[patch] Source entries removing is awfully slow.

Ermal Luçi eri at freebsd.org
Fri Mar 8 20:11:50 UTC 2013


Is this FreeBSD 9.x or HEAD?



On Fri, Mar 8, 2013 at 2:19 PM, Kajetan Staszkiewicz
<vegeta at tuxpowered.net>wrote:

> Hello there!
>
> In my environment, where I use FreeBSD machines as loadbalancers, after a
> server is detected as dead, the loadbalancer removes the broken server from
> a table used in a route-to pf rule and then removes Source entries pointing
> clients to that server, so clients previously assigned to the broken server
> are re-loadbalanced to alive servers.
>
> Each loadbalancer has around 50k Source and 500k State entries. Under those
> conditions removing a Source from anywhere to a dead server with `pfctl -K
> 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds (or
> even up to a minute in another datacenter segment, where different services
> are served, causing thousands instead of just a few hundred States to be
> matched). Under a DDoS attack, when removing Sources to a server under
> attack, the kernel freezes permanently (I gave up after 10 minutes waiting
> and restarted the machine).
>
> A patch fixing the issue can be found here:
>
> http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch
>
> --
> | pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
> |  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
> |        Vegeta          | www: http://vegeta.tuxpowered.net     |
> `------------------------^---------------------------------------'



-- 
Ermal
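The dead-backend removal sequence Kajetan describes (drop the server from the route-to table, then kill the source-tracking entries pointing at it), scripted as an added example. This is not code from the original thread or from the FreeBSD tree; it assumes a pf table named "backends", TCP liveness probes via nc(1), hypothetical backend addresses constructed for the example, and a DRY_RUN mode (on by default) that prints the pfctl commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post or FreeBSD: scripting the
# dead-backend removal sequence described in the thread.
# Assumptions: the route-to rule uses the pf table "backends", backends are
# probed with a plain TCP connect via nc(1), and DRY_RUN=1 (the default here)
# prints the pfctl commands instead of executing them.

TABLE="${TABLE:-backends}"
DRY_RUN="${DRY_RUN:-1}"
PORT="${PORT:-80}"
# Hypothetical backend addresses, constructed for this example.
BACKENDS="${BACKENDS:-10.0.1.11 10.0.1.12 10.0.1.13}"

# Print the command in dry-run mode, otherwise execute it (needs root and pf).
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Drain one dead backend in the order the post describes:
#  1. remove it from the route-to table so no new clients are sent there;
#  2. kill the source-tracking entries from any client (0.0.0.0/0) to that
#     backend, so clients previously pinned to it are re-balanced.
# The second -K is what makes "from anywhere to <server>" rather than
# "originating from <server>".
drain_one() {
    run_cmd pfctl -t "$TABLE" -T delete "$1"
    run_cmd pfctl -K 0.0.0.0/0 -K "$1"
}

# TCP liveness probe: exit 0 if $1:$2 accepts a connection within 2 seconds.
alive() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Probe every backend and drain the dead ones.
drain_dead() {
    for b in $BACKENDS; do
        if ! alive "$b" "$PORT"; then
            drain_one "$b"
        fi
    done
}

# Only act when invoked with "check"; sourcing the file just defines functions.
if [ "${1:-}" = check ]; then
    drain_dead
fi
```

Run it as `DRY_RUN=0 sh drain.sh check` from a health-check timer on the loadbalancer. Note that, per the numbers in the post, the `pfctl -K` step is the one that stalls the box when the source and state tables are large, so it is worth keeping it out of any code path that must stay responsive during an attack.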

