From: Xin Li
Organization: The FreeBSD Project
To: freebsd-pf@FreeBSD.org
Date: Fri, 08 Mar 2013 11:12:52 -0800
Subject: Fwd: [patch] Source entries removing is awfully slow.
Message-ID: <513A3834.8060504@delphij.net>
References: <201303081419.17743.vegeta@tuxpowered.net>
In-Reply-To: <201303081419.17743.vegeta@tuxpowered.net>
Reply-To: d@delphij.net
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

This sounds interesting, could someone, please, review this patch and see if it's appropriate?

Thanks in advance!

-------- Original Message --------
Subject: [patch] Source entries removing is awfully slow.
Date: Fri, 8 Mar 2013 14:19:17 +0100
From: Kajetan Staszkiewicz
To: freebsd-net@freebsd.org

Hello there!

In my environment, where I use FreeBSD machines as loadbalancers, after a server is detected as dead, the loadbalancer removes the broken server from a table used in a route-to pf rule and then removes Source entries pointing clients to that server, so clients previously assigned to the broken server are re-loadbalanced to alive servers.

Each loadbalancer has around 50k Source and 500k State entries. Under those conditions removing a Source from anywhere to a dead server with `pfctl -K 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds (or even up to a minute in another datacenter segment, where different services are served, causing thousands instead of just a few hundred States to be matched). Under a DDoS attack, when removing Sources to a server under attack, the kernel freezes permanently (I gave up after 10 minutes waiting and restarted the machine).
A patch fixing the issue can be found here:

http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch

--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
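The failover sequence the forwarded message describes (drop the dead server from the route-to table, then kill every source-tracking entry from any client to it) as an added shell example; this is not code from the thread or from the patch. The table name `web_servers`, the address `10.0.0.5` and the `PFCTL` override used for testing are assumptions; the `pfctl -t ... -T delete` and double `-K` invocations are the standard pfctl forms. The function times the `-K` step, which is the part reported as slow, so an operator can see how long the kernel spends matching states for a given server.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the linked patch.
# PFCTL can be pointed at a stand-in command (assumption) so the sequence
# can be exercised without a live pf; it defaults to the real pfctl.
PFCTL="${PFCTL:-pfctl}"

# remove_dead_server TABLE IPV4
#   1. drop IPV4 from TABLE, the table the route-to rule balances over
#   2. kill every source-tracking entry from any client (0.0.0.0/0) to IPV4,
#      so sticky clients are re-balanced onto servers that are still alive
# Prints the wall-clock seconds step 2 took; returns 2 on a malformed address,
# 1 if either pfctl call fails.
remove_dead_server() {
    table="$1"
    ip="$2"
    # accept only dotted IPv4 so a bad health-check value cannot reach pfctl
    case "$ip" in
        ''|*[!0-9.]*) echo "remove_dead_server: bad IPv4 address '$ip'" >&2; return 2 ;;
    esac
    "$PFCTL" -t "$table" -T delete "$ip" || return 1
    start=$(date +%s)
    # second -K: kill source entries from the first host/network to the second
    "$PFCTL" -K 0.0.0.0/0 -K "$ip" || return 1
    end=$(date +%s)
    echo "$((end - start))"
}

# Usage (assumed table name): remove_dead_server web_servers 10.0.0.5
```

Run as root on the balancer; the printed duration is what you would graph per server to spot the multi-second stalls the message reports, and the address check keeps a malformed health-check result out of the pfctl arguments.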