Dnia sobota, 9 marca 2013 o 16:11:56 napisałeś:
> > > Though the src node removal option through pfctl -K does a lot of job
> > > to cleanup things
> > > Still need to undertand why it takes so much time for you to loop
> > > through 500K states.
> >
> > That is because the loop will not be called just once.
> >
> > `pfctl -K 0.0.0.0/0 -K ip.of.internal.server.behind.this.loadbalancer`
> > will
> > match multiple Source entries, up to a thousand of them in normal
> > conditions
> > ("normal" for my loadbalancers) and many many more when under a DDoS
> > attack.
>
> I would expect from a proper software to kill states from those clients and
> then kill the srcnode for the backend server.
First of all, I do not know which clients are affected. I know which server is
dead. But I can not remove states to this server using pfctl, as states are
from clients' public IP addresses to loadbalancer's public IP address. Sources
on the other hand point to the internal IP address of the broken server.
And the second thing is, that under normal conditions removing just a bit of
states would not help the performance. Also the server health checking software
is unaware of DDoS attacks and will not remove states resulting from the attack
in advance.
> It does not make proper sense to not kill state before src nodes since that
> is what will impact your connectivity.
I agree, it makes only sense to remove both sources and linked states at the
same time. With removing sources only, states are still pointing to the broken
server and clients are still connected to it in existing tcp connections. If
states would be also removed, clients will loose all connectivity (which I
prefer rather than them seeing wrong data) and (hopefully) reconnect to another
live server.
> Though the patch improves your use case a lot still would be better to even
> kill those states during this step, with an extra option,
> since otherwise you'd have to create for each of those client a separate
> request.
That would be in updated version of the patch I hope to send to the list on
Monday.
--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
