From: Daniel Hartmeier
To: Rolf Grossmann
Cc: freebsd-pf@freebsd.org
Date: Fri, 29 Sep 2006 09:41:59 +0200
Subject: Re: BAD state/State failure with large number of requests
Message-ID: <20060929074159.GD25341@insomnia.benzedrine.cx>
In-Reply-To: <451C540E.2010005@PROGTECH.net>
References: <200609282130.k8SLUmU8089296@progtech.net> <20060928215208.GC25341@insomnia.benzedrine.cx> <451C540E.2010005@PROGTECH.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Sep 29, 2006 at 01:00:30AM +0200, Rolf Grossmann wrote:

> I've been suspecting that the test is flawed, but I couldn't put my
> finger on it. However, I also need a way to actually test my
> application with a lot of requests and I wouldn't want to buy another
> server farm for that ;)

You could give the client multiple IP aliases and bind different
concurrent client instances to different aliases (all on the same single
client host); that would multiply the number of available source ports by
the number of IP aliases.

It seems ab doesn't have a command line option to make it bind to a
specific source address. You could either add a hack for that, or try
using jail to bind instances to aliases (if it can do that, not sure).

> That timeout seems awfully long to me. Is there some standard that
> mandates such a long timeout? At least for testing I will definitely
> lower that, too.

Yes, the original TCP RFC 793 [1] uses an MSL of two minutes, even.

In a local LAN test the MSL (Maximum Segment Lifetime), the time a TCP
packet can spend travelling through the network, is obviously much
shorter. On the internet, different packets could take different routes
through different paths between peers. If you send packets with TTL 255
(allowing up to 255 intermediate hops, each decrementing TTL by one when
forwarding packets), and assume latencies in the order of hundreds of
milliseconds between hops, I guess you can end up with an MSL in the order
of minutes in the worst case. That's hardly an issue on a local ethernet
segment ;)

Daniel.

[1] http://www.faqs.org/rfcs/rfc793.html
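As an added illustration (not code from the mail, from ab, or from pf), the following Python model shows why a single load-generating host runs out of unique source tuples: each closed connection leaves a state behind for 2*MSL, and once the client wraps around its ephemeral port range before those states expire, a new SYN hits a tuple the filter still holds. The MSL value is RFC 793's two minutes; the load rate and the 16384-port range are constructed figures.

```python
"""Model of ephemeral source-port reuse against a stateful filter's state
table (added example, not code from the mail or from pf itself).

Each finished connection leaves a (client addr, client port) state behind
for 2*MSL seconds. When a client cycles through its whole ephemeral port
range faster than those states expire, a new SYN lands on a tuple whose
old state is still present, the kind of mismatch a stateful filter reports
as a bad state. More client IP aliases enlarge the tuple space; a shorter
timeout drains it faster.
"""

MSL_RFC793 = 120.0            # seconds, MSL from RFC 793
TIME_WAIT = 2 * MSL_RFC793    # 2*MSL: how long a closed connection lingers
EPHEMERAL_PORTS = 16384       # constructed size of the client port range


def simulate(rate, duration, aliases=1, ports=EPHEMERAL_PORTS, timeout=TIME_WAIT):
    """Return (connections, collisions) for an evenly spread load.

    rate      new connections per second (constructed load)
    duration  seconds to simulate
    aliases   client source addresses used round-robin (like ab instances
              bound to several IP aliases); each alias has its own port counter
    ports     ephemeral ports available per address
    timeout   seconds a closed connection's state stays in the table
    """
    expires = {}      # (alias index, port index) -> time its state expires
    collisions = 0
    n = int(rate * duration)
    for i in range(n):
        now = i / rate
        tup = (i % aliases, (i // aliases) % ports)
        if expires.get(tup, -1.0) > now:
            collisions += 1     # SYN reuses a tuple still held in state
        expires[tup] = now + timeout
    return n, collisions


def max_rate(aliases=1, ports=EPHEMERAL_PORTS, timeout=TIME_WAIT):
    """Highest connection rate at which no tuple is reused before it expires."""
    return aliases * ports / timeout


if __name__ == "__main__":
    # One alias at 100 conn/s wraps the port range in ~164 s, well under 4 min.
    print("1 alias, 240 s timeout:", simulate(100, 600))
    # Either remedy from the mail removes the collisions.
    print("2 aliases, 240 s timeout:", simulate(100, 600, aliases=2))
    print("1 alias, 60 s timeout:", simulate(100, 600, timeout=60))
    print("ceiling per alias (conn/s): %.1f" % max_rate())
```

With the constructed figures, one alias sustains only about 68 new connections per second before tuples are reused inside the 4-minute window; a second alias or a 60-second timeout brings the collision count to zero.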