[patch] Source entries removing is awfully slow.
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Sat Mar 9 13:37:57 UTC 2013
On Saturday, 9 March 2013 at 13:14:16 Ermal Luçi wrote:
> On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz
>
> <vegeta at tuxpowered.net>wrote:
> > On Friday, 8 March 2013 at 21:11:43 Ermal Luçi wrote:
> > > Is this FreeBSD 9.x or HEAD?
> >
> > I found the problem and developed the patch on 9.1.
> >
> Can you please test this more 'beautiful' patch.
Oh, somehow I did not notice an existing implementation for doubly linked list.
I'm quite new to kernel programming.
> It's similar to yours but also delays src state removal to the proper purge
> thread.
I'll try it right after the weekend.
> Though the src node removal option through pfctl -K does a lot of job to
> cleanup things
> Still need to understand why it takes so much time for you to loop through
> 500K states.
That is because the loop will not be called just once.
`pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer` will
match multiple Source entries, up to a thousand of them in normal conditions
("normal" for my loadbalancers) and many many more when under a DDoS attack.
> The purge thread does that every tick by partitioning it to a few per time
> slot but still minutes is way long.
>
> Can you please try to give a top -SH view of the time when this happens and
> a pfctl -vvsa output?
I'll try on Monday, although as far as I remember the machine was quite frozen
during this operation.
--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
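The cost Kajetan describes above comes from repeating a full walk over the state table once for every matched source entry, so the work grows as (matched entries) x (states). The following is an added illustration, not pf code or either poster's patch: a constructed toy state table, a per-key removal that rescans the whole table for each key, and a single-pass removal that collects all keys first. The counters make the difference visible without having to time anything; the table sizes are assumptions chosen to run quickly.

```python
"""Toy model of per-key versus single-pass source entry removal.

Constructed example (not pf's code): the state table is a list of N states,
each tagged with the source key it belongs to. Removing K matched keys by
scanning the table once per key costs roughly K*N comparisons; a single sweep
with a set of keys costs N comparisons.
"""
import random


def build_states(n_states, n_sources, seed=1):
    """Constructed state table: n_states states spread over n_sources keys."""
    rng = random.Random(seed)
    return ["src%d" % rng.randrange(n_sources) for _ in range(n_states)]


def remove_per_key(states, keys):
    """Rescan the whole table once for every key (one loop per matched entry)."""
    comparisons = 0
    remaining = list(states)
    for key in keys:
        kept = []
        for src in remaining:
            comparisons += 1
            if src != key:
                kept.append(src)
        remaining = kept
    return remaining, comparisons


def remove_single_pass(states, keys):
    """Collect all matched keys first, then purge them in one sweep."""
    keyset = set(keys)
    comparisons = 0
    kept = []
    for src in states:
        comparisons += 1
        if src not in keyset:
            kept.append(src)
    return kept, comparisons


def compare(n_states=20000, n_sources=2000, n_keys=500):
    """Run both strategies on the same constructed table and report the work done.

    Assumed sizes: 20000 states over 2000 source keys, 500 of them matched,
    in the spirit of one broad pfctl -K match hitting many entries at once.
    """
    states = build_states(n_states, n_sources)
    keys = ["src%d" % i for i in range(n_keys)]
    left_a, work_a = remove_per_key(states, keys)
    left_b, work_b = remove_single_pass(states, keys)
    return {
        "same_result": left_a == left_b,
        "remaining": left_b,
        "per_key_comparisons": work_a,
        "single_pass_comparisons": work_b,
    }


if __name__ == "__main__":
    r = compare()
    print("per-key scans: %d comparisons, single pass: %d comparisons"
          % (r["per_key_comparisons"], r["single_pass_comparisons"]))
```

Both strategies end with the same table; only the amount of scanning differs, which is the same effect that turns a broad `pfctl -K` match into minutes of work when the removal loop runs once per matched entry instead of once per purge.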