Date: Thu, 8 Jun 2006 08:54:27 +0200 From: phoemix@harmless.hu (Gergely CZUCZY) To: Mark Morley <mark@islandnet.com> Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? Message-ID: <20060608065427.GA7985@marvin.harmless.hu> In-Reply-To: <44876071-491e@helpdesk.islandnet.com> References: <44876071-491e@helpdesk.islandnet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--uAKRQypu60I7Lcqm Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote: > Hi folks, >=20 > Wondering if this rings any bells for anyone: >=20 > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw > to 6.1-STABLE with pf, customers started reporting that occasionally > their server side scripts would fail to connect to the SQL servers > (which are still 4.11 and are attached via a separate dedicated > gigabit network). >=20 > A test page that makes 10,000 rapid SQL connections which connected 100% > of the time before, now will usually see anywhere from one or two failed > connections to a dozen or so (per 10,000) >=20 > After trying many other things first, we finally found that 'pf' seems > to be the culprit. >=20 > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. >=20 > I've tried changing the pf rule set in different ways, with and without > scrubbing, with and without queues, even to the point where I have a sing= le > rule that just allows everything. It doesn't seem to matter what the rul= es > actually are, just whether or not pf is enabled. >=20 > I recompiled the kernel with pf disabled and ipfw enabled, and it works > fine with 100% successful connections. We have no funky compiler options > or anything like that. >=20 > Any thoughts? could you show us the followings: - pf.conf - kernel configuration file - uname -a next time please include technical information along with the textual description of your problem Bye, Gergely Czuczy mailto: gergely.czuczy@harmless.hu PGP: http://phoemix.harmless.hu/phoemix.pgp Weenies test. Geniuses solve problems that arise. --uAKRQypu60I7Lcqm Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEh8mjbBsEN0U7BV0RAleyAKD1Ibe/HW0ODP9Y7mACLtS5k9jjmgCg3N+M WXSuAnVg78pn5GyLSXq1to0= =lSX8 -----END PGP SIGNATURE----- --uAKRQypu60I7Lcqm--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060608065427.GA7985>