Date:      Fri, 7 Mar 2008 18:55:52 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: Res: Dropped Packets
Message-ID:  <200803071855.58986.max@love2party.net>
In-Reply-To: <745345.9793.qm@web53704.mail.re2.yahoo.com>
References:  <745345.9793.qm@web53704.mail.re2.yahoo.com>


[ please don't top-post ]

On Friday 07 March 2008, Lorenz Helleis wrote:
> I don't think that it is a hardware problem; sometimes the "congestion"
> rate increases to 1500.0/s and "state-mismatch" to 300.0/s.. I
> don't know if that is normal...
>
> I think that the connections are being dropped when the number of
> packets on the network increases a lot.
>
>
>
> Can you tell me about your firewall? I will need to install a bigger
> one here, and I'm a little afraid to do it. Can you show me some
> configuration? The traffic of your network? Hardware? Connections?
>
> Look at some of my configuration.... Do I need to increase something?
>
>
> # pfctl -sm
> states        hard limit   100000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
>
> # top
>
> load averages:  0.20,  0.12,  0.09                                    13:29:40
> 35 processes:  34 idle, 1 on processor
> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
> CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle
>
> # vmstat -i
>
> interrupt                       total     rate
> irq0/clock                  257506609      199
> irq0/ipi                    183393879      142
> irq81/em0                  8638587188     6706
> irq83/skc0                 6011660768     4667
> irq80/fxp0                 2292732543     1779

These interrupt numbers don't seem to match up with the above load
numbers.  I'd expect a higher interrupt load.  You could also try to
replace the sk(4) adapter with another em(4) or the like?  I have had
trouble with sk(4) in the past.

> irq64/ahc0                    7012560        5
> irq112/pckbc0                       8        0
> Total                     17390893555    13501
>
> # pfctl -si
>
> State Table                          Total             Rate
>   current entries                     5005
>   searches                     30026832082       441000.4/s

441kpps is quite a load!  And this is with only 5000 connections.  While
FreeBSD can forward 1Mpps and more on commodity hardware, 500-700kpps is
probably the limit with (sensible) firewalling.  I'd be surprised if you
could do significantly better with anything else.  N.B. that this could
be improved by using fine grained locking for pf - this has been on my TODO
list for quite some time, but I haven't got to it yet.

>   inserts                        406964726         5977.0/s
>   removals                       406959721         5977.0/s
> Counters
>   match                          417436387         6130.8/s
>   bad-offset                             0            0.0/s
>   fragment                            1939            0.0/s
>   short                                154            0.0/s
>   normalize                          34858            0.5/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                        834349           12.3/s
>   ip-option                             24            0.0/s
>   proto-cksum                         5572            0.1/s
>   state-mismatch                    491286            7.2/s
>
>
>
>
>
> Proverbs 1:27
>
>     But God chose the foolish things of this world to confound the
> wise; and God chose the weak things of this world to confound the
> strong;
>
> ----- Original message ----
> From: Chris Marlatt <cmarlatt@rxsec.com>
> To: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
> Cc: freebsd-pf@freebsd.org
> Sent: Friday, 7 March 2008 12:26:03
> Subject: Re: Dropped Packets
>
> Lorenz Helleis wrote:
> > hello.
> >
> > I have a firewall with 75,000 simultaneous connections, and I set the
> > limit to 100,000.
> >
> > I think the hardware is OK, but when the traffic on the network
> > increases, some connections are dropped.  I did not increase any other
> > value, like tables, src-nodes.... How do I know if everything is OK
> > with the other values?
> >
> > What happens if the number of connections reaches the limit of 100,000?
> > Will it drop the idle connections? Or what?
>
> From my experience new connections will appear to time out, as PF has no
> more sessions available for new connections. As sessions die off
> organically new connections will be permitted, but there is nothing
> actively killing old / idle connections to make way for new sessions if
> the limit is reached.
>
>
> Depending on how much memory you have you should be fine increasing the
> max session limit. I've had some of my firewalls over 1,000,000
> sessions without a problem.
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> cpu usage are you seeing when you start dropping the packets?
>
> Regards,
>
>     Chris
>
>
>
>
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"



-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
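The thread turns on two things a pf operator has to watch: how close "current entries" in "pfctl -si" sits to the "states" hard limit in "pfctl -sm" (once the table is full, new connections simply time out, as Chris describes), and which counters are moving. The script below is an added example, not code from the thread or from the pf project; it wraps the two pfctl outputs in small sh/awk functions so the check can run from cron or a monitoring agent. The two sample outputs are constructed from the figures Lorenz quoted, and the function names (state_limit, current_states, counter_rate, state_usage_pct, check_headroom, report) and the 80% threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): a state-table headroom check over the
# text of "pfctl -sm" and "pfctl -si". The two samples below are constructed
# from the numbers quoted in the thread; on a live firewall feed the real
# output instead, e.g.  pfctl -sm | state_limit
PFCTL_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

PFCTL_SI='State Table                          Total             Rate
  current entries                     5005
  searches                     30026832082       441000.4/s
  inserts                        406964726         5977.0/s
  removals                       406959721         5977.0/s
Counters
  match                          417436387         6130.8/s
  memory                                 0            0.0/s
  congestion                        834349           12.3/s
  state-mismatch                    491286            7.2/s'

# state_limit: the "states" hard limit from "pfctl -sm" text on stdin
state_limit() { awk '$1 == "states" && $2 == "hard" { print $4 }'; }

# current_states: the "current entries" value from "pfctl -si" text on stdin
current_states() { awk '$1 == "current" && $2 == "entries" { print $3 }'; }

# counter_rate NAME: per-second rate of one "pfctl -si" counter on stdin,
# with the trailing "/s" stripped (e.g. "12.3")
counter_rate() { awk -v n="$1" '$1 == n { sub(/\/s$/, "", $3); print $3 }'; }

# state_usage_pct LIMIT CURRENT: integer percentage of the state table in use
state_usage_pct() { echo $(( $2 * 100 / $1 )); }

# check_headroom LIMIT CURRENT THRESHOLD_PCT: prints "warn" when usage has
# reached the threshold, "ok" otherwise. Warning early leaves time to raise
# "set limit states N" in pf.conf before pf starts refusing new states.
check_headroom() {
  if [ "$(state_usage_pct "$1" "$2")" -ge "$3" ]; then echo warn; else echo ok; fi
}

# report: one-shot summary over the samples above, threshold 80%. A non-zero
# "memory" rate while current entries sit at the limit is the sign that pf
# could not allocate states (pf charges failed state allocation to that
# counter); "congestion" and "state-mismatch" are the ones Lorenz asked about.
report() {
  limit=$(printf '%s\n' "$PFCTL_SM" | state_limit)
  cur=$(printf '%s\n' "$PFCTL_SI" | current_states)
  printf 'states: %s / %s (%s%%) -> %s\n' "$cur" "$limit" \
      "$(state_usage_pct "$limit" "$cur")" "$(check_headroom "$limit" "$cur" 80)"
  for c in memory congestion state-mismatch; do
    printf '%-15s %8s/s\n' "$c" "$(printf '%s\n' "$PFCTL_SI" | counter_rate "$c")"
  done
}

report
```

With Lorenz's steady-state figure of 75,000 states against a 100,000 limit the check returns "ok" at an 80% threshold but "warn" at 70%, which is the point of the exercise: pick the threshold from your peak, not your average, since nothing in pf evicts idle states to make room when the table fills.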



