[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netbsd-tech-net
Subject:    Re: squid proxy issue
From:       Stephen Borrill <netbsd () precedence ! co ! uk>
Date:       2010-11-09 11:50:31
Message-ID: Pine.NEB.4.64.1011091135560.1695 () ugly ! internal ! precedence ! co ! uk
[Download RAW message or body]

On Mon, 25 Oct 2010, Stephen Borrill wrote:
> On Fri, 22 Oct 2010, Joerg Sonnenberger wrote:
>> On Fri, Oct 22, 2010 at 11:01:03PM +0200, Manuel Bouyer wrote:
>>> Did you check if squid is hitting some ressource limit, maybe
>>> file descriptors ?
>> 
>> Or sockets in time wait state.
>
> Tuan (my co-worked) will correct me if I'm wrong, but it's proving to be an 
> ipfilter problem. With ipfilter disabled, there are literally zero errors (we 
> did up file descriptors to 8192 BTW).

For the record, this turned out to be exhaustion of the ipfilter state 
table.

From sys/dist/ipf/netinet/ip_state.h:

# define        IPSTATE_SIZE    5737
# define        IPSTATE_MAX     4013    /* Maximum number of states held */

These need to be primes with IPSTATE_MAX being about 70% of IPSTATE_SIZE. 
So I increased these by adding the following to my kernel config file:
options         IPSTATE_SIZE=30011
options         IPSTATE_MAX=21011

I've tracked the usage with:
ipfstat -sl | grep '^[^[:space:]]' | wc -l

I've seen it go up to 11k or so.

-- 
Stephen
[prev in list] [next in list] [prev in thread] [next in thread]