From: Rolf Grossmann
To: freebsd-pf@freebsd.org
Date: Thu, 28 Sep 2006 23:30:48 +0200 (CEST)
Message-Id: <200609282130.k8SLUmU8089296@progtech.net>
Subject: BAD state/State failure with large number of requests

Hi,

I'm trying to use pf in a load-balancing setup, but it's giving me trouble.
So I have set up a simple test scenario that looks like this (not really
balancing anything ;)):

  Client       --            Balancer             --   Server
  10.25.0.100      em0: 10.25.0.41  em1: 10.1.1.1      10.1.1.2

On the server I'm running apache (on port 8080) with a static page.
On the Client, I'm running Apache's ab benchmark to generate a lot of
requests.

Now, if I have a route to 10.1.1.2 and I'm running

  ab -n 10000 -c 100 http://10.1.1.2:8080/index.html.en

(i.e. not using the nat/rdr rule, see below) everything works fine.
However, if I'm running

  ab -n 10000 -c 100 http://10.25.0.41:8080/index.html.en

it hangs around between 1000 and 3000 requests and on the balancer I get
lots of messages like those:

Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] [lo=2919421554 high=2919488162 win=33304 modulator=0 wscale=1] 9:9 S seq=2345137961 ack=2919421554 len=0 ackskew=0 pkts=6:5 dir=in,fwd
Sep 28 23:56:56 balancer kernel: pf: State failure on: 1 | 5

(Values for lo, high, seq and ack (obviously) and sometimes pkts are
varying.)

I've been searching the 'net and looking at similar reports, but so far
I haven't found any suggestions. I've of course increased the states limit
to handle the number of requests (see ruleset below), however I can't
figure out if it's a bug or a limit or what else I'm running into here.

Anyone, help, please?

Thanks, Rolf.

Here's the pf.conf:

# tables (for load balancing)
table persist { 10.1.1.2 }
table persist { 10.25.0.41 }

# options
set optimization conservative
set block-policy drop
set limit states 200000
set debug misc

# load balancing
rdr inet proto tcp to port 8080 -> port 8080 round-robin

# filter rules
# we're not trying to be a firewall, so just allow all traffic
pass all
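
An added example, not part of the original message: a small Python script for triaging a flood of the `pf: BAD state` lines quoted above. It parses each line into named fields, reports how far the logged seq lies outside each of the two logged [lo, high] ranges using 32-bit wraparound arithmetic, and counts lines by the fields that stay fixed. The function names and the choice to compare seq against both ranges are assumptions of this example.

```python
import re
from collections import Counter

# Constructed input: the two kernel lines quoted in the message above.
SAMPLE = [
    "Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 "
    "10.25.0.41:8080 10.25.0.100:52209 "
    "[lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] "
    "[lo=2919421554 high=2919488162 win=33304 modulator=0 wscale=1] "
    "9:9 S seq=2345137961 ack=2919421554 len=0 ackskew=0 pkts=6:5 dir=in,fwd",
    "Sep 28 23:56:56 balancer kernel: pf: State failure on: 1 | 5",
]

PEER = r"\[lo=(\d+) high=(\d+) win=\d+ modulator=\d+ wscale=\d+\]"
BAD_STATE = re.compile(
    r"pf: BAD state: (\S+) (\S+) (\S+) (\S+) " + PEER + " " + PEER +
    r" (\d+:\d+) (\S*) seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+)"
    r" pkts=(\d+:\d+) dir=(\S+)")

def outside(seq, lo, high):
    """Signed distance (mod 2**32) of seq outside [lo, high]; 0 if inside."""
    span = (high - lo) % 2**32
    off = (seq - lo) % 2**32
    if off <= span:
        return 0
    above = off - span        # how far past high
    below = 2**32 - off       # how far before lo
    return above if above <= below else -below

def parse(line):
    """Return the fields of one BAD state line, or None for any other line."""
    m = BAD_STATE.search(line)
    if not m:
        return None
    (proto, a, b, c, lo1, hi1, lo2, hi2, states, flags,
     seq, ack, length, skew, pkts, direction) = m.groups()
    return {"proto": proto, "addrs": (a, b, c), "states": states,
            "flags": flags, "seq": int(seq), "ack": int(ack),
            "len": int(length), "pkts": pkts, "dir": direction,
            "seq_vs_first": outside(int(seq), int(lo1), int(hi1)),
            "seq_vs_second": outside(int(seq), int(lo2), int(hi2))}

def summarize(lines):
    """Count BAD state lines by (state pair, TCP flags, direction)."""
    recs = [r for r in map(parse, lines) if r]
    return Counter((r["states"], r["flags"], r["dir"]) for r in recs)

if __name__ == "__main__":
    print(parse(SAMPLE[0]))
    print(summarize(SAMPLE))
```

Run over the full kernel log, `summarize` shows whether every report shares the same state pair and flags, which is the part of the line that does not vary between reports.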