Date: Mon, 2 Jan 2006 17:18:30 +0100
From: TYBERGHIEN Eric TRANSPAC <eric.tyberghien@francetelecom.com>
To: freebsd-pf@freebsd.org
Subject: PF/FreeBSD 6 and FIN_WAIT2 TCP exhaustion
Message-ID: <OFC94C0503.15AA3760-ONC12570EA.0058265D@ftgin.com>
Hi and Happy new year

I have some problems with FreeBSD 6 and PF. This is my test config:

    set limit ( states 600000, frags 5000 )
    pass quick on { $internal_if $external_if } proto tcp keep state
    pass quick on { $internal_if $external_if } proto udp keep state
    nat on $ext_if from $internal_net to $external_net -> $external_nat

The UDP performance is excellent (more than 500 000 contexts without packet loss).

In TCP, using a simple test with ab (apache bench) failed very quickly:
- losing between 2 and 3 sessions/1000 (serial number mode)

After analysing tcpdump traces, it seems that the problem is the non-releasing of TCP contexts after the end of the TCP session. These contexts remained in PF during 90 secs after the end of the TCP session with the FIN_WAIT2 state.

Can you help me to solve this feature? Is it a bug, a mechanism of DOS auto-protection or a misunderstanding of the PF features?

Best Regards
Eric Tyberghien
FT/TPC/DO/DIT/Sécurité
Tel : 02 23 28 31 00 Port : 06 82 81 51 85
Fax : 02 23 28 45 81
Email : eric.tyberghien@francetelecom.com
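As an added diagnostic example (not from the original mail or from the PF project), a POSIX shell helper that summarises a `pfctl -ss` state dump by protocol and TCP state pair, so an accumulation of FIN_WAIT_2 states like the one reported above shows up directly; the column layout of the pfctl output is assumed and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original mail or from PF itself: summarise
# the state table dump printed by `pfctl -ss` so that a pile-up of
# FIN_WAIT_2 states after a TCP load test is visible at a glance.
#
# Assumed line layout (FreeBSD 6 era pfctl), one state per line:
#   <if> <proto> <src> [(<nat addr>)] <dir> <dst>   <srcstate>:<dststate>
# Only the protocol ($2) and the trailing state pair ($NF) are used, so
# the optional NAT column in the middle does not matter.

# Print "proto statepair count", most frequent first, from a dump on stdin.
pf_state_summary() {
    awk '{ key = $2 " " $NF; n[key]++ }
         END { for (k in n) print k, n[k] }' | sort -k3,3nr
}

# Count states whose state pair matches an awk regex, e.g. FIN_WAIT_2.
pf_count_states() {
    awk -v pat="$1" '$NF ~ pat { c++ } END { print c + 0 }'
}

# Integer percentage of the configured state limit in use; the limit is
# the "states" value from `set limit` in pf.conf (600000 in the mail above).
pf_state_usage_pct() {
    awk -v lim="$1" 'END { printf "%d\n", (NR * 100) / lim }'
}

# Constructed sample dump (RFC 5737 addresses) standing in for real output.
sample_state_dump() {
    cat <<'EOF'
all tcp 192.0.2.10:80 <- 198.51.100.20:40001       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:80 <- 198.51.100.20:40002       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:80 <- 198.51.100.20:40003       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:80 <- 198.51.100.20:40004       ESTABLISHED:ESTABLISHED
all udp 198.51.100.20:53 <- 192.0.2.10:5001       MULTIPLE:MULTIPLE
EOF
}

# Stand-alone run: on the firewall replace sample_state_dump with `pfctl -ss`.
sample_state_dump | pf_state_summary
echo "FIN_WAIT_2 states: $(sample_state_dump | pf_count_states FIN_WAIT_2)"
echo "state table usage: $(sample_state_dump | pf_state_usage_pct 600000)%"
```

In PF a state whose both ends have reached FIN_WAIT_2 is held for the tcp.closed timeout, 90 seconds by default, which matches the 90 seconds observed above and can be shortened with `set timeout tcp.closed` in pf.conf.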