Date: Sat, 3 Mar 2007 20:06:27 +0100 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: PF performance problems Message-ID: <200703032006.34064.max@love2party.net> In-Reply-To: <45E99722.6030706@innter.net> References: <45E8D523.9010205@innter.net> <7D241F60-205C-4C1E-9054-C7E6DBDFE6F6@ekalb.net> <45E99722.6030706@innter.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Saturday 03 March 2007 16:41, Sergey N. Romanov wrote: > Blake Covarrubias wrote: > > Have you tried adjusting your state limit to a higher value in your > > PF options? > > Yes, I have adjusted frags, src-nodes and states. Now this is possible > to make about 400-500 requests/s. But this is not 4500 requests/s and > too low for us in any case. How do you test? Are you by chance using abench (or similar) from one probe box? In this case you are most likely exhausting your ephemeral portrange. pf might be too restrictive in enforcing this rule, but you can change the behavior by chaning the value for tcp.closed. Note that this is purely due to the test setup and is unlikely to present itself in a realworld situation - though some stupid reverse webcache setups are prone to it as well. In order to verify that this is the cause, you should enable debugging output (pfctl -xm) and watch the console while testing. "pfctl -si" is your friend as well. -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQBF6cc6XyyEoT62BG0RApABAJ4/I7iAWPx5BqPgE64zV5sH+uMZowCaA/jt hyiOAF41qACuzqqTz4RySX4= =eB+e -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200703032006.34064.max>