Date:      Sat, 9 Mar 2013 14:37:51 +0100
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        Ermal Luçi <eri@freebsd.org>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: [patch] Source entries removing is awfully slow.
Message-ID:  <201303091437.51945.vegeta@tuxpowered.net>
In-Reply-To: <CAPBZQG0Jj_c-XvVJNV2S02xcitr+nhs+mV=GjJm3YeM6iPUX7g@mail.gmail.com>
References:  <201303081419.17743.vegeta@tuxpowered.net> <201303082151.00895.vegeta@tuxpowered.net> <CAPBZQG0Jj_c-XvVJNV2S02xcitr+nhs+mV=GjJm3YeM6iPUX7g@mail.gmail.com>

On Saturday, 9 March 2013 at 13:14:16, Ermal Luçi wrote:
> On Fri, Mar 8, 2013 at 9:51 PM, Kajetan Staszkiewicz <vegeta@tuxpowered.net> wrote:
> > On Friday, 8 March 2013 at 21:11:43, Ermal Luçi wrote:
> > > Is this FreeBSD 9.x or HEAD?
> > 
> > I found the problem and developed the patch on 9.1.
> > 
> Can you please test this more 'beautiful' patch?

Oh, somehow I did not notice an existing implementation of a doubly linked list.
I'm quite new to kernel programming.

> It's similar to yours but also delays src state removal to the proper purge
> thread.

I'll try it right after the weekend.

> Though the src node removal option through pfctl -K does a lot of work to
> clean up things.
> Still need to understand why it takes so much time for you to loop through
> 500K states.

That is because the loop will not be called just once.

`pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer` will
match multiple Source entries, up to a thousand of them in normal conditions
("normal" for my loadbalancers) and many many more when under a DDoS attack.

> The purge thread does that every tick by partitioning it to a few per time
> slot but still minutes is way too long.
> 
> Can you please try to give a top -SH view of the time when this happens and
> a pfctl -vvsa output?

I'll try on Monday, although as far as I remember the machine was quite frozen
during this operation.

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
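The cost difference the thread is circling is a nested loop: one full walk of the state table per matching source entry, versus walking only the states that hang off each source node. The following C model, added here and not pf's own code (pf's real structures, locking and purge thread are not reproduced; the struct layout, the 1000-entries-by-500-states split and the operation counter are constructed for illustration), keeps every state on a global doubly linked list and on a per-source-node doubly linked list, and counts how many states each removal strategy has to examine when every source entry matched by a wide `pfctl -K` is killed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not pf's structs. A state belongs to one source-tracking
 * node; both lists are doubly linked so unlinking a state costs O(1). */
struct src_node;

struct state {
    unsigned id;
    struct src_node *src;               /* source-tracking entry of this state */
    struct state *all_prev, *all_next;  /* global state table list */
    struct state *src_prev, *src_next;  /* per-source-node list */
};

struct src_node {
    unsigned idx;
    struct state *states;               /* head of the per-source-node list */
    unsigned nstates;
};

struct table {
    struct state *all;                  /* head of the global list */
    size_t nstates;
    unsigned long ops;                  /* states examined so far (the cost metric) */
};

/* Insert a new state at the head of both lists. */
static void state_add(struct table *t, struct src_node *sn, unsigned id)
{
    struct state *s = calloc(1, sizeof *s);
    if (s == NULL) { perror("calloc"); exit(1); }
    s->id = id;
    s->src = sn;
    s->all_next = t->all;
    if (t->all) t->all->all_prev = s;
    t->all = s;
    t->nstates++;
    s->src_next = sn->states;
    if (sn->states) sn->states->src_prev = s;
    sn->states = s;
    sn->nstates++;
}

/* Unlink from both lists and free; no scanning needed. */
static void state_remove(struct table *t, struct state *s)
{
    struct src_node *sn = s->src;
    if (s->all_prev) s->all_prev->all_next = s->all_next; else t->all = s->all_next;
    if (s->all_next) s->all_next->all_prev = s->all_prev;
    t->nstates--;
    if (s->src_prev) s->src_prev->src_next = s->src_next; else sn->states = s->src_next;
    if (s->src_next) s->src_next->src_prev = s->src_prev;
    sn->nstates--;
    free(s);
}

/* Scan strategy: walk the whole remaining table for every source node killed. */
static void kill_src_scan(struct table *t, struct src_node *sn)
{
    for (struct state *s = t->all, *next; s != NULL; s = next) {
        next = s->all_next;
        t->ops++;
        if (s->src == sn) state_remove(t, s);
    }
}

/* Linked strategy: walk only the states hanging off this source node. */
static void kill_src_linked(struct table *t, struct src_node *sn)
{
    for (struct state *s = sn->states, *next; s != NULL; s = next) {
        next = s->src_next;
        t->ops++;
        state_remove(t, s);
    }
}

/* Build nsrc source nodes with per_src states each, kill them all (as a
 * "pfctl -K" matching every entry would), and return states examined. */
unsigned long simulate_kill_all(unsigned nsrc, unsigned per_src, int use_linked)
{
    struct table t = { NULL, 0, 0 };
    struct src_node *nodes = calloc(nsrc, sizeof *nodes);
    if (nodes == NULL) { perror("calloc"); exit(1); }
    unsigned id = 0;
    for (unsigned i = 0; i < nsrc; i++) {
        nodes[i].idx = i;
        for (unsigned j = 0; j < per_src; j++)
            state_add(&t, &nodes[i], id++);
    }
    for (unsigned i = 0; i < nsrc; i++)
        use_linked ? kill_src_linked(&t, &nodes[i]) : kill_src_scan(&t, &nodes[i]);
    if (t.nstates != 0) { fprintf(stderr, "%zu states left\n", t.nstates); exit(1); }
    free(nodes);
    return t.ops;
}

int main(void)
{
    /* 1000 matching source entries x 500 states = the 500K states of the thread */
    printf("scan  : %lu states examined\n", simulate_kill_all(1000, 500, 0));
    printf("linked: %lu states examined\n", simulate_kill_all(1000, 500, 1));
    return 0;
}
```

With N states and k source entries each owning N/k of them, the scan strategy examines N + (N - N/k) + ... states in total, which is about k*N/2, while the linked strategy examines each state exactly once; at 500K states and a thousand matching entries that is a quarter of a billion visits against half a million, which is the kind of gap that turns a `pfctl -K` into minutes of a frozen machine.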