Date:      Fri, 8 Mar 2013 14:19:17 +0100
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   [patch] Source entries removing is awfully slow.
Message-ID:  <201303081419.17743.vegeta@tuxpowered.net>

Hello there!

In my environment, where I use FreeBSD machines as loadbalancers, after a server 
is detected as dead, the loadbalancer removes the broken server from a table 
used in a route-to pf rule and then removes Source entries pointing clients to 
that server, so clients previously assigned to the broken server are 
re-loadbalanced to alive servers.

Each loadbalancer has around 50k Source and 500k State entries. Under those 
conditions removing a Source from anywhere to a dead server with `pfctl -K 
0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds (or 
even up to a minute in another datacenter segment, where different services are 
served, causing thousands instead of just a few hundred States to be matched). 
Under a DDoS attack, when removing Sources to a server under attack, the kernel 
freezes permanently (I gave up after 10 minutes of waiting and restarted the 
machine).

A patch fixing the issue can be found here:

http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
