FreeBSD patch - Speeding up removal of pf src entries

dhatz

I thought this might be of interest …

[patch] Source entries removing is awfully slow.
Kajetan Staszkiewicz vegeta at tuxpowered.net
Fri Mar 8 13:19:21 UTC 2013

Hello there!

In my enviroment, where I use FreeBSD machines as loadbalancers, after a server
is detected as dead, loadbalancer removes the the broken server from a table
used in route-to pf rule and then removes Source entries pointing clients to
that server, so clients previously assigned to the broken server are re-
loadbalanced to alive servers.

Each loadbalancer has around 50k Source and 500k State entries. Under those
conditions removing a Source from anywhere to a dead server with pfctl -K 0.0.0.0/0 -K internal.IP.of.server freezes the machine for a few seconds (or
even up to a minute in other datacenter segment, where different services are
served, causing thousands instead of just a few hundred States to be matched).
Under a DDoS attack, when removing Sources to a server under attack, kernel
freezes permanently (I gave up after 10 minutes waiting and restarted the
machine).

A patch fixing the issue can be found here:

http://vegeta.tuxpowered.net/download/link-states-to-src_node.patch

eri--

Please do not post things from freebsd-net here.
Most of us follow those lists and are aware of things.