pf buggy on 6.1-STABLE?

Kian Mohageri kian.mohageri at gmail.com
Thu Jun 8 15:27:31 UTC 2006


Same issue here when using keep state.  Specifically, it happened with PHP
scripts accessing a remote MySQL database.  I think it also happened with
Qmail LDAP lookups.  This happened even when I did not specify 'flags S/SA'.

'pass quick' (non-stateful) fixed the problems but I wasn't satisfied with
that for obvious reasons.

Client reusing source port before state expired seems like a good
explanation for this.  I should test that.

Kian

On 6/8/06, Dominic Marks <dom at helenmarks.co.uk> wrote:
>
> Mark Morley wrote:
> > Hi folks,
> >
> > Wondering if this rings any bells for anyone:
> >
> > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> > to 6.1-STABLE with pf, customers started reporting that occasionally
> > their server side scripts would fail to connect to the SQL servers
> > (which are still 4.11 and are attached via a separate dedicated
> > gigabit network).
> >
> > A test page that makes 10,000 rapid SQL connections which connected 100%
> > of the time before, now will usually see anywhere from one or two failed
> > connections to a dozen or so (per 10,000)
> >
> > After trying many other things first, we finally found that 'pf' seems
> > to be the culprit.
>
> I've experienced the same. If you have a lot of concurrent connections
> going on it seems that every so often a connection will be blocked,
> even if it doesn't match any rule. In my case I experienced this with
> apache22 acting as a reverse proxy/virtual host.
>
> Symptoms:
>
> 1. Sudden burst of traffic to a specific virtual host.
> 2. After some time, normally <30 seconds, one of the connection
> attempts is reset.
> 3. Apache immediately stops proxying for any subsequent connections
> and returns a 'too busy' message.
>
> The project this was related to got shelved so it hasn't bothered me
> again yet, but I didn't find any workaround.
>
> > Disabling pf with pfctl -d allows 100% of all connections to work, and
> > as soon as we enable it we see connection failures again.
>
> Snap.
>
> > I've tried changing the pf rule set in different ways, with and without
> > scrubbing, with and without queues, even to the point where I have a single
> > rule that just allows everything.  It doesn't seem to matter what the rules
> > actually are, just whether or not pf is enabled.
>
> Same as me.
>
> > I recompiled the kernel with pf disabled and ipfw enabled, and it works
> > fine with 100% successful connections.  We have no funky compiler options
> > or anything like that.
> >
> > Any thoughts?
> >
> > Mark
> >
> > --
> > Mark Morley
> > Owner / Administrator
> > Islandnet.com
> >
> >
> > _______________________________________________
> > freebsd-stable at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to
> > "freebsd-stable-unsubscribe at freebsd.org"
> >
>
> Cheers,
> Dom
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
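An added, constructed harness (not code from anyone in this thread) that models the 10,000-connection test page and Kian's source-port-reuse hypothesis: it opens many short-lived TCP connections, counts failed connects, and counts how often the client's ephemeral source port recurs within an assumed state lifetime, which is the condition under which a stateful pf rule would still hold a live entry for that 4-tuple. The loopback listener standing in for the SQL server, the connection count and the 60-second window are all assumptions.

```python
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for the SQL server: accepts and immediately closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(128)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by the caller
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def rapid_connect_test(host, port, count, reuse_window=60.0):
    """Open `count` short-lived connections; report failures and source-port reuse.

    reuse_window is an assumed pf state lifetime in seconds: a client source
    port seen again within that window would collide with a still-live state.
    """
    last_seen = {}               # source port -> time it was last used
    failures = 0
    reused = 0
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(2.0)
        try:
            s.connect((host, port))
            sport = s.getsockname()[1]
            now = time.monotonic()
            if sport in last_seen and now - last_seen[sport] < reuse_window:
                reused += 1
            last_seen[sport] = now
        except OSError:          # connect refused, reset or timed out
            failures += 1
        finally:
            s.close()
    return {"attempts": count, "failures": failures, "reused_ports": reused}
```

Run it against the real SQL host with pf enabled and then disabled; a non-zero failure count only when pf is on, alongside a non-zero reuse count, supports the source-port-reuse explanation.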

