[patch] Source entries removing is awfully slow.
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Fri Mar 8 13:19:21 UTC 2013
Hello there!
In my environment, where I use FreeBSD machines as loadbalancers, after a server
is detected as dead, the loadbalancer removes the broken server from a table
used in a route-to pf rule and then removes Source entries pointing clients to
that server, so clients previously assigned to the broken server are
re-loadbalanced to alive servers.
Each loadbalancer has around 50k Source and 500k State entries. Under those
conditions removing a Source from anywhere to a dead server with
`pfctl -K 0.0.0.0/0 -K internal.IP.of.server` freezes the machine for a few
seconds (or even up to a minute in another datacenter segment, where different
services are served, causing thousands instead of just a few hundred States to
be matched).
Under a DDoS attack, when removing Sources to a server under attack, kernel
freezes permanently (I gave up after 10 minutes waiting and restarted the
machine).
A patch fixing the issue can be found here:
http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch
--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
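The two-step backend drain the post describes (take the server out of the route-to table, then kill the Source entries that still pin clients to it), written up as a small POSIX sh helper. This is an added example, not code from the post or the linked patch; the table name, backend address and the DRY_RUN/PFCTL switches are assumptions for illustration.

```shell
#!/bin/sh
# Added example: drain one backend from a pf route-to pool kept in a table.
# Assumptions: the pool table is named by the caller, pfctl is on PATH (or
# PFCTL points at a wrapper), and DRY_RUN=1 prints commands instead of running
# them, which is how the helper can be exercised on a host without pf.
PFCTL="${PFCTL:-pfctl}"

# run CMD... : execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# drain_backend TABLE IP : remove IP from TABLE, then drop the source-tracking
# entries from any client to IP so those clients get re-balanced.
drain_backend() {
    table="$1"
    ip="$2"
    # 1. Remove the backend from the table referenced by the route-to rule so
    #    no new connections are sent to it.
    run "$PFCTL" -t "$table" -T delete "$ip" || return 1
    # 2. Kill Source entries from anywhere (0.0.0.0/0) to this backend. With
    #    tens of thousands of Source and hundreds of thousands of State
    #    entries this is the step the post reports as freezing the machine.
    run "$PFCTL" -K 0.0.0.0/0 -K "$ip"
}

# Example invocation (constructed values):
#   DRY_RUN=1 drain_backend web_pool 10.0.0.5
```

Running it with `DRY_RUN=1` prints the two `pfctl` commands in order without touching the live ruleset; without it, the helper stops after the first step if the table delete fails, so Source entries are never killed for a backend that is still in the pool.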