Date: Thu, 8 Jun 2006 07:06:00 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Dominic Marks" <dom@helenmarks.co.uk>
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <fee88ee40606080706u1adc618eo2c8ed889e7e3199f@mail.gmail.com>
In-Reply-To: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
References: <44876071-491e@helpdesk.islandnet.com> <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
Same issue here when using keep state. Specifically, it happened with PHP scripts accessing a remote MySQL database. I think it also happened with Qmail LDAP lookups. This happened even when I did not specify 'flags S/SA'. 'pass quick' (non-stateful) fixed the problems, but I wasn't satisfied with that for obvious reasons.

Client reusing source port before state expired seems like a good explanation for this. I should test that.

Kian

On 6/8/06, Dominic Marks <dom@helenmarks.co.uk> wrote:
>
> Mark Morley wrote:
> > Hi folks,
> >
> > Wondering if this rings any bells for anyone:
> >
> > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> > to 6.1-STABLE with pf, customers started reporting that occasionally
> > their server side scripts would fail to connect to the SQL servers
> > (which are still 4.11 and are attached via a separate dedicated
> > gigabit network).
> >
> > A test page that makes 10,000 rapid SQL connections which connected 100%
> > of the time before, now will usually see anywhere from one or two failed
> > connections to a dozen or so (per 10,000).
> >
> > After trying many other things first, we finally found that 'pf' seems
> > to be the culprit.
>
> I've experienced the same. If you have a lot of concurrent connections
> going on it seems that every so often a connection will be blocked,
> even if it doesn't match any rule. In my case I experienced this with
> apache22 acting as a reverse proxy/virtual host.
>
> Symptoms:
>
> 1. Sudden burst of traffic to a specific virtual host.
> 2. After some time, normally <30 seconds, one of the connection
>    attempts is reset.
> 3. Apache immediately stops proxying for any subsequent connections
>    and returns a 'too busy' message.
>
> The project this was related to got shelved so it hasn't bothered me
> again yet, but I didn't find any workaround.
> > Disabling pf with pfctl -d allows 100% of all connections to work, and
> > as soon as we enable it we see connection failures again.
>
> Snap.
>
> > I've tried changing the pf rule set in different ways, with and without
> > scrubbing, with and without queues, even to the point where I have a single
> > rule that just allows everything. It doesn't seem to matter what the rules
> > actually are, just whether or not pf is enabled.
>
> Same as me.
>
> > I recompiled the kernel with pf disabled and ipfw enabled, and it works
> > fine with 100% successful connections. We have no funky compiler options
> > or anything like that.
> >
> > Any thoughts?
> >
> > Mark
> >
> > --
> > Mark Morley
> > Owner / Administrator
> > Islandnet.com
> >
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
> Cheers,
> Dom
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
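The following pf.conf fragment is an added example, not configuration posted by anyone in this thread. It puts the stateful rule Kian describes ('flags S/SA keep state') next to the stateless 'pass quick' workaround, tightens the timeouts that govern how long a closed state lingers, and lists the pfctl checks a practitioner would run while the 10,000-connection test is going to test the source-port-reuse hypothesis. The interface name, addresses and the MySQL port are assumptions.

```pf
# Added example, not from the thread. Assumed names: $int_if is the dedicated
# gigabit interface, $web_srv the 6.1 web server, $sql_srv the 4.11 MySQL host.
int_if  = "em1"
web_srv = "10.0.1.10"
sql_srv = "10.0.1.20"

# Shorten how long a finished TCP state lingers. The shipped values
# (see `pfctl -st`) are tcp.finwait 45 and tcp.closed 90 seconds. A client
# that cycles through its ephemeral port range faster than that can reuse
# a source port while the old state still exists; the new SYN is then
# matched against the stale state instead of the rule, which is the
# failure mode Kian suspects. Such drops show up as "state-mismatch"
# in `pfctl -si`.
set timeout { tcp.finwait 15, tcp.closed 30 }

# Stateful rule: 'flags S/SA' means only a SYN without ACK may create
# state, so anything not starting a fresh handshake must match an
# existing state or is dropped.
pass out quick on $int_if proto tcp from $web_srv to $sql_srv port 3306 \
    flags S/SA keep state

# Stateless workaround mentioned in the thread. On 6.1 pf a rule without
# "keep state" is stateless (newer pf versions need "no state"); both
# directions must then be allowed explicitly and sequence checking is lost.
# pass out quick on $int_if proto tcp from $web_srv to $sql_srv port 3306
# pass in  quick on $int_if proto tcp from $sql_srv port 3306 to $web_srv

# Checks to run while the rapid-connection test is running:
#   pfctl -si               counters: watch whether "state-mismatch" climbs
#   pfctl -ss | grep 3306   states for the MySQL port and their TCP stages
#   pfctl -vsr              per-rule packet and state counters
#   pfctl -st               current timeout values
```

If "state-mismatch" rises in step with the failed connections and `pfctl -ss` shows FIN_WAIT_2 or TIME_WAIT entries for the same source port a new SYN is using, the source-port reuse explanation is confirmed and the timeout reduction is the targeted fix; the stateless rule should stay a last resort because it gives up the sequence and window checks that make stateful filtering worth having.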
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fee88ee40606080706u1adc618eo2c8ed889e7e3199f>