From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 3 Mar 2007 20:06:27 +0100
Subject: Re: PF performance problems
Message-Id: <200703032006.34064.max@love2party.net>
In-Reply-To: <45E99722.6030706@innter.net>

On Saturday 03 March 2007 16:41, Sergey N. Romanov wrote:
> Blake Covarrubias wrote:
> > Have you tried adjusting your state limit to a higher value in your
> > PF options?
>
> Yes, I have adjusted frags, src-nodes and states. Now this is possible
> to make about 400-500 requests/s. But this is not 4500 requests/s and
> too low for us in any case.

How do you test? Are you by chance using abench (or similar) from one
probe box? In this case you are most likely exhausting your ephemeral
portrange. pf might be too restrictive in enforcing this rule, but you
can change the behavior by changing the value for tcp.closed. Note that
this is purely due to the test setup and is unlikely to present itself in
a real-world situation - though some stupid reverse webcache setups are
prone to it as well.

In order to verify that this is the cause, you should enable debugging
output (pfctl -xm) and watch the console while testing. "pfctl -si" is
your friend as well.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
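
The single-probe-box effect described in the reply above, as an added example that is not part of the original message and is not pf code: a toy model showing how a small ephemeral port range combined with a long tcp.closed hold time caps the connection rate one client can sustain. The port range size, the timeout values, round-robin port reuse and the "refuse while an old state is held" rule are all assumptions of the model.

```python
# Added illustration: a toy model, not pf source code.
# Assumptions: one client IP hitting one server IP:port, source ports reused
# round-robin, connections close immediately, and the firewall refuses a new
# connection while an old state for the same source port is still held.

def simulate(rate, ports, closed_timeout, duration):
    """Return (accepted, blocked) attempt counts over `duration` seconds.

    rate            connection attempts per second from the probe box
    ports           size of the client's ephemeral port range
    closed_timeout  seconds the firewall keeps a closed state (tcp.closed)
    """
    hold = closed_timeout * rate      # state lifetime, measured in attempts
    last_ok = [None] * ports          # attempt index of last accepted use
    accepted = blocked = 0
    for i in range(rate * duration):
        port = i % ports              # round-robin port reuse
        prev = last_ok[port]
        if prev is not None and i - prev < hold:
            blocked += 1              # old state still occupies this tuple
        else:
            last_ok[port] = i
            accepted += 1
    return accepted, blocked


def accepted_per_second(rate, ports, closed_timeout, duration):
    """Average accepted connections per second over the test window."""
    accepted, _ = simulate(rate, ports, closed_timeout, duration)
    return accepted / duration


if __name__ == "__main__":
    PORTS = 16384   # assumed ephemeral range size (constructed value)
    RATE = 4500     # offered load, the target figure quoted in the thread
    # The first pass through the port range is always accepted, so short
    # windows read slightly above the long-run limit of ports / timeout.
    for timeout in (90, 30, 10, 1):   # assumed tcp.closed settings, seconds
        rps = accepted_per_second(RATE, PORTS, timeout, 600)
        print(f"tcp.closed={timeout:>2}s  accepted ~{rps:7.1f}/s  "
              f"long-run limit {PORTS / timeout:7.1f}/s")
```

Adding more client addresses or widening the port range in the model raises the ceiling the same way shortening the timeout does, which is why the effect is tied to the test setup.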