pf buggy on 6.1-STABLE?

Mark Morley mark at islandnet.com
Wed Jun 7 18:45:05 PDT 2006


Hi folks,

Wondering if this rings any bells for anyone:

After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
to 6.1-STABLE with pf, customers started reporting that occasionally
their server-side scripts would fail to connect to the SQL servers
(which are still 4.11 and are attached via a separate dedicated
gigabit network).

A test page that makes 10,000 rapid SQL connections, which connected 100%
of the time before, now will usually see anywhere from one or two failed
connections to a dozen or so (per 10,000).

After trying many other things first, we finally found that 'pf' seems
to be the culprit.

Disabling pf with pfctl -d allows 100% of all connections to work, and
as soon as we enable it we see connection failures again.

I've tried changing the pf rule set in different ways, with and without
scrubbing, with and without queues, even to the point where I have a single
rule that just allows everything.  It doesn't seem to matter what the rules
actually are, just whether or not pf is enabled.

I recompiled the kernel with pf disabled and ipfw enabled, and it works
fine with 100% successful connections.  We have no funky compiler options
or anything like that.

Any thoughts?

Mark

--
Mark Morley
Owner / Administrator
Islandnet.com
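
Added example, not part of the original post: a stand-alone version of the kind of rapid-connection test described above, for measuring the failure rate with pf enabled and disabled. It assumes plain TCP connects stand in for the SQL client (the post does not show its test page); the name `probe` and the bind-before-connect step are choices made here.

```python
import errno
import socket
import sys
from collections import Counter


def probe(host, port, attempts=10000, timeout=3.0):
    """Open `attempts` sequential TCP connections to host:port.

    Returns (reasons, failed_ports): a Counter of failure reasons
    (errno names, or the exception class name for timeouts) and the
    local source port of every failed attempt.
    """
    reasons = Counter()
    failed_ports = []
    for _ in range(attempts):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        sport = None
        try:
            # Assumption of this example: bind first so the ephemeral
            # source port is known even when connect() fails. This can
            # change port selection compared with a plain connect().
            s.bind(("", 0))
            sport = s.getsockname()[1]
            s.connect((host, port))
        except OSError as e:
            # A timeout (SYN or SYN/ACK silently dropped) has no errno;
            # a refused or reset connection reports ECONNREFUSED/ECONNRESET.
            reasons[errno.errorcode.get(e.errno, type(e).__name__)] += 1
            failed_ports.append(sport)
        finally:
            s.close()
    return reasons, failed_ports


if __name__ == "__main__":
    # usage: probe.py HOST PORT [ATTEMPTS]
    host, port = sys.argv[1], int(sys.argv[2])
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 10000
    reasons, ports = probe(host, port, n)
    print(f"{sum(reasons.values())} of {n} connections failed")
    for reason, count in reasons.most_common():
        print(f"  {reason}: {count}")
    print("source ports of failed attempts:", ports)
```

Run it once after `pfctl -d` and once after `pfctl -e`; the source ports of failed attempts can then be looked up in the state table shown by `pfctl -ss`.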



