Date: Thu, 8 Jun 2006 10:11:04 +0100 (BST) From: "Dominic Marks" <dom@helenmarks.co.uk> To: "Mark Morley" <mark@islandnet.com> Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf buggy on 6.1-STABLE? Message-ID: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk> In-Reply-To: <44876071-491e@helpdesk.islandnet.com> References: <44876071-491e@helpdesk.islandnet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Mark Morley wrote: > Hi folks, > > Wondering if this rings any bells for anyone: > > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw > to 6.1-STABLE with pf, customers started reporting that occasionally > their server side scripts would fail to connect to the SQL servers > (which are still 4.11 and are attached via a separate dedicated > gigabit network). > > A test page that makes 10,000 rapid SQL connections which connected > 100% > of the time before, now will usually see anywhere from one or two > failed > connections to a dozen or so (per 10,000) > > After trying many other things first, we finally found that 'pf' seems > to be the culprit. I've experienced the same. If you have a lot of concurrent connections going on it seems that every so often an connection will be blocked, even if it doesnt match any rule. In my case I experienced this with apache22 acting as a reverse proxy/virtual host. Symptoms: 1. Sudden burst of traffic to a specific virtual host. 2. After some time, normally <30 seconds one of the connection attempts is reset. 3. Apache immediately stops proxying for any subsequent connections and returning a 'too busy message'. The project this was related to got shelved so it hasn't bothered me again yet, but I didn't find any workaround. > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. Snap. > I've tried changing the pf rule set in different ways, with and > without > scrubbing, with and without queues, even to the point where I have a > single > rule that just allows everything. It doesn't seem to matter what the > rules > actually are, just whether or not pf is enabled. Same as me. > I recompiled the kernel with pf disabled and ipfw enabled, and it > works > fine with 100% successful connections. We have no funky compiler > options > or anything like that. > > Any thoughts? > > Mark > > -- > Mark Morley > Owner / Administrator > Islandnet.com > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to > "freebsd-stable-unsubscribe@freebsd.org" > Cheers, Dom
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4459.195.12.22.194.1149757864.squirrel>