Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 8 Mar 2013 21:11:43 +0100
From:      =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
To:        Kajetan Staszkiewicz <vegeta@tuxpowered.net>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: [patch] Source entries removing is awfully slow.
Message-ID:  <CAPBZQG2bb2xzPB2UoPUDx-ifyBdmjac6b8kV76DTPBUzLCDmJw@mail.gmail.com>
In-Reply-To: <201303081419.17743.vegeta@tuxpowered.net>
References:  <201303081419.17743.vegeta@tuxpowered.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
Is this FreeBSD 9.x or HEAD?



On Fri, Mar 8, 2013 at 2:19 PM, Kajetan Staszkiewicz
<vegeta@tuxpowered.net>wrote:

> Hello there!
>
> In my enviroment, where I use FreeBSD machines as loadbalancers, after a
> server
> is detected as dead, loadbalancer removes the the broken server from a
> table
> used in route-to pf rule and then removes Source entries pointing clients
> to
> that server, so clients previously assigned to the broken server are re-
> loadbalanced to alive servers.
>
> Each loadbalancer has around 50k Source and 500k State entries. Under those
> conditions removing a Source from anywhere to a dead server with `pfctl -K
> 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few seconds
> (or
> even up to a minute in other datacenter segment, where different services
> are
> served, causing thousands instead of just a few hundred States to be
> matched).
> Under a DDoS attack, when removing Sources to a server under attack, kernel
> freezes permanently (I gave up after 10 minutes waiting and restarted the
> machine).
>
> A patch fixing the issue can be found here:
>
> http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch
>
> --
> | pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
> |  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
> |        Vegeta          | www: http://vegeta.tuxpowered.net     |
> `------------------------^---------------------------------------'
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>



-- 
Ermal

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPBZQG2bb2xzPB2UoPUDx-ifyBdmjac6b8kV76DTPBUzLCDmJw>