From owner-freebsd-pf@FreeBSD.ORG Thu Jun 8 06:35:31 2006
Date: Wed, 7 Jun 2006 23:51:55 -0400
From: "Scott Ullrich"
To: "Mark Morley"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44876071-491e@helpdesk.islandnet.com>
References: <44876071-491e@helpdesk.islandnet.com>
Subject: Re: pf buggy on 6.1-STABLE?
On 6/7/06, Mark Morley wrote:
> Hi folks,
>
> Wondering if this rings any bells for anyone:
>
> After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> to 6.1-STABLE with pf, customers started reporting that occasionally
> their server side scripts would fail to connect to the SQL servers
> (which are still 4.11 and are attached via a separate dedicated
> gigabit network).
>
> A test page that makes 10,000 rapid SQL connections which connected 100%
> of the time before, now will usually see anywhere from one or two failed
> connections to a dozen or so (per 10,000).
>
> After trying many other things first, we finally found that 'pf' seems
> to be the culprit.
>
> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
>
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything. It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.
>
> I recompiled the kernel with pf disabled and ipfw enabled, and it works
> fine with 100% successful connections. We have no funky compiler options
> or anything like that.
>
> Any thoughts?

Did you increase the default state count from 10,000 to something higher?
Add this to your pf.conf:

set limit states 100000

Scott
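Before raising `set limit states`, it is worth confirming that the state table really is the bottleneck. The script below is an added example, not code from this thread or from the pf project: it parses the text of `pfctl -s info` and `pfctl -s memory`, compares the current number of state entries with the `states` hard limit, and reports the `memory` counter, which pf increments for every packet it dropped because it could not create a new state (pool exhausted or the states limit reached). The two sample outputs are constructed to look like a host still on the 10,000-state default; the column layout is assumed to match pfctl's and should be checked against your own output, and the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the original thread: report pf state-table
# pressure from the text of `pfctl -s info` and `pfctl -s memory`.
# On a live host:  check_pf_states "$(pfctl -s info)" "$(pfctl -s memory)"
# Both samples below are CONSTRUCTED (not captured output) and mimic a box
# still running the 10,000-state default discussed in the thread.

SAMPLE_INFO='Status: Enabled for 3 days 02:11:40           Debug: Urgent

State Table                          Total             Rate
  current entries                     9871
  searches                        88123456         339.9/s
  inserts                          4412230          17.0/s
  removals                         4402359          17.0/s
Counters
  match                            4412230          17.0/s
  bad-offset                             0            0.0/s
  memory                                17            0.0/s
  state-limit                            0            0.0/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# check_pf_states INFO_TEXT MEMORY_TEXT
# Prints one line:
#   "<current>/<limit> states (<pct>% used), memory drops=<n>, verdict=<OK|WARN|CRITICAL>"
# The "memory" counter under Counters is the number of packets pf dropped
# because it could not create a state; any non-zero value means connections
# have already been refused, which is exactly the symptom Mark describes.
check_pf_states() {
    current=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }')
    drops=$(printf '%s\n' "$1" | awk '$1 == "memory" { print $2 }')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" { print $4 }')
    if [ -z "$current" ] || [ -z "$limit" ] || [ -z "$drops" ]; then
        echo "unparseable pfctl output" >&2
        return 2
    fi
    pct=$(( current * 100 / limit ))
    if [ "$drops" -gt 0 ]; then
        verdict=CRITICAL      # pf has already refused state insertions
    elif [ "$pct" -ge 80 ]; then
        verdict=WARN          # headroom nearly gone; raise 'set limit states'
    else
        verdict=OK
    fi
    printf '%s/%s states (%s%% used), memory drops=%s, verdict=%s\n' \
        "$current" "$limit" "$pct" "$drops" "$verdict"
}

check_pf_states "$SAMPLE_INFO" "$SAMPLE_MEMORY"
```

Run against the constructed samples it reports 9871 of 10000 states in use with 17 dropped insertions, i.e. the table is full and pf is silently failing new connections; after raising the limit and reloading the ruleset, the `memory` counter should stop growing.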