Date: Thu, 8 Jun 2006 10:11:04 +0100 (BST)
From: "Dominic Marks"
To: "Mark Morley"
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
In-Reply-To: <44876071-491e@helpdesk.islandnet.com>

Mark Morley wrote:
> Hi folks,
>
> Wondering if this rings any bells for anyone:
>
> After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> to 6.1-STABLE with pf, customers started reporting that occasionally
> their server side scripts would fail to connect to the SQL servers
> (which are still 4.11 and are attached via a separate dedicated
> gigabit network).
>
> A test page that makes 10,000 rapid SQL connections which connected 100%
> of the time before, now will usually see anywhere from one or two failed
> connections to a dozen or so (per 10,000)
>
> After trying many other things first, we finally found that 'pf' seems
> to be the culprit.

I've experienced the same. If you have a lot of concurrent connections
going on it seems that every so often a connection will be blocked,
even if it doesn't match any rule.

In my case I experienced this with apache22 acting as a reverse
proxy/virtual host.

Symptoms:

1. Sudden burst of traffic to a specific virtual host.
2. After some time, normally <30 seconds one of the connection attempts is reset.
3. Apache immediately stops proxying for any subsequent connections and returning a 'too busy message'.

The project this was related to got shelved so it hasn't bothered me
again yet, but I didn't find any workaround.

> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.

Snap.

> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything. It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.

Same as me.

> I recompiled the kernel with pf disabled and ipfw enabled, and it works
> fine with 100% successful connections. We have no funky compiler options
> or anything like that.
>
> Any thoughts?
>
> Mark
>
> --
> Mark Morley
> Owner / Administrator
> Islandnet.com

Cheers,
Dom