On 7/13/07, TuxR <[EMAIL PROTECTED]> wrote:
Hello.

I am trying to use OpenBSD under high load and have problems with PF.

When there are very many connections to the server, at some point other
connections just fail.

I try to use a simple test application that creates 1000 connections to
the server for 1000 iterations. The maximum number I have observed with pf was
'12', but with 'pfctl -d' the whole cycle works successfully ('1000').

I try to use the following simple test application:

Also I have seen the same when testing 'ab' from the apache2
distribution. 'ab -c 100 -n 100': maximum 9 iterations with pf enabled
and 100 without.

There is instant connection closing if "keep state" is enabled. When
"keep state" is disabled there is the following behaviour: at some moment
the program is waiting for a reply but does not get it, and the connection also
closes because of a timeout.

I have seen no problems in the tcpdump reports. Also no blocked packets
were on the pflog0 interface ('block log all' rule).

I am sure that the states limit is not exceeded. Now I have

set limit states                        500000
set limit src-nodes                     50000
set limit frags                         32000

And `pfctl -si` has normal values.

The 'antispoof' and 'scrub' options have no effect. 'set optimization'
makes it worse.

I have seen the same behaviour in real use: when there are many
connections, at some point they just close.

Any help will be appreciated. Many thanks.

P.S. Sorry for my bad English.


Study the excellent 3-part series by an OpenBSD developer at
http://undeadly.org/cgi?action=article&sid=20060927091645&mode=expanded
If, after following his advice, your firewall still does not perform
adequately, come back here with a posting of:

1) dmesg to see what kind of hardware you are using

2) vmstat -i output to show the interrupt rate of the NICs
Using 'systat vmstat' will give you a 'live' view of the interrupt
rate and other resources

3) netstat -m output to see the mbuf stats

4) your pf.conf

Others may have additional suggestions of course ;)

=Adriaan=
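As an added example, not something posted in this thread, here is a small POSIX sh script that gathers the items Adriaan asks for (plus `pfctl -si` and `pfctl -sm`, the latter being the pfctl switch that prints the hard limits) into a directory, and that reports how full the state table is against its hard limit, which is the first thing to verify when connections start failing under load. The two pfctl outputs embedded in it are constructed samples that mirror the poster's limits; the script name `pfdiag.sh` and the exact column layout of those outputs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): collect the diagnostics the reply asks
# for and sanity-check the state table against its hard limit.
# Assumption: pfctl -si / pfctl -sm print the layouts shown in the samples.

# Constructed sample of `pfctl -si` output, trimmed to the lines read below.
SAMPLE_SI='Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                       12
  searches                           48218            0.0/s
  inserts                             2345            0.0/s
  removals                            2333            0.0/s'

# Constructed sample of `pfctl -sm` output (limits match the poster's pf.conf).
SAMPLE_SM='states        hard limit   500000
src-nodes     hard limit    50000
frags         hard limit    32000
tables        hard limit     1000
table-entries hard limit   200000'

# Print the "current entries" count from pfctl -si text on stdin.
current_entries() {
    awk '/^ *current entries/ { print $3; exit }'
}

# Print the hard limit for pool $1 (states, src-nodes, frags, ...) from
# pfctl -sm text on stdin.
hard_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" { print $4; exit }'
}

# Integer percentage of $1 used out of $2; 0 when the limit is unknown or zero.
usage_pct() {
    awk -v used="$1" -v limit="$2" \
        'BEGIN { if (limit + 0 == 0) print 0; else printf "%d\n", used * 100 / limit }'
}

# One-line report "states USED/LIMIT (PCT%)" built from the two pfctl outputs.
state_report() {
    used=$(printf '%s\n' "$1" | current_entries)
    limit=$(printf '%s\n' "$2" | hard_limit states)
    printf 'states %s/%s (%s%%)\n' "$used" "$limit" "$(usage_pct "$used" "$limit")"
}

# Save the outputs the reply asks for into directory $1; any command that is
# not present on this host (e.g. a non-OpenBSD box) is skipped.
collect_diag() {
    dir="$1"
    mkdir -p "$dir"
    for cmd in 'dmesg' 'vmstat -i' 'netstat -m' 'pfctl -si' 'pfctl -sm'; do
        name=$(printf '%s' "$cmd" | tr ' ' '_')
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            $cmd > "$dir/$name.txt" 2>&1 || true
        fi
    done
    [ -r /etc/pf.conf ] && cp /etc/pf.conf "$dir/pf.conf"
    return 0
}

# Usage: sh pfdiag.sh collect /tmp/pf-diag   (on the firewall, as root)
#        sh pfdiag.sh                        (runs the check on the samples)
if [ "${1:-}" = collect ]; then
    collect_diag "${2:-./pf-diag}"
    if command -v pfctl >/dev/null 2>&1; then
        state_report "$(pfctl -si 2>/dev/null)" "$(pfctl -sm 2>/dev/null)"
    fi
else
    state_report "$SAMPLE_SI" "$SAMPLE_SM"
fi
```

The report line is what the poster's own numbers would produce (12 states against a 500000 hard limit), which supports the claim that the state limit is not the bottleneck; the same `hard_limit` helper can be pointed at `src-nodes` or `frags` to check the other pools, and the raw `vmstat -i` and `netstat -m` files are saved verbatim so they can be pasted into a follow-up posting.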
