Date: Tue, 27 Jan 2015 20:57:20 +0200
From: wishmaster <artemrts@ukr.net>
To: anarcat@koumbit.org
Cc: freebsd-net@freebsd.org
Subject: Re: is polling still a thing?
Message-ID: <1422384769.867067950.y2iiuu53@frv34.fwdcdn.com>
In-Reply-To: <871tmgceup.fsf@marcos.anarc.at>
References: <871tmgceup.fsf@marcos.anarc.at>
Have you considered using netmap-based ipfw instead of pf for DDoS mitigation? I think you should. And without any network "hacks" like polling.

Cheers,
Vitaly

--- Original Message ---
From: "Antoine Beaupré"
Date: 27 January 2015, 19:28:55

> (Please CC, as I am not on the list.)
>
> I was surprised to read this article in the pfSense blog:
>
> https://blog.pfsense.org/?p=115
>
> TLDR: "At this time, polling is not recommended at all."
>
> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
>
> The hardware is:
>
> * 2xIntel E1G44HTBLK NICs
> * 1xIntel 1220LV2 CPU
>
> More detailed specs here:
>
> https://wiki.koumbit.net/rtr1.koumbit.net
>
> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
>
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709
>
> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
>
> At this point, I'm considering the following options:
>
> * switching to an Intel IGB nic
> * enabling fastforwarding
> * tweak the number of IGB queues
>
> Any recommendations would be welcome.
>
> Thanks!
>
> A.
>
> --
> feature, n: a documented bug | bug, n: an undocumented feature
> - Mario S F Ferreira

From owner-freebsd-net@FreeBSD.ORG Tue Jan 27 19:36:26 2015
Date: Tue, 27 Jan 2015 11:28:14 -0800
From: hiren panchasara <hiren@strugglingcoder.info>
To: Sreekanth Rupavatharam <rupavath@juniper.net>
Cc: jfv@freebsd.org, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: Double cleanup in igb_attach
Message-ID: <20150127192814.GA63990@strugglingcoder.info>
In-Reply-To: <D0EC151C.1A7B1%rupavath@juniper.net>
References: <D0EC151C.1A7B1%rupavath@juniper.net>

+ Jack

On Tue, Jan 27, 2015 at 12:00:19AM +0000, Sreekanth Rupavatharam wrote:
> Apologies if this is not the right forum. In igb_attach function, we have this code.
>
> err_late:
> 	igb_detach(dev);
> 	igb_free_transmit_structures(adapter);
> 	igb_free_receive_structures(adapter);
> 	igb_release_hw_control(adapter);
> err_pci:
> 	igb_free_pci_resources(adapter);
> 	if (adapter->ifp != NULL)
> 		if_free(adapter->ifp);
> 	free(adapter->mta, M_DEVBUF);
> 	IGB_CORE_LOCK_DESTROY(adapter);
>
> The problem is that igb_detach also does the same cleanup in its body. Only exception is this case where it just returns EBUSY
>
> 	/* Make sure VLANS are not using driver */
> 	if (if_vlantrunkinuse(ifp)) {
> 		device_printf(dev,"Vlan in use, detach first\n");
> 		return (EBUSY);
> 	}
>
> I think the code in igb_attach should be changed to free up resources only if the igb_detach returns an error. Here's the patch for it.
>
>
> Index: if_igb.c
> ===================================================================
> --- if_igb.c	(revision 298025)
> +++ if_igb.c	(working copy)
> @@ -723,7 +723,8 @@ igb_attach(device_t dev)
>  	return (0);
>  
>  err_late:
> -	igb_detach(dev);
> +	if(igb_detach(dev) == 0) /* igb_detach did the cleanup */
> +		return;
>  	igb_free_transmit_structures(adapter);
>
> Can anyone comment on it and tell me if my understanding is incorrect?

Seems reasonable to me at the first glance. We need to call IGB_CORE_LOCK_DESTROY(adapter) before returning though.

cheers,
Hiren
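Review bot: the added `return;` at err_late is a bare return from a function that elsewhere in the same hunk does `return (0);`, so igb_attach would hand the bus framework an undefined status instead of the error that sent control to err_late; return the error code of the failing step (the hunk does not show which variable holds it) so the attach is still reported as failed. Also, as Hiren notes, the early return skips everything after it in the err_late/err_pci path shown in the message, including IGB_CORE_LOCK_DESTROY(adapter), the if_free(adapter->ifp) and the free(adapter->mta); confirm which of those igb_detach performs on its success path before taking this, otherwise the patch trades a double cleanup for a leak. Minor: `if(` wants a space after the keyword.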