From owner-freebsd-pf@FreeBSD.ORG Fri Mar 8 20:11:50 2013
From: Ermal Luçi
To: Kajetan Staszkiewicz
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 8 Mar 2013 21:11:43 +0100
Subject: Re: [patch] Source entries removing is awfully slow.
In-Reply-To: <201303081419.17743.vegeta@tuxpowered.net>
List-Id: Technical discussion and general questions about packet filter (pf)

Is this FreeBSD 9.x or HEAD?

On Fri, Mar 8, 2013 at 2:19 PM, Kajetan Staszkiewicz wrote:
> Hello there!
>
> In my environment, where I use FreeBSD machines as loadbalancers, after a
> server is detected as dead, the loadbalancer removes the broken server from
> a table used in a route-to pf rule and then removes Source entries pointing
> clients to that server, so clients previously assigned to the broken server
> are re-loadbalanced to alive servers.
>
> Each loadbalancer has around 50k Source and 500k State entries. Under those
> conditions removing a Source from anywhere to a dead server with
> `pfctl -K 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few
> seconds (or even up to a minute in another datacenter segment, where
> different services are served, causing thousands instead of just a few
> hundred States to be matched).
> Under a DDoS attack, when removing Sources to a server under attack, the
> kernel freezes permanently (I gave up after 10 minutes waiting and restarted
> the machine).
>
> A patch fixing the issue can be found here:
>
> http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch
>
> --
> | pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
> | Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
> | Vegeta                 | www: http://vegeta.tuxpowered.net      |
> `------------------------^---------------------------------------'
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

--
Ermal
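Added illustration, not code from this thread or from the linked patch, of the cost the report describes: the patch name suggests that states get linked to their src_node, so the model below contrasts an unlinked kill that walks every state for each matching source entry with a linked kill that touches only the affected states. The classes, operation counters and sample addresses are constructed for this model and are not pf's real structures.

```python
# Added model (not pf source, not the patch): why `pfctl -K` on source
# entries is slow when states are not linked to their source node. The
# per-node "states" list is an assumption drawn from the patch name.

class State:
    def __init__(self, src_node):
        self.src_node = src_node    # source-tracking entry this state hangs off

class SrcNode:
    def __init__(self, client, server):
        self.client = client        # client address (0.0.0.0/0 side of -K)
        self.server = server        # route-to target (second -K argument)
        self.states = []            # used only by the linked variant

def kill_srcnodes_scan(src_nodes, states, dead_server):
    """Unlinked: every matching source node triggers a walk over ALL states
    to detach those that reference it (matching nodes x total states)."""
    ops, survivors = 0, []
    for sn in src_nodes:
        if sn.server != dead_server:
            survivors.append(sn)
            continue
        for st in states:           # full state walk per killed node
            ops += 1
            if st.src_node is sn:
                st.src_node = None
    return survivors, ops

def kill_srcnodes_linked(src_nodes, dead_server):
    """Linked: only the states hanging off each killed node are touched."""
    ops, survivors = 0, []
    for sn in src_nodes:
        if sn.server != dead_server:
            survivors.append(sn)
            continue
        for st in sn.states:
            ops += 1
            st.src_node = None
        sn.states.clear()
    return survivors, ops

def build_tables(n_sources, states_per_source, servers):
    """Constructed sample: clients spread round-robin over servers."""
    src_nodes, states = [], []
    for i in range(n_sources):
        sn = SrcNode(f"10.0.{i // 256}.{i % 256}", servers[i % len(servers)])
        src_nodes.append(sn)
        for _ in range(states_per_source):
            st = State(sn)
            sn.states.append(st)
            states.append(st)
    return src_nodes, states
```

With 200 sources of 10 states each and one of two servers dead, the unlinked variant performs 100 x 2000 state visits while the linked one performs 1000, and both leave the same 1000 states detached.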