PF performance problems
Max Laier
max at love2party.net
Sat Mar 3 19:06:41 UTC 2007
On Saturday 03 March 2007 16:41, Sergey N. Romanov wrote:
> Blake Covarrubias wrote:
> > Have you tried adjusting your state limit to a higher value in your
> > PF options?
>
> Yes, I have adjusted frags, src-nodes and states. Now this is possible
> to make about 400-500 requests/s. But this is not 4500 requests/s and
> too low for us in any case.

How do you test? Are you by chance using abench (or similar) from one
probe box? In this case you are most likely exhausting your ephemeral
port range. pf might be too restrictive in enforcing this rule, but you
can change the behavior by changing the value for tcp.closed. Note that
this is purely due to the test setup and is unlikely to present itself in
a real-world situation - though some stupid reverse webcache setups are
prone to it as well.

In order to verify that this is the cause, you should enable debugging
output (pfctl -xm) and watch the console while testing. "pfctl -si" is
your friend as well.

--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
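
Added example (not part of the message above and not code from the pf project): a shell helper that compares two saved "pfctl -si" snapshots, taken before and after a test run, and lists the counters that grew. The snapshot text is constructed sample data, and reading a rising state-mismatch counter as the sign of source ports being reused while pf still holds the old state is an assumption of this example.

```shell
#!/bin/sh
# Constructed snapshots in the layout printed by `pfctl -si` (values invented).
# On a live firewall: pfctl -si > before.txt; run the test; pfctl -si > after.txt
BEFORE='State Table                          Total             Rate
  current entries                     9800
  inserts                            21000           42.0/s
Counters
  match                              21500           43.0/s
  memory                                 0            0.0/s
  state-mismatch                        12            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s'

AFTER='State Table                          Total             Rate
  current entries                     9950
  inserts                            30000           45.1/s
Counters
  match                              30500           45.8/s
  memory                                 0            0.0/s
  state-mismatch                      3500            5.2/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s'

# pf_counter_deltas BEFORE_TEXT AFTER_TEXT
# Prints "name delta" for each entry of the Counters section that increased.
# Only the Counters section is read; State Table lines are skipped.
pf_counter_deltas() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/     { second = 1; in_counters = 0; next }  # snapshot separator
        /^Counters/ { in_counters = 1; next }
        /^[^ ]/     { in_counters = 0; next }              # any other section
        in_counters && NF >= 2 {
            if (!second) before[$1] = $2                   # remember first value
            else if ($2 - before[$1] > 0) print $1, $2 - before[$1]
        }'
}

# pf_counter_grew NAME BEFORE_TEXT AFTER_TEXT
# Exit status 0 if counter NAME increased between the two snapshots.
pf_counter_grew() {
    pf_counter_deltas "$2" "$3" | grep -q "^$1 "
}

pf_counter_deltas "$BEFORE" "$AFTER"
if pf_counter_grew state-mismatch "$BEFORE" "$AFTER"; then
    echo "state-mismatch grew during the test: check the pfctl -xm console output"
fi
```

If state-limit or memory grows instead, the table limits are the bottleneck rather than the test setup.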