Date:      Tue, 27 Jan 2015 20:57:20 +0200
From:      wishmaster <artemrts@ukr.net>
To:        anarcat@koumbit.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: is polling still a thing?
Message-ID:  <1422384769.867067950.y2iiuu53@frv34.fwdcdn.com>
In-Reply-To: <871tmgceup.fsf@marcos.anarc.at>
References:  <871tmgceup.fsf@marcos.anarc.at>

Have you considered using netmap-based ipfw instead of pf for DDoS mitigation? I think you should. And without any network "hacks" like polling.

Cheers,
Vitaly

 --- Original Message ---
 From: "Antoine Beaupré"
 Date: 27 January 2015, 19:28:55

> (Please CC, as I am not on the list.)
> 
> I was surprised to read this article in the pfSense blog:
> 
> https://blog.pfsense.org/?p=115
> 
> TLDR: "At this time, polling is not recommended at all."
> 
> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
> 
> The hardware is:
> 
> * 2xIntel E1G44HTBLK NICs
> * 1xIntel 1220LV2 CPU
> 
> More detailed specs here:
> 
> https://wiki.koumbit.net/rtr1.koumbit.net
> 
> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
> 
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709
> 
> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
> 
> At this point, I'm considering the following options:
> 
> * switching to an Intel IGB nic
> * enabling fastforwarding
> * tweaking the number of IGB queues
> 
> Any recommendations would be welcome.
> 
> Thanks!
> 
> A.
> 
> -- 
> feature, n: a documented bug | bug, n: an undocumented feature
> - Mario S F Ferreira 
 
Date:      Tue, 27 Jan 2015 11:28:14 -0800
From:      hiren panchasara <hiren@strugglingcoder.info>
To:        Sreekanth Rupavatharam <rupavath@juniper.net>
Cc:        jfv@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: Double cleanup in igb_attach
Message-ID:  <20150127192814.GA63990@strugglingcoder.info>
In-Reply-To: <D0EC151C.1A7B1%rupavath@juniper.net>
References:  <D0EC151C.1A7B1%rupavath@juniper.net>



+ Jack
On Tue, Jan 27, 2015 at 12:00:19AM +0000, Sreekanth Rupavatharam wrote:
> Apologies if this is not the right forum. In the igb_attach function, we have this code.
> err_late:
>         igb_detach(dev);
>         igb_free_transmit_structures(adapter);
>         igb_free_receive_structures(adapter);
>         igb_release_hw_control(adapter);
> err_pci:
>         igb_free_pci_resources(adapter);
>         if (adapter->ifp != NULL)
>                 if_free(adapter->ifp);
>         free(adapter->mta, M_DEVBUF);
>         IGB_CORE_LOCK_DESTROY(adapter);
> 
> The problem is that igb_detach also does the same cleanup in its body. The only exception is this case, where it just returns EBUSY:
>         /* Make sure VLANS are not using driver */
>         if (if_vlantrunkinuse(ifp)) {
>                 device_printf(dev,"Vlan in use, detach first\n");
>                 return (EBUSY);
>         }
> 
> I think the code in igb_attach should be changed to free up resources only if igb_detach returns an error. Here's the patch for it.
> 
> 
> Index: if_igb.c
> 
> ===================================================================
> 
> --- if_igb.c (revision 298025)
> 
> +++ if_igb.c (working copy)
> 
> @@ -723,7 +723,8 @@ igb_attach(device_t dev)
>=20
>   return (0);
>=20
>=20
>=20
>  err_late:
>=20
> - igb_detach(dev);
>=20
> + if(igb_detach(dev) =3D=3D 0) /* igb_detach did the cleanup */
>=20
> + return;
>=20
>   igb_free_transmit_structures(adapter);
>=20
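Review bot: `return;` with no value in igb_attach will not compile, since the context line `return (0);` shows the function returns an int; the early exit needs to hand back the attach error code (whatever variable the err_late path uses is not visible in the hunk), e.g. `return (error);` if that is its name. Two smaller points: style(9) wants `if (igb_detach(dev) == 0)` with a space after `if`, and the early return also skips everything under err_pci, including the free(adapter->mta) and IGB_CORE_LOCK_DESTROY(adapter) quoted above, so the change is only safe if igb_detach itself releases those; confirm that against its body before committing.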
>  Can anyone comment on it and tell me if my understanding is incorrect?
>

Seems reasonable to me at first glance.

We need to call IGB_CORE_LOCK_DESTROY(adapter) before returning though.

cheers,
Hiren
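As an added example (not the FreeBSD igb driver's code, and not from anyone in this thread), the following C model reproduces the double-cleanup problem Sreekanth describes and the shape of his fix. All names (struct adapter, model_detach, attach_old, attach_new, setup, release) are hypothetical; igb_detach's EBUSY refusal is modelled by a vlan_in_use flag, and the model nulls pointers after release so that a repeated cleanup is counted rather than being a real double free. The fixed path also returns the attach error code from the early exit, since igb_attach returns an int.

```c
/*
 * Added example, not the igb driver's code: a model of the attach/detach
 * error path from the thread.  All names are hypothetical.  Pointers are
 * set to NULL after release so a second cleanup of the same resource is
 * counted in double_frees instead of corrupting the heap.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct adapter {
	void *tx;         /* transmit structures */
	void *rx;         /* receive structures */
	void *mta;        /* multicast table array */
	int lock_alive;   /* 1 while the core lock exists */
	int vlan_in_use;  /* models if_vlantrunkinuse() being true */
	int frees;        /* resources released exactly once */
	int double_frees; /* release attempts on an already-freed resource */
};

/* Release one resource, recording whether it had already been released. */
static void release(struct adapter *a, void **p)
{
	if (*p == NULL) {
		a->double_frees++;
		return;
	}
	free(*p);
	*p = NULL;
	a->frees++;
}

/* Models igb_detach(): refuses with EBUSY while VLANs are attached,
 * otherwise tears down everything attach allocated, lock included. */
static int model_detach(struct adapter *a)
{
	if (a->vlan_in_use)
		return (EBUSY);
	release(a, &a->tx);
	release(a, &a->rx);
	release(a, &a->mta);
	a->lock_alive = 0;
	return (0);
}

/* Allocate what an attach would have set up before its late failure. */
static int setup(struct adapter *a, int vlan_in_use)
{
	memset(a, 0, sizeof(*a));
	a->tx = malloc(64);
	a->rx = malloc(64);
	a->mta = malloc(64);
	if (a->tx == NULL || a->rx == NULL || a->mta == NULL) {
		free(a->tx); free(a->rx); free(a->mta);
		return (ENOMEM);
	}
	a->lock_alive = 1;
	a->vlan_in_use = vlan_in_use;
	return (0);
}

/* Shape of the original err_late path: detach, then clean up again by hand. */
static int attach_old(struct adapter *a, int vlan_in_use)
{
	int error;

	if ((error = setup(a, vlan_in_use)) != 0)
		return (error);
	error = ENXIO;          /* a late step failed; enter the error path */
	model_detach(a);
	release(a, &a->tx);     /* every one of these repeats detach's work */
	release(a, &a->rx);
	release(a, &a->mta);
	a->lock_alive = 0;
	return (error);
}

/* Shape of the proposed fix: clean up by hand only when detach declined,
 * and still return the attach error instead of a bare return. */
static int attach_new(struct adapter *a, int vlan_in_use)
{
	int error;

	if ((error = setup(a, vlan_in_use)) != 0)
		return (error);
	error = ENXIO;
	if (model_detach(a) == 0)   /* detach did the cleanup */
		return (error);
	release(a, &a->tx);         /* detach refused (EBUSY): release here */
	release(a, &a->rx);
	release(a, &a->mta);
	a->lock_alive = 0;
	return (error);
}

int main(void)
{
	struct adapter a;

	attach_old(&a, 0);
	printf("old path: %d frees, %d double frees\n", a.frees, a.double_frees);
	attach_new(&a, 0);
	printf("new path: %d frees, %d double frees\n", a.frees, a.double_frees);
	attach_new(&a, 1);
	printf("new path, VLAN busy: %d frees, %d double frees\n", a.frees, a.double_frees);
	return (0);
}
```

The old path releases each resource once in model_detach and then tries again by hand, so every hand release is a double free; the new path reaches the hand releases only when detach returned EBUSY, and in both branches each resource is released exactly once and the lock is gone.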
