Date: Sun, 04 Mar 2007 02:07:42 +0600 From: "Sergey N. Romanov" <sr@innter.net> To: freebsd-pf@freebsd.org Subject: Re: PF performance problems Message-ID: <45E9D58E.1060705@innter.net> In-Reply-To: <200703032006.34064.max@love2party.net> References: <45E8D523.9010205@innter.net> <7D241F60-205C-4C1E-9054-C7E6DBDFE6F6@ekalb.net> <45E99722.6030706@innter.net> <200703032006.34064.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Max Laier wrote:
> How do you test? Are you by chance using abench (or similar) from one
> probe box?
I use bench software on another server. In case if I use bench software
on the same server we have about 2500 requests/s.
> ... but you can change the behavior by chaning the value for tcp.closed.
This is changed already. I have added in my config these lines
set limit { frags 64000, src-nodes 128000, states 128000 }
set timeout { tcp.closed 15 }
After this we have about 400-500 requests/s during tests.
> In order to verify that this is the cause, you should enable debugging
> output (pfctl -xm) and watch the console while testing. "pfctl -si" is
> your friend as well.
With "pfctl -si" I can see that state-mismatch counter grow.
With "pfctl -xm" I can see messages like this :
20:51:43 [0d] pf: State failure on: 1 | 5
20:51:43 [0d] pf: BAD state: TCP x.x.x.x:80 x.x.x.x:80 y.y.y.y:55186
[lo=655302705 high=655369312 win=33304 modulator=0 wscale=1]
[lo=783251017 high=783317625 win=33304 modulator=0 wscale=1] 9:9 S
seq=659466254 ack=783251017 len=0 ackskew=0 pkts=5:4 dir=in,fwd
That this mean?
--
Best regards,
Sergey N. Romanov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45E9D58E.1060705>