 80 flags S=
/SA keep state (no-sync)
--- chop with axe here ---
FreeBSD lvs1.in.publishing.hu 6.2-RELEASE-p6 FreeBSD 6.2-RELEASE-p6 #1: Tue=
Jul 24 08:07:07 UTC 2007 toor@pointyhat.office:/usr/obj/usr/src/sys/LV=
S i386
I'm played with the followings without any success:
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 60 }
set timeout { adaptive.start 70000, adaptive.end 120000 }
What can cause this issue?
How could this be fixed?
[pound] http://www.apsis.ch/pound/
Sincerely,
Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
--=20
Weenies test. Geniuses solve problems that arise.
--/NkBOFFp2J2Af1nK
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
owGlV89vJMUVXkAhUkkIIf6Bp1lLBu10T/eMPbYnGZZl7V0ckaBgwx5WCGq6q2cK
d1c1VdUznl05XDkgFOUUaYUUKYcoB6IcOOWScy4c8gdE4ggHbtzzXnXPbNtrYFls
S+569er9+N5Xr6r++NwzV55+4ct/fnH32id/evDU58/fmXSLyjk1DQpu5lIFcRTF
QX+4t7MTxHEwiIY7W3u78TAWe3vpbnbrb8PoplZOKBccL0sxAidOXa/MuVS/gmTG
jRVuXLks2GUrvX1pS22lk1qNQKpcKrGeOzZc2UyY4EAlOpVqOoIPK+1EGpRGKscn
uWDsttYpFNoonO8ydrg5FzDVDjiURqNGAW7GHaTS8rIU3IgUJks/nKCzKZRZyNh4
a2g0aQqYiKlUZCyEw00UCetIjSuYOVeCEXOBaZDx0+XdUlcqfbcL3DFaW+gC46aF
TRBuoWHKnVjwpcXsKKjMLlVyLeGmvOZXQ6JVJqeV4YQB4yihVQsxgQlPToRKbR1J
qn24wmTaFFwlYh2bVj5yHxIspJsxXvLE56KSGZbuxHZRQ1IIc53PhYWZNin+0xlY
WVS540roylIsSiQUCOn6YHSFCbXlCCGikEgEwkNZZ9HE0CQLtFI61qyz4DTmPpVz
oSizoMmMxAU/EX4pT1zFczT9YYV5YVGO65x8DTF2KmOX8pfIhYTn+RI9bFqoFBGB
TDXe6NNiJdgKvy5oAx9U1s9oJSht9Fj4KA1qYEXRFuwf3NgP2Z2ZUDVaM2KMIs/C
CPTEodO4GIHGQHzFQGGdcVBIh8zsQCGs5VPBZA2IXdpcI5d+hyFQFS+J1bOuCRWJ
idi6vKmjQIqeWMhW5Gzg7VK0PLeYJxGr833BhHAjc8KwBZc1iSETC7ACnac+44VG
bgCf4gZFwI90t0WkBCnPk0SUDpJcIq83z/NjUrkLBViVG5ChC27SVXJNZVuFR0p7
mA+bjYhMKrM65TLD9CFIaaUl/IrSkTvrNFYDWVUUIpUCIcKID8EZSYtzvvQJGk9G
MoSWM+wdGDe4pAQnC2S4gznPkV5dHz0ximVcknsMdSbyEm3+dkk9gXZlzTqB6eS5
XlD/YUEQYCPTZe2CnwogbgCKmczew243Hux3RBF1aDifz2mYnZb1mHZ+PR93GJPl
e2U1oXG81w/j4W64FW5vd0jeLIyjkH7721u1Oorjljxe6fbbyivhoCUc4HrfLuHX
OPMK3N9orHWh+eqvvwZnjF2FN0tfZOzglRJNX5zxuUQW4+Ypsy6kIuPYOBpAfVfw
+ztkV7HLr/G+j30EKYhasN1FIvMpDCI4u6iEJQozaXCLxv2o64dIamrDqF6PsSlQ
y7YzrNbucCsiK48aSXI8TXDVXtQsy6Qi+q/NkAJaGF4SRJWughiiMo3IFKI2aIbU
KWWJgstWy6RYLacU/FAYg4jFl2hraiotb/W45a8WnPd43gRPOVZpLkIExjjYiSLK
eS2l/opgRmugcoltAdehOp4cGFW9gGpioV/r+SixYfmiZRwPGYUN0y+f5Do5CUqd
y2SJXdNVRnk5NWxsWgGdKAaWwnopwj4Vxp/T2KB6wiU93FXadvxsKibVFAppE+bH
9kSWdITkOkL22cRUE39c5jljJjU0tVHvL2pO1FZwS/uuyNWS9u5GvZvwMEIkKLMY
gldWlI5rcb//hLb6LVv9n2lr0LI1WNtiHlxKGbFvW/UIlNz62wPijEo4e7+Z7m7U
Xeas8T43pqy1iSGPp36J/vmUkPjnUnrYrZAzTWL9AZwIUY5ZTa5LQv4xmPzsKFoh
AllOrDzqHd0go0tVn0neOrykdEC99OWf7qZVjd2o5QSKMdNplZP5C04g5xORQwc7
6+Nj9TAhlHp32zVEa+vor53ETyjAo+Z+PLA1Eo8Gdh6HEzFmrSgfN8aLSF9qubY7
Zk9AkPrcepQcRI0xa5Hj+6DA9RdNv9TIX77g4GHYY9YO/BwgP3ARYLeMEK8d7UM+
t3GINyukHJ1b9KaYVTAM+8FbB28c3Dg6CMohrJQviK/GIziusBjwmyqH/hZEu6No
B//g7eOb1K13gH6c1ubVEl8GbomXmVBnmUzEqFdZ09OTD/x/a5Ie3kJ7b7wzZkcA
crA7pGdS4S9NorksnbvmWC8jCAl9W+El0NrRzz1sn/zwwis5vuDoPprwyormKWNt
Ja6z1/UCb6VVntbSCaYhT0V6nbHmceafbaNeb7FYhLy00obJrOenenjjlfiOMiJf
4svxtjBT/IKb96rk3pIVeC90egTTWhwmXvwqPmKLHOHASjIkwbgfsTsCLyp4oNJz
LITbOMAg8cJKL63VA6Z+vuAtSVoRso+vP/OLK/RaXr21X3j62U+v/OXz6//96N53
//n23+//+ez3ev+z/h/uqisPfrl5+I9vHjx39vX/zv769d9f/NfGs7e++j8=
=TthG
-----END PGP SIGNATURE-----
--/NkBOFFp2J2Af1nK--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070725113824.GB26977>