pf buggy on 6.1-STABLE?

Dominic Marks dom at helenmarks.co.uk
Thu Jun 8 03:41:18 PDT 2006


Mark Morley wrote:
> Hi folks,
>
> Wondering if this rings any bells for anyone:
>
> After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> to 6.1-STABLE with pf, customers started reporting that occasionally
> their server side scripts would fail to connect to the SQL servers
> (which are still 4.11 and are attached via a separate dedicated
> gigabit network).
>
> A test page that makes 10,000 rapid SQL connections which connected
> 100% of the time before, now will usually see anywhere from one or two
> failed connections to a dozen or so (per 10,000)
>
> After trying many other things first, we finally found that 'pf' seems
> to be the culprit.

I've experienced the same. If you have a lot of concurrent connections
going on it seems that every so often a connection will be blocked,
even if it doesn't match any rule. In my case I experienced this with
apache22 acting as a reverse proxy/virtual host.

Symptoms:

1. Sudden burst of traffic to a specific virtual host.
2. After some time, normally <30 seconds, one of the connection
attempts is reset.
3. Apache immediately stops proxying for any subsequent connections
and returns a 'too busy message'.

The project this was related to got shelved so it hasn't bothered me
again yet, but I didn't find any workaround.

> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.

Snap.

> I've tried changing the pf rule set in different ways, with and
> without scrubbing, with and without queues, even to the point where I
> have a single rule that just allows everything.  It doesn't seem to
> matter what the rules actually are, just whether or not pf is enabled.

Same as me.

> I recompiled the kernel with pf disabled and ipfw enabled, and it
> works fine with 100% successful connections.  We have no funky
> compiler options or anything like that.
>
> Any thoughts?
>
> Mark
>
> --
> Mark Morley
> Owner / Administrator
> Islandnet.com

Cheers,
Dom

