PF performance problems

[Sergey N. Romanov]

Max Laier wrote:

> How do you test?  Are you by chance using abench (or similar) from one 
> probe box?  

I use bench software on another server. In case if I use bench software
on the same server we have about 2500 requests/s.

> ... but you can change the behavior by chaning the value for tcp.closed.

This is changed already. I have added in my config these lines

set limit { frags 64000, src-nodes 128000, states 128000 }
set timeout { tcp.closed 15 }

After this we have about 400-500 requests/s during tests.

> In order to verify that this is the cause, you should enable debugging 
> output (pfctl -xm) and watch the console while testing.  "pfctl -si" is 
> your friend as well.

With "pfctl -si" I can see that state-mismatch counter grow.
With "pfctl -xm" I can see messages like this :

20:51:43 [0d] pf: State failure on: 1       | 5
20:51:43 [0d] pf: BAD state: TCP x.x.x.x:80 x.x.x.x:80 y.y.y.y:55186
[lo=655302705 high=655369312 win=33304 modulator=0 wscale=1]
[lo=783251017 high=783317625 win=33304 modulator=0 wscale=1] 9:9 S
seq=659466254 ack=783251017 len=0 ackskew=0 pkts=5:4 dir=in,fwd


That this mean?



-- 

Best regards,
Sergey N. Romanov