From: Mark Morley
To: freebsd-pf@freebsd.org, freebsd-stable@freebsd.org
Date: Wed, 7 Jun 2006 16:25:37 -0700
Message-ID: <44876071-491e@helpdesk.islandnet.com>
Subject: pf buggy on 6.1-STABLE?
List-Id: Production branch of FreeBSD source code

Hi folks,

Wondering if this rings any bells for anyone:

After upgrading a handful of web servers from FreeBSD 4.11 with ipfw to 6.1-STABLE with pf, customers started reporting that occasionally their server side scripts would fail to connect to the SQL servers (which are still 4.11 and are attached via a separate dedicated gigabit network). A test page that makes 10,000 rapid SQL connections which connected 100% of the time before, now will usually see anywhere from one or two failed connections to a dozen or so (per 10,000).

After trying many other things first, we finally found that 'pf' seems to be the culprit. Disabling pf with pfctl -d allows 100% of all connections to work, and as soon as we enable it we see connection failures again.

I've tried changing the pf rule set in different ways, with and without scrubbing, with and without queues, even to the point where I have a single rule that just allows everything. It doesn't seem to matter what the rules actually are, just whether or not pf is enabled.

I recompiled the kernel with pf disabled and ipfw enabled, and it works fine with 100% successful connections. We have no funky compiler options or anything like that.

Any thoughts?

Mark

--
Mark Morley
Owner / Administrator
Islandnet.com