From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-net@freebsd.org
Subject: [patch] Source entries removing is awfully slow.
Date: Fri, 8 Mar 2013 14:19:17 +0100
Message-Id: <201303081419.17743.vegeta@tuxpowered.net>
List-Id: Networking and TCP/IP with FreeBSD

Hello there!

In my environment, where I use FreeBSD machines as loadbalancers, after a server is detected as dead, the loadbalancer removes the broken server from a table used in a route-to pf rule and then removes Source entries pointing clients to that server, so clients previously assigned to the broken server are re-loadbalanced to alive servers.

Each loadbalancer has around 50k Source and 500k State entries. Under those conditions removing a Source from anywhere to a dead server with `pfctl -K 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds (or even up to a minute in another datacenter segment, where different services are served, causing thousands instead of just a few hundred States to be matched). Under a DDoS attack, when removing Sources to a server under attack, the kernel freezes permanently (I gave up after 10 minutes waiting and restarted the machine).

A patch fixing the issue can be found here:
http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch

-- 
| pozdrawiam / greetings   | powered by Debian, CentOS and FreeBSD   |
| Kajetan Staszkiewicz     | jabber,email: vegeta()tuxpowered net    |
| Vegeta                   | www: http://vegeta.tuxpowered.net       |
`------------------------^---------------------------------------'