Date:      Mon, 2 Jan 2006 17:18:30 +0100
From:      TYBERGHIEN Eric TRANSPAC <eric.tyberghien@francetelecom.com>
To:        freebsd-pf@freebsd.org
Subject:   PF/FreeBSD 6 and  FIN_WAIT2 TCP exhaustion
Message-ID:  <OFC94C0503.15AA3760-ONC12570EA.0058265D@ftgin.com>



Hi, and Happy New Year.

I have some problems with FreeBSD 6 and PF.

This is my test config:

# Options first, then translation (nat) rules, then filter rules: pfctl
# rejects a ruleset whose sections are out of this order. The interface and
# network macros ($internal_if, $external_if, $ext_if, ...) are defined
# elsewhere in the ruleset and are not shown here.
set limit { states 600000, frags 5000 }
nat on $ext_if from $internal_net to $external_net -> $external_nat
pass quick on { $internal_if $external_if } proto tcp keep state
pass quick on { $internal_if $external_if } proto udp keep state

UDP performance is excellent (more than 500 000 contexts without packet loss).

With TCP, a simple test with ab (Apache Bench) fails very quickly:
- losing between 2 and 3 sessions per 1000 (serial number mode)

After analysing tcpdump traces, it seems that the problem is that TCP contexts
are not released after the end of the TCP session.

These contexts remained in PF for 90 seconds after the end of the TCP session,
in the FIN_WAIT2 state.

Can you help me with this behaviour? Is it a bug, a DoS auto-protection
mechanism, or a misunderstanding of PF's features on my part?

Best regards,

Eric Tyberghien
FT/TPC/DO/DIT/Sécurite
Tel:    02 23 28 31 00
Mobile: 06 82 81 51 85
Fax:    02 23 28 45 81
Email:  eric.tyberghien@francetelecom.com

************************************************************************
This message and any attachments (the "message") are confidential and
intended solely for the addressees. Any unauthorised use or dissemination
is prohibited. Messages are susceptible to alteration. France Telecom Group
shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please delete it
immediately and inform the sender.
************************************************************************
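As an added example (not code from the original message, and not part of pf or FreeBSD), the POSIX shell helpers below put numbers on the situation described in the post: a state table of a fixed size in which every finished TCP session keeps its entry for a fixed time. The first helper applies Little's law (entries in the table = new sessions per second x seconds each entry lingers) to give the highest session rate the table can absorb; the others summarise a `pfctl -ss` dump by pf's tracked TCP state pair, which is the last column of each line. The state limit (600000) and the 90 s lingering time are taken from the post; the sample dump is constructed here and only approximates the shape of real `pfctl -ss` output, so check the column layout on your own box before relying on the field numbers.

```shell
#!/bin/sh
# Added example; not code from the original message or from the pf project.
# Helpers for reasoning about pf state-table exhaustion by lingering TCP states.

# Highest sustainable new-session rate (integer sessions/s) for a state table
# holding $1 entries when each finished session keeps its entry for $2 seconds.
# Little's law: occupancy = arrival_rate * hold_time, so rate_max = limit / hold.
max_conn_rate() {
    awk -v limit="$1" -v hold="$2" 'BEGIN { printf "%d\n", int(limit / hold) }'
}

# Steady-state number of entries a given session rate ($1, sessions/s) occupies
# when each entry lingers for $2 seconds; compare this against the state limit.
steady_state_entries() {
    awk -v rate="$1" -v hold="$2" 'BEGIN { printf "%d\n", int(rate * hold) }'
}

# Count TCP entries per tracked state pair in a `pfctl -ss` dump read on stdin.
# Output: "<count> <state-pair>" lines, most frequent first.
count_by_state() {
    awk '$2 == "tcp" { n[$NF]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Number of TCP entries on stdin with FIN_WAIT_2 on either side of the pair.
count_fin_wait2() {
    awk '$2 == "tcp" && $NF ~ /FIN_WAIT_2/ { c++ } END { print c + 0 }'
}

# Constructed sample in the shape of `pfctl -ss` output (documentation address
# ranges, not real hosts); the "(addr:port)" form is how pfctl shows a NATed
# source. This is an assumption about the layout, not captured output.
sample_states() {
    cat <<'EOF'
all tcp 192.0.2.10:34567 (10.1.0.10:34567) -> 198.51.100.5:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:34568 (10.1.0.10:34568) -> 198.51.100.5:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:34569 (10.1.0.10:34569) -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:34570 (10.1.0.10:34570) -> 198.51.100.5:80       CLOSED:CLOSED
all tcp 192.0.2.10:34571 (10.1.0.10:34571) -> 198.51.100.5:80       FIN_WAIT_2:FIN_WAIT_2
all udp 192.0.2.10:5353 (10.1.0.10:5353) -> 198.51.100.53:53        MULTIPLE:MULTIPLE
EOF
}

# Stand-alone run with the numbers from the post: 600000 states, 90 s lingering.
echo "max new TCP sessions/s before the table fills: $(max_conn_rate 600000 90)"
echo "entries held at 10000 sessions/s with 90 s lingering: $(steady_state_entries 10000 90)"
echo "sample dump, entries by pf TCP state pair:"
sample_states | count_by_state
echo "FIN_WAIT_2 entries in sample: $(sample_states | count_fin_wait2)"
```

On the firewall itself, `pfctl -ss | count_by_state` shows whether finished sessions dominate the table, and `pfctl -s info` reports the current number of entries together with the `state-insert` and `state-limit` counters, which climb when new states are refused because the limit was hit. `pfctl -s timeouts` prints the timeouts in force; the half-closed (FIN exchanged) and closed states are governed by the `tcp.finwait` and `tcp.closed` values of `set timeout`, which can be lowered explicitly or through `set optimization aggressive`, and the adaptive timeouts (`adaptive.start` / `adaptive.end`) shrink all timeouts as the table approaches its limit. Check the pf.conf(5) shipped with the FreeBSD 6 release in use for the exact defaults, since they differ between pf versions.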





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OFC94C0503.15AA3760-ONC12570EA.0058265D>