Date: Sat, 3 Mar 2007 16:09:20 -0500
From: "Chris Buechler" <cbuechler@gmail.com>
To: "Sergey N. Romanov" <sr@innter.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF performance problems
Message-ID: <d64aa1760703031309n6ec4a83dq740462076abddae7@mail.gmail.com>
In-Reply-To: <45E9D58E.1060705@innter.net>
References: <45E8D523.9010205@innter.net> <7D241F60-205C-4C1E-9054-C7E6DBDFE6F6@ekalb.net> <45E99722.6030706@innter.net> <200703032006.34064.max@love2party.net> <45E9D58E.1060705@innter.net>

On 3/3/07, Sergey N. Romanov <sr@innter.net> wrote:
> Max Laier wrote:
>
> > How do you test? Are you by chance using abench (or similar) from one
> > probe box?
>
> I use bench software on another server.
>

That's exactly what Max is talking about - this is a very poor way to test a web server, especially behind a stateful firewall, because you're going to exhaust your ephemeral port range. It's not anything you're going to see in real usage of the server, unless real usage is thousands of requests per second from the same IP.

> With "pfctl -si" I can see that state-mismatch counter grow.
>

Likely because you're re-using ephemeral ports before the previous state is closed, as Max suggested. A new packet comes in from the same source IP with the same source and destination ports as a previous TCP connection, but this one doesn't match the connection that already exists in the state table because it's a new connection.

You should really find a better way to test your server, like using multiple simultaneous probes or a single one binding to numerous different source IPs. Either/or should eliminate your perceived performance problem, and is a much more realistic test of the actual load the server will see.

There are probably some state-related settings you could tweak for this specific test, but someone else will have to chime in on that because I don't know for sure. I would leave it as is and fix your test.

-Chris
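The port-reuse effect described in the message above, as an added example that is not part of the original e-mail or of pf: a small deterministic model of a state table in which each closed connection's entry lingers for a fixed time, and a benchmark client cycles through its ephemeral ports. The request rate, linger time and port-range size are constructed values, and the model assumes instantaneous connections and that a colliding SYN is dropped without replacing the old entry.

```python
import math

def simulate(rate, duration, linger, port_count, source_ips):
    """Return (connections attempted, connections that hit a lingering state).

    rate        -- new connections per second, summed over all sources
    duration    -- seconds of benchmark traffic to model
    linger      -- seconds a finished connection's state stays in the table (assumed)
    port_count  -- ephemeral ports available per source address (assumed)
    source_ips  -- distinct source addresses, used round-robin
    """
    # Destination IP and port are fixed (the web server), so the state key
    # reduces to (source address, source port).
    expires = {}
    next_port = [0] * source_ips
    collisions = 0
    total = int(rate * duration)
    for n in range(total):
        now = n / rate
        src = n % source_ips
        port = next_port[src]
        next_port[src] = (port + 1) % port_count
        key = (src, port)
        if expires.get(key, -1.0) > now:
            # Same 4-tuple as a state that has not expired yet: the firewall
            # sees a packet that does not fit the old connection.
            collisions += 1
            continue
        expires[key] = now + linger
    return total, collisions

def min_sources(rate, linger, port_count):
    """Fewest source addresses for which no port is reused within `linger`."""
    return math.ceil(rate * linger / port_count)

if __name__ == "__main__":
    # Constructed scenario: 2000 conn/s for 60 s, 30 s linger, 16384 ports.
    for ips in (1, 3, min_sources(2000, 30, 16384), 8):
        total, bad = simulate(2000, 60, 30, 16384, ips)
        print(f"{ips} source IP(s): {bad} of {total} connections collide")
```

With one source address the port range wraps every 8.192 seconds in this scenario, well inside the 30-second linger, which is why most attempts collide; spreading the same load over enough source addresses removes the collisions without touching the firewall.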