From: phoemix@harmless.hu (Gergely CZUCZY)
Date: Thu, 8 Jun 2006 08:54:27 +0200
To: Mark Morley
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <20060608065427.GA7985@marvin.harmless.hu>
In-Reply-To: <44876071-491e@helpdesk.islandnet.com>

On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote:
> Hi folks,
>
> Wondering if this rings any bells for anyone:
>
> After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> to 6.1-STABLE with pf, customers started reporting that occasionally
> their server side scripts would fail to connect to the SQL servers
> (which are still 4.11 and are attached via a separate dedicated
> gigabit network).
>
> A test page that makes 10,000 rapid SQL connections which connected 100%
> of the time before, now will usually see anywhere from one or two failed
> connections to a dozen or so (per 10,000)
>
> After trying many other things first, we finally found that 'pf' seems
> to be the culprit.
>
> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
>
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything.  It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.
>
> I recompiled the kernel with pf disabled and ipfw enabled, and it works
> fine with 100% successful connections.  We have no funky compiler options
> or anything like that.
>
> Any thoughts?

Could you show us the following:
 - pf.conf
 - kernel configuration file
 - uname -a

Next time please include technical information along with
the textual description of your problem.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.