From owner-freebsd-pf@FreeBSD.ORG Sun Mar 3 22:48:02 2013
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id A80A5497 for ; Sun, 3 Mar 2013 22:48:02 +0000 (UTC) (envelope-from rsimmons0@gmail.com)
Received: from mail-ee0-f46.google.com (mail-ee0-f46.google.com [74.125.83.46]) by mx1.freebsd.org (Postfix) with ESMTP id 32976D3B for ; Sun, 3 Mar 2013 22:48:01 +0000 (UTC)
Received: by mail-ee0-f46.google.com with SMTP id e49so3574470eek.33 for ; Sun, 03 Mar 2013 14:47:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to:content-type; bh=nTPhjJyp+zlyP59gGBc65Hw5plmVnyHUKs9UG5fnI4A=; b=mpMXTDVZQHzwUhtK+IlnfwBVUa4sLOWtlRhDylovYp5UBt4qzE7NXjnUdHvFeLAgt0 ad90I4rTLQ5QFmULldMcWsMjIzLb4uIqfubaPTLmTnggwxfBZnbavSKVBnmNI4oUTD7X vjMdJMiEBM8Zu4XDNWy7eJVBDey+BNJEOPI0lsomM8oej4cIpiZOFHX20eqdq6FV3APC ZlMZdJOYAdG/1c2+d9kZuvhoY6JoBHtBIEHvewDnkB5DCUII6xIAjp07+pC3+PgGW5IM 9dEE+3mwlBo6NZS5QUaYNQu/1UTEAN/QkULtx1y4IWRBdXXHmmRnWrxTsBZe5Y07IkOF wj9Q==
MIME-Version: 1.0
X-Received: by 10.14.210.8 with SMTP id t8mr52423843eeo.35.1362350874845; Sun, 03 Mar 2013 14:47:54 -0800 (PST)
Received: by 10.14.98.65 with HTTP; Sun, 3 Mar 2013 14:47:54 -0800 (PST)
Date: Sun, 3 Mar 2013 17:47:54 -0500
Message-ID:
Subject: Using pf and Tor DNS port
From: Robert Simmons
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 03 Mar 2013 22:48:02 -0000

I am having problems setting up Tor's DNSPort using pf. In FreeBSD 8.x I was able to just run Tor with the "DNSPort 53" config file option with no problems. Now, with 9.1, when I run it with that option, I get a permission denied error when trying to bind port 53 on localhost. I assume this is from tighter reserved port restrictions: now you must be root. Running Tor as root is not recommended, so I'm trying to forward all traffic from localhost port 53 to port 9053 where I have Tor configured to listen now.

I created a second loopback like so:

ifconfig lo1 create up 127.0.0.2

I added the following two rules:

rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port 9053
pass out quick route-to lo1 inet proto udp to port domain keep state

The above is not working. Any suggestions?

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 11:06:47 2013
Date: Mon, 4 Mar 2013 11:06:47 GMT
Message-Id: <201303041106.r24B6lVo038857@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/176268  pf     [pf] [patch] synproxy not working with route-to
o kern/173659  pf     [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf     [patch] authpf(8) feature enhancement
o kern/172648  pf     [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf     [pf] PF problem with modulate state in [regression]
o kern/169630  pf     [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf     [pf] direction scrub rules don't work
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

49 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 11:21:40 2013
Date: Mon, 4 Mar 2013 12:09:34 +0100
From: Fabian Keil
To: Robert Simmons
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf and Tor DNS port
Message-ID: <20130304120934.1842869b@fabiankeil.de>

Robert Simmons wrote:

> I am having problems setting up Tor's DNSPort using pf. In FreeBSD
> 8.x I was able to just run Tor with the "DNSPort 53" config file
> option with no problems. Now, with 9.1, when I run it with that
> option, I get a permission denied error when trying to bind port 53 on
> localhost. I assume this is from tighter reserved port restrictions:
> now you must be root.

I'm reasonably sure that this was the default for 8.x as well. Are you sure you are using the same configuration?

> Running Tor as root is not recommended, so I'm
> trying to forward all traffic from localhost port 53 to port 9053
> where I have Tor configured to listen now.
>
> I created a second loopback like so:
> ifconfig lo1 create up 127.0.0.2
>
> I added the following two rules:
> rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port 9053
> pass out quick route-to lo1 inet proto udp to port domain keep state
>
> The above is not working. Any suggestions?

Without knowing how it's not working and what the rest of the rules look like, it's hard to come up with specific suggestions.

I don't need the port restrictions on my Tor-running systems and thus just set:

net.inet.ip.portrange.reservedhigh=52

and let Tor bind to 53 directly.

Fabian

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 12:20:52 2013
Date: Mon, 04 Mar 2013 12:10:36 +0000
From: "Muhammad Anwar Mohd Kassim"
To: freebsd-pf@freebsd.org
Subject: Last chance... Your invitation from Muhammad Anwar Mohd Kassim is about to expire

Hi,

Unlock new opportunities for you and your contacts.

Muhammad Anwar Mohd Kassim
Invite sent: 18 February, 2013

Join me on SkillPages

freebsd-pf@freebsd.org was invited to join SkillPages by Muhammad Anwar Mohd Kassim. To stop receiving emails from SkillPages click here.
© 2013 SkillPages, Blackrock Business Park, Dublin, Ireland and 228 Hamilton Avenue, 3rd Floor, Palo Alto, CA 94301.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 15:55:03 2013
Message-ID: <5134C218.6060701@incore.de>
Date: Mon, 04 Mar 2013 16:47:36 +0100
From: Andreas Longwitz
To: freebsd-pf@freebsd.org
Subject: Reloading pf rules breaks connections on lo0

I run FreeBSD 8 Stable with pf enabled and have the line

set skip on lo0

in my /etc/pf.conf. Reloading the pf rules with

pfctl -f /etc/pf.conf

breaks any active running connections on lo0. Example:

-> scp bigfile 127.0.0.1:bigfile.copy
bigfile                          10%   96MB  10.5MB/s   01:15 ETA
Write failed: Operation not permitted
lost connection

In pflog I see

15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0

I can avoid the break on active connections on lo0 using the commands

pfctl -d
pfctl -f /etc/pf.conf
pfctl -e

but this may break other things and is not what I want.

From man pf.conf, "set skip on ..":

  Packets passing in or out on such interfaces are passed as if pf was disabled, i.e. pf does not process them in any way.

I think this should be true for reloading the rules too.
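The report above shows pf logging blocks on lo0 even though pf.conf carries "set skip on lo0". The following added example (not code from the post and not part of FreeBSD) turns that observation into a check a practitioner can run after every rule reload: it reads the interfaces named by "set skip on" out of a pf.conf and flags any pflog record whose interface is on that list. The pf.conf fragment is constructed; the first two pflog lines are the ones from the report, the third is a constructed line on em0 that must not be flagged. The parser takes the text summary form shown in the post, not the binary pflog file.

```python
"""Flag pflog records on interfaces that pf.conf tells pf to skip.

Added example; not from the original post or from FreeBSD. The pf.conf
fragment is constructed, the pflog text is in the summary form shown above.
"""
import re

# Constructed pf.conf fragment. "set skip on" may name one interface or a
# brace-delimited list of them.
PF_CONF = """\
set skip on { lo0 lo1 }
set limit states 100000
block log all
pass out keep state
"""

# Two lines from the report above plus one constructed line on em0.
PFLOG = """\
15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
15:33:38.000001 10.0.0.5 -> 10.0.0.9 TCP 60 [block em0/3] 44321 > http [SYN] Seq=0 Win=65535 Len=0
"""

# "set skip on lo0" or "set skip on { lo0 lo1 }", one per line.
SKIP_RE = re.compile(r"^\s*set\s+skip\s+on\s+(\{[^}]*\}|\S+)", re.M)
# "[block lo0/0]": action, interface, rule number.
ACTION_RE = re.compile(r"\[(block|pass|match)\s+([A-Za-z0-9_.]+)/(\d+)\]")


def skipped_interfaces(pf_conf):
    """Return the set of interface names given to every 'set skip on'."""
    names = set()
    for m in SKIP_RE.finditer(pf_conf):
        spec = m.group(1).strip("{} ")
        names.update(spec.replace(",", " ").split())
    return names


def parse_pflog_line(line):
    """Return (timestamp, action, interface, rule_number), or None if the
    line carries no pf action field."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    return (line.split()[0], m.group(1), m.group(2), int(m.group(3)))


def skip_violations(pf_conf, pflog_text):
    """Records on interfaces pf was told to skip. Any hit means pf processed
    (here: blocked) traffic on an exempt interface, which is what the report
    above observed during 'pfctl -f'."""
    skipped = skipped_interfaces(pf_conf)
    hits = []
    for line in pflog_text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec[2] in skipped:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for ts, action, ifname, rule in skip_violations(PF_CONF, PFLOG):
        print(f"{ts}: pf {action} on skipped interface {ifname} (rule {rule})")
```

Feeding this the log window around a reload gives a yes/no answer to "did pf touch a skipped interface", which is easier to act on than watching scp sessions die.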
-- 
Andreas Longwitz

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 20:54:10 2013
Message-ID: <51350800.2070803@cyberleo.net>
Date: Mon, 04 Mar 2013 14:45:52 -0600
From: CyberLeo Kitsana
To: Robert Simmons
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf and Tor DNS port

On 03/03/2013 04:47 PM, Robert Simmons wrote:
> I am having problems setting up Tor's DNSPort using pf. In FreeBSD
> 8.x I was able to just run Tor with the "DNSPort 53" config file
> option with no problems. Now, with 9.1, when I run it with that
> option, I get a permission denied error when trying to bind port 53 on
> localhost. I assume this is from tighter reserved port restrictions:
> now you must be root. Running Tor as root is not recommended, so I'm
> trying to forward all traffic from localhost port 53 to port 9053
> where I have Tor configured to listen now.
>
> I created a second loopback like so:
> ifconfig lo1 create up 127.0.0.2
>
> I added the following two rules:
> rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port 9053
> pass out quick route-to lo1 inet proto udp to port domain keep state
>
> The above is not working. Any suggestions?

I'm pretty sure any traffic that both originates and targets addresses on the same machine will pass over lo0, regardless of which interface possesses the addresses. Try attaching your rdr rule to lo0 instead?

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Furry Peace! - http://wwww.fur.com/peace/

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 21:15:27 2013
Date: Mon, 4 Mar 2013 21:12:11 -0000
Subject: Using pf and Tor DNS port
From: kentavez@tormail.org
To: cyberleo@cyberleo.net
Message-Id: <1UCcg7-000PZl-Pj@internal.tormail.org>
Cc: freebsd-pf@freebsd.org

On Mon, Mar 4, 2013 at 3:45 PM, CyberLeo Kitsana wrote:
> --
> Fuzzy love,
>
> Furry Peace! - http://wwww.fur.com/peace/

Can you please keep this kind of stuff off our lists? Thanks.

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 6 12:09:25 2013
From: "Bela-Bela Tourism"
To: freebsd-pf@freebsd.org
Subject: Drive A New Car from R499 P/M
Date: Wed, 6 Mar 2013 13:50:07 +0200

Please can a consultant call me re a new car/ Bakkie

Amanda Moco
Marketing & Events Officer / Manageress
Bela-Bela Tourism
A1 Bela-Bela Waterfront, Bela-Bela
P.O. Box 204, Bela-Bela, 0480
Tel: 014 736 3694
Fax: 086 604 7430
Cell: 078 797 8300 / 082 221 0197
Email: enquiries@belabelatourism.co.za
Website: www.belabelatourism.co.za

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 8 19:12:53 2013
Message-ID: <513A3834.8060504@delphij.net>
Date: Fri, 08 Mar 2013 11:12:52 -0800
From: Xin Li
Organization: The FreeBSD Project
To: freebsd-pf@FreeBSD.org
Subject: Fwd: [patch] Source entries removing is awfully slow.
References: <201303081419.17743.vegeta@tuxpowered.net>
In-Reply-To: <201303081419.17743.vegeta@tuxpowered.net>
Reply-To: d@delphij.net

Hi,

This sounds interesting, could someone, please, review this patch and see if it's appropriate? Thanks in advance!

-------- Original Message --------
Subject: [patch] Source entries removing is awfully slow.
Date: Fri, 8 Mar 2013 14:19:17 +0100
From: Kajetan Staszkiewicz
To: freebsd-net@freebsd.org

Hello there!

In my environment, where I use FreeBSD machines as loadbalancers, after a server is detected as dead, loadbalancer removes the broken server from a table used in route-to pf rule and then removes Source entries pointing clients to that server, so clients previously assigned to the broken server are re-loadbalanced to alive servers.

Each loadbalancer has around 50k Source and 500k State entries. Under those conditions removing a Source from anywhere to a dead server with `pfctl -K 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds (or even up to a minute in other datacenter segment, where different services are served, causing thousands instead of just a few hundred States to be matched). Under a DDoS attack, when removing Sources to a server under attack, kernel freezes permanently (I gave up after 10 minutes waiting and restarted the machine).

A patch fixing the issue can be found here:

http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch

-- 
| regards / greetings    | powered by Debian, CentOS and FreeBSD   |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net    |
| Vegeta                 | www: http://vegeta.tuxpowered.net       |
`------------------------^-----------------------------------------'

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 8 20:11:50 2013
Date: Fri, 8 Mar 2013 21:11:43 +0100
From: Ermal Luçi
To: Kajetan Staszkiewicz
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: [patch] Source entries removing is awfully slow.
In-Reply-To: <201303081419.17743.vegeta@tuxpowered.net>
References: <201303081419.17743.vegeta@tuxpowered.net>

Is this FreeBSD 9.x or HEAD?

On Fri, Mar 8, 2013 at 2:19 PM, Kajetan Staszkiewicz wrote:
> Hello there!
>
> In my environment, where I use FreeBSD machines as loadbalancers, after a
> server is detected as dead, loadbalancer removes the broken server from a
> table used in route-to pf rule and then removes Source entries pointing
> clients to that server, so clients previously assigned to the broken
> server are re-loadbalanced to alive servers.
>
> Each loadbalancer has around 50k Source and 500k State entries. Under those
> conditions removing a Source from anywhere to a dead server with `pfctl -K
> 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds
> (or even up to a minute in other datacenter segment, where different
> services are served, causing thousands instead of just a few hundred States
> to be matched). Under a DDoS attack, when removing Sources to a server
> under attack, kernel freezes permanently (I gave up after 10 minutes
> waiting and restarted the machine).
>
> A patch fixing the issue can be found here:
>
> http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch
>
> --
> | regards / greetings    | powered by Debian, CentOS and FreeBSD   |
> | Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net    |
> | Vegeta                 | www: http://vegeta.tuxpowered.net       |
> `------------------------^-----------------------------------------'
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 8 20:51:11 2013
From: Kajetan Staszkiewicz
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 8 Mar 2013 21:51:00 +0100
Subject: Re: [patch] Source entries removing is awfully slow.

On Friday, 8 March 2013 at 21:11:43 Ermal Luçi wrote:
> Is this FreeBSD 9.x or HEAD?

I found the problem and developed the patch on 9.1.

--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 9 12:14:25 2013
From: Ermal Luçi
To: Kajetan Staszkiewicz
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 9 Mar 2013 13:14:16 +0100
Subject: Re: [patch] Source entries removing is awfully slow.

On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz wrote:
> On Friday, 8 March 2013 at 21:11:43 Ermal Luçi wrote:
> > Is this FreeBSD 9.x or HEAD?
>
> I found the problem and developed the patch on 9.1.
>

Can you please test this more 'beautiful' patch.
It's similar to yours but also delays src state removal to the proper purge
thread.

Though the src node removal option through pfctl -K does a lot of job to
cleanup things.
Still need to understand why it takes so much time for you to loop through
500K states.
The purge thread does that every tick by partitioning it to a few per time
slot but still minutes is way long.

Can you please try to give a top -SH view of the time when this happens and
a pfctl -vvsa output?
> --
> | pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
> | Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
> | Vegeta | www: http://vegeta.tuxpowered.net |
> `------------------------^---------------------------------------'

--
Ermal

Content-Type: application/octet-stream; name="state_unlink_optimization2.diff"
Content-Disposition: attachment; filename="state_unlink_optimization2.diff"
Content-Transfer-Encoding: base64

ZGlmZiAtLWdpdCBhL3N5cy9jb250cmliL3BmL25ldC9wZi5jIGIvc3lzL2NvbnRyaWIvcGYvbmV0 L3BmLmMKaW5kZXggOWZiMDVhZS4uNGRmNDBjYyAxMDA2NDQKLS0tIGEvc3lzL2NvbnRyaWIvcGYv bmV0L3BmLmMKKysrIGIvc3lzL2NvbnRyaWIvcGYvbmV0L3BmLmMKQEAgLTcyMCw2ICs3MjAsOSBA QCBwZl9pbnNlcnRfc3JjX25vZGUoc3RydWN0IHBmX3NyY19ub2RlICoqc24sIHN0cnVjdCBwZl9y dWxlICpydWxlLAogCQkgICAgcnVsZS0+bWF4X3NyY19jb25uX3JhdGUubGltaXQsCiAJCSAgICBy dWxlLT5tYXhfc3JjX2Nvbm5fcmF0ZS5zZWNvbmRzKTsKIAorI2lmZGVmIF9fRnJlZUJTRF9fCisJ CVRBSUxRX0lOSVQoJigqc24pLT5zdGF0ZV9saXN0KTsKKyNlbmRpZgogCQkoKnNuKS0+YWYgPSBh ZjsKIAkJaWYgKHJ1bGUtPnJ1bGVfZmxhZyAmIFBGUlVMRV9SVUxFU1JDVFJBQ0sgfHwKIAkJICAg IHJ1bGUtPnJwb29sLm9wdHMgJiBQRl9QT09MX1NUSUNLWUFERFIpCkBAIC0xNDUzLDYgKzE0NTYs OSBAQCBwZl9wdXJnZV9leHBpcmVkX3NyY19ub2RlcyhpbnQgd2FzbG9ja2VkKQogI2VuZGlmCiB7 CiAJc3RydWN0IHBmX3NyY19ub2RlCQkqY3VyLCAqbmV4dDsKKyNpZmRlZiBfX0ZyZWVCU0RfXwor CXN0cnVjdCBwZl9zdGF0ZQkJCSpzOworI2VuZGlmCiAJaW50CQkJCSBsb2NrZWQgPSB3YXNsb2Nr ZWQ7CiAKICNpZmRlZiBfX0ZyZWVCU0RfXwpAQCAtMTQ4Niw2ICsxNDkyLDEyIEBAIHBmX3B1cmdl X2V4cGlyZWRfc3JjX25vZGVzKGludCB3YXNsb2NrZWQpCiAJCQkJCXBmX3JtX3J1bGUoTlVMTCwg Y3VyLT5ydWxlLnB0cik7CiAJCQl9CiAjaWZkZWYgX19GcmVlQlNEX18KKwkJCXdoaWxlICghVEFJ TFFfRU1QVFkoJmN1ci0+c3RhdGVfbGlzdCkpIHsKKwkJCQlzID0gVEFJTFFfRklSU1QoJmN1ci0+ c3RhdGVfbGlzdCk7CisJCQkJVEFJTFFfUkVNT1ZFKCZjdXItPnN0YXRlX2xpc3QsIHMsIHNyY25v ZGVfbGluayk7CisJCQkJcy0+c3JjX25vZGUgPSBOVUxMOworCQkJCXMtPm5hdF9zcmNfbm9kZSA9 IE5VTEw7CisJCQl9CiAJCQlSQl9SRU1PVkUocGZfc3JjX3RyZWUsICZWX3RyZWVfc3JjX3RyYWNr
aW5nLCBjdXIpOwogCQkJVl9wZl9zdGF0dXMuc2NvdW50ZXJzW1NDTlRfU1JDX05PREVfUkVNT1ZB TFNdKys7CiAJCQlWX3BmX3N0YXR1cy5zcmNfbm9kZXMtLTsKQEAgLTE1MjksNiArMTU0MSwxMCBA QCBwZl9zcmNfdHJlZV9yZW1vdmVfc3RhdGUoc3RydWN0IHBmX3N0YXRlICpzKQogI2VuZGlmCiAJ CQlzLT5zcmNfbm9kZS0+ZXhwaXJlID0gdGltZV9zZWNvbmQgKyB0aW1lb3V0OwogCQl9CisjaWZk ZWYgX19GcmVlQlNEX18KKwkJaWYgKCFUQUlMUV9FTVBUWSgmcy0+c3JjX25vZGUtPnN0YXRlX2xp c3QpKQorCQkJVEFJTFFfUkVNT1ZFKCZzLT5zcmNfbm9kZS0+c3RhdGVfbGlzdCwgcywgc3Jjbm9k ZV9saW5rKTsKKyNlbmRpZgogCX0KIAlpZiAocy0+bmF0X3NyY19ub2RlICE9IHMtPnNyY19ub2Rl ICYmIHMtPm5hdF9zcmNfbm9kZSAhPSBOVUxMKSB7CiAJCWlmICgtLXMtPm5hdF9zcmNfbm9kZS0+ c3RhdGVzIDw9IDApIHsKQEAgLTE1NDIsNiArMTU1OCwxMCBAQCBwZl9zcmNfdHJlZV9yZW1vdmVf c3RhdGUoc3RydWN0IHBmX3N0YXRlICpzKQogI2VuZGlmCiAJCQlzLT5uYXRfc3JjX25vZGUtPmV4 cGlyZSA9IHRpbWVfc2Vjb25kICsgdGltZW91dDsKIAkJfQorI2lmZGVmIF9fRnJlZUJTRF9fCisJ CWlmICghVEFJTFFfRU1QVFkoJnMtPm5hdF9zcmNfbm9kZS0+c3RhdGVfbGlzdCkpCisJCQlUQUlM UV9SRU1PVkUoJnMtPm5hdF9zcmNfbm9kZS0+c3RhdGVfbGlzdCwgcywgc3Jjbm9kZV9saW5rKTsK KyNlbmRpZgogCX0KIAlzLT5zcmNfbm9kZSA9IHMtPm5hdF9zcmNfbm9kZSA9IE5VTEw7CiB9CkBA IC0zOTQ5LDggKzM5NjksMTggQEAgcGZfY3JlYXRlX3N0YXRlKHN0cnVjdCBwZl9ydWxlICpyLCBz dHJ1Y3QgcGZfcnVsZSAqbnIsIHN0cnVjdCBwZl9ydWxlICphLAogCQlwb29sX3B1dCgmcGZfc3Rh dGVfcGwsIHMpOwogI2VuZGlmCiAJCXJldHVybiAoUEZfRFJPUCk7CisjaWZkZWYgX19GcmVlQlNE X18KKwl9IGVsc2UgeworCQlpZiAoc24gIT0gTlVMTCkKKwkJCVRBSUxRX0lOU0VSVF9IRUFEKCZz bi0+c3RhdGVfbGlzdCwgcywgc3Jjbm9kZV9saW5rKTsKKwkJaWYgKG5zbiAhPSBOVUxMKQorCQkJ VEFJTFFfSU5TRVJUX0hFQUQoJm5zbi0+c3RhdGVfbGlzdCwgcywgc3Jjbm9kZV9saW5rKTsKKwkJ KnNtID0gczsKKwl9CisjZWxzZQogCX0gZWxzZQogCQkqc20gPSBzOworI2VuZGlmCiAKIAlwZl9z ZXRfcnRfaWZwKHMsIHBkLT5zcmMpOwkvKiBuZWVkcyBzLT5zdGF0ZV9rZXkgc2V0ICovCiAJaWYg KHRhZyA+IDApIHsKZGlmZiAtLWdpdCBhL3N5cy9jb250cmliL3BmL25ldC9wZl9pb2N0bC5jIGIv c3lzL2NvbnRyaWIvcGYvbmV0L3BmX2lvY3RsLmMKaW5kZXggM2IxMzBlNS4uMjg2NGU5YSAxMDA2 NDQKLS0tIGEvc3lzL2NvbnRyaWIvcGYvbmV0L3BmX2lvY3RsLmMKKysrIGIvc3lzL2NvbnRyaWIv 
cGYvbmV0L3BmX2lvY3RsLmMKQEAgLTM3ODksNyArMzc4OSw5IEBAIHBmaW9jdGwoZGV2X3QgZGV2 LCB1X2xvbmcgY21kLCBjYWRkcl90IGFkZHIsIGludCBmbGFncywgc3RydWN0IHByb2MgKnApCiAK IAljYXNlIERJT0NLSUxMU1JDTk9ERVM6IHsKIAkJc3RydWN0IHBmX3NyY19ub2RlCSpzbjsKKyNp Zm5kZWYgX19GcmVlQlNEX18KIAkJc3RydWN0IHBmX3N0YXRlCQkqczsKKyNlbmRpZgogCQlzdHJ1 Y3QgcGZpb2Nfc3JjX25vZGVfa2lsbCAqcHNuayA9CiAJCSAgICAoc3RydWN0IHBmaW9jX3NyY19u b2RlX2tpbGwgKilhZGRyOwogCQl1X2ludAkJCWtpbGxlZCA9IDA7CkBAIC0zODA4LDYgKzM4MTAs NyBAQCBwZmlvY3RsKGRldl90IGRldiwgdV9sb25nIGNtZCwgY2FkZHJfdCBhZGRyLCBpbnQgZmxh Z3MsIHN0cnVjdCBwcm9jICpwKQogCQkJCSZwc25rLT5wc25rX2RzdC5hZGRyLnYuYS5tYXNrLAog CQkJCSZzbi0+cmFkZHIsIHNuLT5hZikpIHsKIAkJCQkvKiBIYW5kbGUgc3RhdGUgdG8gc3JjX25v ZGUgbGlua2FnZSAqLworI2lmbmRlZiBfX0ZyZWVCU0RfXyAKIAkJCQlpZiAoc24tPnN0YXRlcyAh PSAwKSB7CiAJCQkJCVJCX0ZPUkVBQ0gocywgcGZfc3RhdGVfdHJlZV9pZCwKICNpZmRlZiBfX0Zy ZWVCU0RfXwpAQCAtMzgyMiwxMyArMzgyNSwxNiBAQCBwZmlvY3RsKGRldl90IGRldiwgdV9sb25n IGNtZCwgY2FkZHJfdCBhZGRyLCBpbnQgZmxhZ3MsIHN0cnVjdCBwcm9jICpwKQogCQkJCQl9CiAJ CQkJCXNuLT5zdGF0ZXMgPSAwOwogCQkJCX0KKyNlbmRpZgogCQkJCXNuLT5leHBpcmUgPSAxOwog CQkJCWtpbGxlZCsrOwogCQkJfQogCQl9CiAKKyNpZiAwCiAJCWlmIChraWxsZWQgPiAwKQogCQkJ cGZfcHVyZ2VfZXhwaXJlZF9zcmNfbm9kZXMoMSk7CisjZW5kaWYKIAogCQlwc25rLT5wc25rX2tp bGxlZCA9IGtpbGxlZDsKIAkJYnJlYWs7CmRpZmYgLS1naXQgYS9zeXMvY29udHJpYi9wZi9uZXQv cGZ2YXIuaCBiL3N5cy9jb250cmliL3BmL25ldC9wZnZhci5oCmluZGV4IGRhYjcwYzUuLmUzMWQz OWQgMTAwNjQ0Ci0tLSBhL3N5cy9jb250cmliL3BmL25ldC9wZnZhci5oCisrKyBiL3N5cy9jb250 cmliL3BmL25ldC9wZnZhci5oCkBAIC03MzksNiArNzM5LDkgQEAgc3RydWN0IHBmX3NyY19ub2Rl IHsKIAlzdHJ1Y3QgcGZfYWRkcgkgcmFkZHI7CiAJdW5pb24gcGZfcnVsZV9wdHIgcnVsZTsKIAlz dHJ1Y3QgcGZpX2tpZgkqa2lmOworI2lmZGVmIF9fRnJlZUJTRF9fCisJVEFJTFFfSEVBRCgsIHBm X3N0YXRlKQlzdGF0ZV9saXN0OworI2VuZGlmCiAJdV9pbnQ2NF90CSBieXRlc1syXTsKIAl1X2lu dDY0X3QJIHBhY2tldHNbMl07CiAJdV9pbnQzMl90CSBzdGF0ZXM7CkBAIC04NDAsNiArODQzLDkg QEAgc3RydWN0IHBmX3N0YXRlIHsKIAogCVRBSUxRX0VOVFJZKHBmX3N0YXRlKQkgc3luY19saXN0 
OwogCVRBSUxRX0VOVFJZKHBmX3N0YXRlKQkgZW50cnlfbGlzdDsKKyNpZmRlZiBfX0ZyZWVCU0Rf XworCVRBSUxRX0VOVFJZKHBmX3N0YXRlKQkgc3Jjbm9kZV9saW5rOworI2VuZGlmCiAJUkJfRU5U UlkocGZfc3RhdGUpCSBlbnRyeV9pZDsKIAlzdHJ1Y3QgcGZfc3RhdGVfcGVlcgkgc3JjOwogCXN0 cnVjdCBwZl9zdGF0ZV9wZWVyCSBkc3Q7Cg==

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 9 12:15:05 2013
From: Ermal Luçi
To: Kajetan Staszkiewicz
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 9 Mar 2013 13:15:04 +0100
Subject: Re: [patch] Source entries removing is awfully slow.

Also do not forget to rebuild pfctl so that statistics are shown correctly.

On Sat, Mar 9, 2013 at 1:14 PM, Ermal Luçi wrote:
> On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz <vegeta@tuxpowered.net> wrote:
>> On Friday, 8 March 2013 at 21:11:43 Ermal Luçi wrote:
>> > Is this FreeBSD 9.x or HEAD?
>>
>> I found the problem and developed the patch on 9.1.
>>
> Can you please test this more 'beautiful' patch.
> It's similar to yours but also delays src state removal to the proper purge
> thread.
>
> Though the src node removal option through pfctl -K does a lot of job to
> cleanup things.
> Still need to understand why it takes so much time for you to loop through
> 500K states.
> The purge thread does that every tick by partitioning it to a few per time
> slot but still minutes is way long.
>
> Can you please try to give a top -SH view of the time when this happens
> and a pfctl -vvsa output?
>
>> --
>> | pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
>> | Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
>> | Vegeta | www: http://vegeta.tuxpowered.net |
>> `------------------------^---------------------------------------'
>
> --
> Ermal

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 9 13:37:57 2013
From: Kajetan Staszkiewicz
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 9 Mar 2013 14:37:51 +0100
Subject: Re: [patch] Source entries removing is awfully slow.

On Saturday, 9 March 2013 at 13:14:16 Ermal Luçi wrote:
> On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz wrote:
> > On Friday, 8 March 2013 at 21:11:43 Ermal Luçi wrote:
> > > Is this FreeBSD 9.x or HEAD?
> >
> > I found the problem and developed the patch on 9.1.
> >
> Can you please test this more 'beautiful' patch.

Oh, somehow I did not notice an existing implementation for doubly linked list.
I'm quite new to kernel programming.

> It's similar to yours but also delays src state removal to the proper purge
> thread.

I'll try it right after the weekend.

> Though the src node removal option through pfctl -K does a lot of job to
> cleanup things
> Still need to understand why it takes so much time for you to loop through
> 500K states.

That is because the loop will not be called just once.
`pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer` will
match multiple Source entries, up to a thousand of them in normal conditions
("normal" for my loadbalancers) and many many more when under a DDoS attack.
> The purge thread does that every tick by partitioning it to a few per time
> slot but still minutes is way long.
>
> Can you please try to give a top -SH view of the time when this happens and
> a pfctl -vvsa output?

I'll try on Monday, although as far as I remember the machine was quite frozen
during this operation.

--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 9 15:11:57 2013
From: Ermal Luçi
To: Kajetan Staszkiewicz
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 9 Mar 2013 16:11:56 +0100
Subject: Re: [patch] Source entries removing is awfully slow.

On Sat, Mar 9, 2013 at 2:37 PM, Kajetan Staszkiewicz wrote:
> On Saturday, 9 March 2013 at 13:14:16 Ermal Luçi wrote:
> > On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz wrote:
> > > On Friday, 8 March 2013 at 21:11:43 Ermal Luçi wrote:
> > > > Is this FreeBSD 9.x or HEAD?
> > >
> > > I found the problem and developed the patch on 9.1.
> > >
> > Can you please test this more 'beautiful' patch.
>
> Oh, somehow I did not notice an existing implementation for doubly linked
> list.
> I'm quite new to kernel programming.
>
> > It's similar to yours but also delays src state removal to the proper
> > purge thread.
>
> I'll try it right after the weekend.
>
> > Though the src node removal option through pfctl -K does a lot of job to
> > cleanup things
> > Still need to understand why it takes so much time for you to loop through
> > 500K states.
>
> That is because the loop will not be called just once.
>
> `pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer`
> will match multiple Source entries, up to a thousand of them in normal
> conditions ("normal" for my loadbalancers) and many many more when under a
> DDoS attack.
>

I would expect from proper software to kill states from those clients and
then kill the srcnode for the backend server.
It does not make proper sense to not kill state before src nodes since that
is what will impact your connectivity.

Though the patch improves your use case a lot still would be better to even
kill those states during this step, with an extra option,
since otherwise you'd have to create for each of those clients a separate
request.
Do you control the application to test an extra addition to this patch to
allow killing the linked states as well?

> > The purge thread does that every tick by partitioning it to a few per
> > time slot but still minutes is way long.
> >
> > Can you please try to give a top -SH view of the time when this happens
> > and a pfctl -vvsa output?
>
> I'll try on Monday, although as far as I remember the machine was quite
> frozen during this operation.
>
> --
> | pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
> | Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
> | Vegeta | www: http://vegeta.tuxpowered.net |
> `------------------------^---------------------------------------'

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 9 16:15:48 2013
From: Kajetan Staszkiewicz
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 9 Mar 2013 17:15:42 +0100
Subject: Re: [patch] Source entries removing is awfully slow.

On Saturday, 9 March 2013 at 16:11:56 you wrote:
> > > Though the src node removal option through pfctl -K does a lot of job
> > > to cleanup things
> > > Still need to understand why it takes so much time for you to loop
> > > through 500K states.
> >
> > That is because the loop will not be called just once.
> >
> > `pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer`
> > will match multiple Source entries, up to a thousand of them in normal
> > conditions ("normal" for my loadbalancers) and many many more when under
> > a DDoS attack.
>
> I would expect from proper software to kill states from those clients and
> then kill the srcnode for the backend server.

First of all, I do not know which clients are affected. I know which server is
dead. But I cannot remove states to this server using pfctl, as states are
from clients' public IP addresses to loadbalancer's public IP address. Sources
on the other hand point to the internal IP address of the broken server.

And the second thing is, that under normal conditions removing just a bit of
states would not help the performance. Also the server health checking software
is unaware of DDoS attacks and will not remove states resulting from the attack
in advance.

> It does not make proper sense to not kill state before src nodes since that
> is what will impact your connectivity.

I agree, it only makes sense to remove both sources and linked states at the
same time. With removing sources only, states are still pointing to the broken
server and clients are still connected to it in existing TCP connections. If
states were also removed, clients would lose all connectivity (which I prefer
rather than them seeing wrong data) and (hopefully) reconnect to another live
server.

> Though the patch improves your use case a lot still would be better to even
> kill those states during this step, with an extra option,
> since otherwise you'd have to create for each of those clients a separate
> request.

That would be in an updated version of the patch I hope to send to the list on
Monday.

--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
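The cost the thread is arguing about, as an added example in C that is not the pf source, the attached patch, or either poster's code: a toy table of src nodes and states, with the pre-patch lookup (walk the whole state table once for every src node that `pfctl -K` matched) beside the per-node state list the patch introduces, plus the "kill the linked states as well" option discussed above. The structure and field names (src_node, pf_state, state_list, node_prev/node_next, kill_result, demo) are simplified analogues chosen for this example, the table contents are constructed, and the visit counters are instrumentation the kernel does not have; the real lists in pf are built with the TAILQ macros from sys/queue.h, which this example replaces with plain pointers so it compiles anywhere.

```c
/* Added toy model (not pf code) of the cost discussed in this thread: a src
 * node pins one client to a backend and each state created through it points
 * back at the node, so "pfctl -K <any> -K <backend>" must detach the states of
 * every matching node. Pre-patch that walked the whole state table once per
 * node; the patch keeps a per-node list instead (plain prev/next pointers here). */
#include <stdio.h>
#include <stdlib.h>

struct src_node {                 /* toy analogue of struct pf_src_node */
    unsigned int raddr, states;   /* backend address; states referencing this node */
    int expired;                  /* marked for the purge thread */
    struct pf_state *state_list;  /* head of the per-node state list */
};
struct pf_state {                 /* toy analogue of struct pf_state */
    struct src_node *src_node;    /* NULL once detached from its node */
    struct pf_state *node_prev, *node_next;
    int killed;
};
struct toy_pf { struct src_node *nodes; struct pf_state *states; size_t nnodes, nstates; };
struct kill_result { unsigned int nodes_killed, states_unlinked, states_killed; unsigned long states_visited; };

static void node_link_state(struct src_node *sn, struct pf_state *s)
{
    s->src_node = sn; s->node_prev = NULL; s->node_next = sn->state_list;
    if (sn->state_list != NULL) sn->state_list->node_prev = s;
    sn->state_list = s; sn->states++;
}
static void node_unlink_state(struct src_node *sn, struct pf_state *s)
{
    if (s->node_prev != NULL) s->node_prev->node_next = s->node_next;
    else sn->state_list = s->node_next;
    if (s->node_next != NULL) s->node_next->node_prev = s->node_prev;
    s->node_prev = s->node_next = NULL; s->src_node = NULL; sn->states--;
}

/* Pre-patch shape: a matching node's states are found by walking the entire
 * state table (the per-node list is ignored), so cost is (matching nodes) x (all states). */
static struct kill_result kill_src_nodes_scan(struct toy_pf *pf, unsigned int raddr)
{
    struct kill_result r = {0, 0, 0, 0};
    size_t i, k;
    for (i = 0; i < pf->nnodes; i++) {
        struct src_node *sn = &pf->nodes[i];
        if (sn->raddr != raddr || sn->expired) continue;
        if (sn->states != 0)
            for (k = 0; k < pf->nstates; k++) {
                r.states_visited++;
                if (pf->states[k].src_node == sn) { node_unlink_state(sn, &pf->states[k]); r.states_unlinked++; }
            }
        sn->expired = 1; r.nodes_killed++;
    }
    return r;
}

/* With the per-node list only the node's own states are touched. kill_states models
 * the extra option proposed in the thread: drop those states too, so clients reconnect. */
static struct kill_result kill_src_nodes_linked(struct toy_pf *pf, unsigned int raddr, int kill_states)
{
    struct kill_result r = {0, 0, 0, 0};
    size_t i;
    for (i = 0; i < pf->nnodes; i++) {
        struct src_node *sn = &pf->nodes[i];
        if (sn->raddr != raddr || sn->expired) continue;
        while (sn->state_list != NULL) {
            struct pf_state *s = sn->state_list;
            r.states_visited++;
            node_unlink_state(sn, s); r.states_unlinked++;
            if (kill_states) { s->killed = 1; r.states_killed++; }
        }
        sn->expired = 1; r.nodes_killed++;
    }
    return r;
}

/* Build a constructed sample table (nnodes clients round-robin over `backends` servers,
 * per_node states each) and run one kill with either strategy; linked != 0 picks the list. */
static struct kill_result demo(int linked, int kill_states, size_t nnodes, size_t per_node,
                               unsigned int backends, unsigned int raddr)
{
    struct kill_result r = {0, 0, 0, 0};
    struct toy_pf pf = {NULL, NULL, nnodes, nnodes * per_node};
    size_t i, j;
    pf.nodes = calloc(pf.nnodes, sizeof(*pf.nodes));
    pf.states = calloc(pf.nstates, sizeof(*pf.states));
    if (backends != 0 && pf.nodes != NULL && pf.states != NULL) {
        for (i = 0; i < nnodes; i++) {
            pf.nodes[i].raddr = (unsigned int)(i % backends);
            for (j = 0; j < per_node; j++)
                node_link_state(&pf.nodes[i], &pf.states[i * per_node + j]);
        }
        r = linked ? kill_src_nodes_linked(&pf, raddr, kill_states) : kill_src_nodes_scan(&pf, raddr);
    }
    free(pf.nodes); free(pf.states);
    return r;
}

int main(void)
{   /* scaled down from the thread's 50k nodes / 500k states: kill backend 0 of 4 */
    struct kill_result a = demo(0, 0, 5000, 10, 4, 0), b = demo(1, 1, 5000, 10, 4, 0);
    printf("scan: %lu state visits for %u nodes; linked: %lu visits, %u states killed\n",
           a.states_visited, a.nodes_killed, b.states_visited, b.states_killed);
    return 0;
}
```

With 100 clients holding 10 states each over 4 backends, killing one backend matches 25 src nodes: the scan touches 25 x 1000 = 25,000 state entries while the linked version touches 250, which is the difference between a loop over the whole state tree per matched node and a loop over that node's own states. The scan strategy only detaches states, matching the behaviour the thread describes; dropping them as well is what kill_states adds.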