Date: Wed, 7 Jun 2006 23:51:55 -0400
From: "Scott Ullrich" <sullrich@gmail.com>
To: "Mark Morley" <mark@islandnet.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <d5992baf0606072051q786670a2na8f89e8904d85d23@mail.gmail.com>
In-Reply-To: <44876071-491e@helpdesk.islandnet.com>
References: <44876071-491e@helpdesk.islandnet.com>

On 6/7/06, Mark Morley <mark@islandnet.com> wrote:
> Hi folks,
>
> Wondering if this rings any bells for anyone:
>
> After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> to 6.1-STABLE with pf, customers started reporting that occasionally
> their server side scripts would fail to connect to the SQL servers
> (which are still 4.11 and are attached via a separate dedicated
> gigabit network).
>
> A test page that makes 10,000 rapid SQL connections which connected 100%
> of the time before, now will usually see anywhere from one or two failed
> connections to a dozen or so (per 10,000)
>
> After trying many other things first, we finally found that 'pf' seems
> to be the culprit.
>
> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
>
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything. It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.
>
> I recompiled the kernel with pf disabled and ipfw enabled, and it works
> fine with 100% successful connections. We have no funky compiler options
> or anything like that.
>
> Any thoughts?

Did you increase the default state count from 10,000 to something
higher? Add this to your pf.conf:

set limit states 100000

Scott
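
An added example, not part of the original message: a shell check that compares pf's current state count with the configured hard limit, to confirm whether the state table is what is filling up before raising `set limit states`. The sample text is constructed and modeled on `pfctl -s info` and `pfctl -s memory` output; the function names and the 80% threshold are assumptions of this example.

```sh
# Constructed sample text; the column layout is assumed to match
# what `pfctl -s info` and `pfctl -s memory` print on the host.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9987
  searches                        48211930         1204.3/s
  inserts                           910422           22.7/s
  removals                          900435           22.5/s
Counters
  match                             915001           22.9/s
  memory                                37            0.0/s'

SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Print the "current entries" value from `pfctl -s info` text on stdin.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Print the states hard limit from `pfctl -s memory` text on stdin.
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Print the "memory" counter (packets dropped for lack of memory).
# Reading a nonzero value as a hint of state exhaustion is an assumption.
pf_memory_drops() {
    awk '$1 == "memory" { print $2; exit }'
}

# Usage: pf_state_check CURRENT LIMIT DROPS [WARN_PERCENT]
# Prints OK or WARN with the numbers; returns 1 on WARN, 2 on bad input.
pf_state_check() {
    cur=$1; lim=$2; drops=${3:-0}; warn=${4:-80}
    if [ -z "$cur" ] || [ "${lim:-0}" -le 0 ]; then
        echo "ERROR could not parse pfctl output"; return 2
    fi
    pct=$(( cur * 100 / lim ))
    if [ "$pct" -ge "$warn" ] || [ "$drops" -gt 0 ]; then
        echo "WARN states=$cur/$lim (${pct}%) memory_drops=$drops"
        return 1
    fi
    echo "OK states=$cur/$lim (${pct}%) memory_drops=$drops"
}

# Live host: pfctl -s info | pf_current_states; pfctl -s memory | pf_state_limit
```

Sampling this while the 10,000-connection test page runs shows whether the table approaches the limit at the moment connections fail.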