Fwd: [patch] Source entries removing is awfully slow.

Xin Li delphij at delphij.net
Fri Mar 8 19:12:53 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

This sounds interesting, could someone, please, review this patch and
see if it's appropriate?

Thanks in advance!


- -------- Original Message --------
Subject: [patch] Source entries removing is awfully slow.
Date: Fri, 8 Mar 2013 14:19:17 +0100
From: Kajetan Staszkiewicz <vegeta at tuxpowered.net>
To: freebsd-net at freebsd.org <freebsd-net at freebsd.org>

Hello there!

In my enviroment, where I use FreeBSD machines as loadbalancers, after
a server
is detected as dead, loadbalancer removes the the broken server from a
table
used in route-to pf rule and then removes Source entries pointing
clients to
that server, so clients previously assigned to the broken server are re-
loadbalanced to alive servers.

Each loadbalancer has around 50k Source and 500k State entries. Under
those
conditions removing a Source from anywhere to a dead server with
`pfctl -K
0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few
seconds (or
even up to a minute in other datacenter segment, where different
services are
served, causing thousands instead of just a few hundred States to be
matched).
Under a DDoS attack, when removing Sources to a server under attack,
kernel
freezes permanently (I gave up after 10 minutes waiting and restarted the
machine).

A patch fixing the issue can be found here:

http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch

- -- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
_______________________________________________
freebsd-net at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"


-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJROjg0AAoJEG80Jeu8UPuzkRIH/12pf7eQm/RC5nUSfTyFEPSn
yWEG+2R+83oFza7qhpSOyO+qnSQYmqU+ZMZmCHllNymFVGYgBzO9s8Vs/m5ES3+D
Z6oiz7Zasca1VnNEfegQE2IyyXxqJ3yScLdDpxbh5wJ3r9lPmQLJgn6QwHxXvPqG
elmimfyjCvIOC2ALrggdcc4+xBjcGlpDCmb3CnkosR72I9cwD6fM/xfV9iHY0G/A
8FHfixUe1H4xpSSJiwOA+i0oN4TdFD/hh5JaHBJT4kxbCawxbJtMjazb0XSO+/uP
OIWNKJ6EnfodpAFKv8r/yIAHkEtMBVw9y7DC5cwxOo0miCU7PhNSA+BXtDckiVw=
=ziec
-----END PGP SIGNATURE-----

More information about the freebsd-pf mailing list