pf buggy on 6.1-STABLE?

Scott Ullrich sullrich at gmail.com
Wed Jun 7 23:35:31 PDT 2006


On 6/7/06, Mark Morley <mark at islandnet.com> wrote:
> Hi folks,
>
> Wondering if this rings any bells for anyone:
>
> After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> to 6.1-STABLE with pf, customers started reporting that occasionally
> their server side scripts would fail to connect to the SQL servers
> (which are still 4.11 and are attached via a separate dedicated
> gigabit network).
>
> A test page that makes 10,000 rapid SQL connections which connected 100%
> of the time before, now will usually see anywhere from one or two failed
> connections to a dozen or so (per 10,000).
>
> After trying many other things first, we finally found that 'pf' seems
> to be the culprit.
>
> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
>
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything.  It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.
>
> I recompiled the kernel with pf disabled and ipfw enabled, and it works
> fine with 100% successful connections.  We have no funky compiler options
> or anything like that.
>
> Any thoughts?

Did you increase the default state count from 10,000 to something higher?

Add this to your pf.conf:

set limit states 100000

Scott
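The check a practitioner would run before (and after) raising the limit Scott mentions, as an added example that is not part of the thread: a POSIX sh script that parses constructed samples of `pfctl -sm` (hard limits) and `pfctl -si` (status) output and reports how close the state table is to `set limit states`, and whether insertions have already been refused. The `memory` and `state-limit` counter names are assumed from pf's status output; the sample values are constructed.

```shell
#!/bin/sh
# Added example: measure pf state-table headroom from pfctl output (constructed samples, runs offline).
# Constructed sample of `pfctl -sm` output; 10000 is pf's default hard limit on states.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Constructed sample of `pfctl -si` output, trimmed to the lines parsed below.
# "memory" and "state-limit" are assumed to be the counters for refused state insertions.
SAMPLE_INFO='Status: Enabled for 0 days 02:11:40           Debug: Urgent
State Table                          Total             Rate
  current entries                     9214
Counters
  match                              44297             5.6/s
  memory                                37             0.0/s
  state-limit                          141             0.0/s'

# state_limit LIMITS -> hard limit on states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# current_states INFO -> number of entries in the state table right now
current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# counter INFO NAME -> total for that counter, 0 if the line is absent
counter() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { found = 1; print $2 } END { if (!found) print 0 }'
}

# state_util_pct LIMITS INFO -> integer percent of the state limit in use
state_util_pct() {
    lim=$(state_limit "$1"); cur=$(current_states "$2")
    [ -n "$lim" ] && [ "$lim" -gt 0 ] && [ -n "$cur" ] || return 1
    echo $(( cur * 100 / lim ))
}

# check_pf_states LIMITS INFO -> OK/WARN line; returns 1 when headroom is under 20%
# or when any insertion has already been refused (the intermittent connection failures above)
check_pf_states() {
    pct=$(state_util_pct "$1" "$2") || return 1
    dropped=$(( $(counter "$2" memory) + $(counter "$2" state-limit) ))
    if [ "$pct" -ge 80 ] || [ "$dropped" -gt 0 ]; then
        echo "WARN: states at ${pct}% of limit, ${dropped} insertions refused; raise 'set limit states'"
        return 1
    fi
    echo "OK: states at ${pct}% of limit, no refused insertions"
}
```

On a live box feed it `"$(pfctl -sm)"` and `"$(pfctl -si)"` instead of the samples; a non-zero `memory` or `state-limit` counter with pf enabled is the signature of the symptom Mark describes.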

