Date: Sat, 9 Mar 2013 17:15:42 +0100
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: Ermal Luçi <eri@freebsd.org>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: [patch] Source entries removing is awfully slow.
Message-ID: <201303091715.42624.vegeta@tuxpowered.net>
In-Reply-To: <CAPBZQG0EyUb=MZFfFzesxQvA38CPBubjd7izt3OHyqpbMOMarA@mail.gmail.com>
References: <201303081419.17743.vegeta@tuxpowered.net> <201303091437.51945.vegeta@tuxpowered.net> <CAPBZQG0EyUb=MZFfFzesxQvA38CPBubjd7izt3OHyqpbMOMarA@mail.gmail.com>
On Saturday, 9 March 2013 at 16:11:56 you wrote:
> > > Though the src node removal option through pfctl -K does a lot of job
> > > to cleanup things
> > > Still need to understand why it takes so much time for you to loop
> > > through 500K states.
> >
> > That is because the loop will not be called just once.
> >
> > `pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer` will
> > match multiple Source entries, up to a thousand of them in normal conditions
> > ("normal" for my loadbalancers) and many many more when under a DDoS
> > attack.
>
> I would expect from proper software to kill states from those clients and
> then kill the srcnode for the backend server.

First of all, I do not know which clients are affected. I know which server is
dead. But I cannot remove states to this server using pfctl, as states are
from clients' public IP addresses to the loadbalancer's public IP address. Sources,
on the other hand, point to the internal IP address of the broken server.

And the second thing is that under normal conditions removing just a bit of
states would not help the performance. Also, the server health checking software
is unaware of DDoS attacks and will not remove states resulting from the attack
in advance.

> It does not make proper sense to not kill state before src nodes since that
> is what will impact your connectivity.

I agree, it only makes sense to remove both sources and linked states at the
same time. With removing sources only, states are still pointing to the broken
server and clients are still connected to it in existing TCP connections. If
states were also removed, clients would lose all connectivity (which I
prefer rather than them seeing wrong data) and (hopefully) reconnect to another
live server.

> Though the patch improves your use case a lot still would be better to even
> kill those states during this step, with an extra option,
> since otherwise you'd have to create for each of those client a separate
> request.

That will be in an updated version of the patch, which I hope to send to the list on
Monday.

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
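The source-entry/state relationship argued over above, as an added example that is neither pf's code nor the patch under discussion: a simplified Python model of src nodes pinned to a backend and the states linked to them, counting how many state-table visits a sweep-per-killed-src-node costs against a single combined pass, and showing that removing the src nodes alone leaves every state on the dead backend in place. The SrcNode/State structures, the `-K client -K backend` selection and the iteration counts are assumptions of this model, not pf internals.

```python
# Added example, not pf's own code: a simplified model of pf source-tracking
# entries (src nodes) and the states linked to them. Killing a src node without
# its states leaves clients attached to a dead backend, and sweeping the whole
# state table once per killed src node costs O(src_nodes * states).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class SrcNode:
    client: str    # tracked source (client public IP)
    redirect: str  # backend the client is pinned to (internal IP)

@dataclass
class State:
    src: str           # client public IP
    dst: str           # load balancer public IP
    src_node: SrcNode  # source entry this state is linked to

def matches(node, client_net, redirect_net):
    """Models the selection done by 'pfctl -K client_net -K redirect_net'."""
    return (ip_address(node.client) in ip_network(client_net)
            and ip_address(node.redirect) in ip_network(redirect_net))

def kill_per_node(src_nodes, states, client_net, redirect_net):
    """Kill matching src nodes, sweeping the full state table once per node.
    Returns (remaining src nodes, remaining states, loop iterations)."""
    killed = [n for n in src_nodes if matches(n, client_net, redirect_net)]
    iterations = 0
    for node in killed:
        iterations += len(states)  # one full sweep per killed src node
        states = [s for s in states if s.src_node is not node]
    return [n for n in src_nodes if n not in killed], states, iterations

def kill_combined(src_nodes, states, client_net, redirect_net):
    """Select the src nodes first, then sweep the state table exactly once."""
    killed = {n for n in src_nodes if matches(n, client_net, redirect_net)}
    iterations = len(src_nodes) + len(states)
    states = [s for s in states if s.src_node not in killed]
    return [n for n in src_nodes if n not in killed], states, iterations

def states_pinned_to(states, backend):
    """States whose src node still points at the given backend."""
    return [s for s in states if s.src_node.redirect == backend]

# Constructed sample: three clients pinned to the dead backend 10.0.0.5, one to
# the live backend 10.0.0.6, two states per client through VIP 198.51.100.1.
SRC_NODES = [SrcNode(f"203.0.113.{i}", "10.0.0.5") for i in (1, 2, 3)]
SRC_NODES.append(SrcNode("203.0.113.4", "10.0.0.6"))
STATES = [State(n.client, "198.51.100.1", n) for n in SRC_NODES for _ in range(2)]
```

With a thousand matched sources over 500K states the per-node sweep visits the state table a thousand times, which is the cost the thread is describing.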