Summary: On state creation src_node is looked up twice.
Product: Base System
Reporter: Kajetan Staszkiewicz <vegeta>
Component: kern
Assignee: Gleb Smirnoff <glebius>
Severity: Affects Only Me
CC: vegeta
Description Kajetan Staszkiewicz 2013-11-15 15:50:00 UTC
When a new state is created, pf_insert_src_node is called which tries to find an existing src_node or creates a new one if none matching is found. Later, when pf_set_rt_ifp (and pf_map_addr) is called, a search for src_node is performed again, even though matching (found or new) src_node is already known.

Fix: Do not call pf_find_src_node in pf_map_addr if source_node is given. The attached patch is for FreeBSD 10.0-BETA3 and was not yet tested under bigger load, although the same approach works well for FreeBSD 9.1. I can provide the 9.1 patch too if requested. Patch attached with submission follows:

How-To-Repeat: Have your FreeBSD-based loadbalancer under a SYN DDoS attack, observe 2x more src_node lookups than incoming SYN packets.
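The double lookup described in the report, as a simplified model added here (it is not pf source and not the attached patch). The hash table, the `skip_if_known` switch and all function names are assumptions made for illustration; the model only counts table searches per new state.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not pf source: source nodes in a hash table keyed by IPv4 address. */
#define BUCKETS 1024
struct src_node { uint32_t addr; struct src_node *next; };
static struct src_node *table[BUCKETS];
static unsigned long lookups;              /* number of hash-table searches */

static struct src_node *find_src_node(uint32_t addr)
{
    lookups++;
    for (struct src_node *n = table[addr % BUCKETS]; n != NULL; n = n->next)
        if (n->addr == addr)
            return n;
    return NULL;
}

/* Find-or-create, the role the report gives pf_insert_src_node. */
static struct src_node *insert_src_node(uint32_t addr)
{
    struct src_node *n = find_src_node(addr);
    if (n == NULL && (n = calloc(1, sizeof(*n))) != NULL) {
        n->addr = addr;
        n->next = table[addr % BUCKETS];
        table[addr % BUCKETS] = n;
    }
    return n;
}

/* Address-mapping step. With skip_if_known set, a node passed in by the
 * caller is trusted and the second search is skipped (the proposed fix). */
static void map_addr(uint32_t addr, struct src_node **sn, int skip_if_known)
{
    if (!(skip_if_known && *sn != NULL))
        *sn = find_src_node(addr);
}

/* One new state per SYN from `syns` distinct sources; returns total searches. */
unsigned long simulate(unsigned syns, int skip_if_known)
{
    lookups = 0;
    for (uint32_t src = 1; src <= syns; src++) {
        struct src_node *sn = insert_src_node(src);
        map_addr(src, &sn, skip_if_known);
    }
    return lookups;
}

int main(void)
{
    unsigned long before = simulate(1000, 0), after = simulate(1000, 1);
    printf("1000 SYNs: %lu lookups before, %lu after\n", before, after);
    return 0;
}
```

Under a flood of SYNs from distinct sources every packet creates a state, so the redundant search doubles the per-packet cost on this path, which is the 2x figure in How-To-Repeat.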
Comment 1 Gleb Smirnoff 2013-12-25 01:33:01 UTC
Responsible Changed
From-To: freebsd-bugs->glebius

Grab to not forget it.
Comment 2 Kajetan Staszkiewicz 2014-08-15 14:04:54 UTC
Created attachment 145818
Version updated for latest changes in 183997.

In pf_map_addr don't lookup src_if it is given. In pf_create_state don't give NULL node to pf_map_addr as it is known.
Comment 3 commit-hook 2014-08-15 14:17:08 UTC
A commit references this bug:

Author: glebius
Date: Fri Aug 15 14:16:09 UTC 2014
New revision: 270023
URL: http://svnweb.freebsd.org/changeset/base/270023

Log:
  Do not lookup source node twice when pf_map_addr() is used.

  PR: 184003
  Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by: InnoGames GmbH

Changes:
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_lb.c
Comment 4 commit-hook 2014-08-25 15:51:28 UTC
A commit references this bug:

Author: glebius
Date: Mon Aug 25 15:51:08 UTC 2014
New revision: 270577
URL: http://svnweb.freebsd.org/changeset/base/270577

Log:
  Merge r270023 from head:
  Do not lookup source node twice when pf_map_addr() is used.

  PR: 184003
  Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by: InnoGames GmbH

Changes:
  _U stable/10/
  stable/10/sys/netpfil/pf/pf.c
  stable/10/sys/netpfil/pf/pf_lb.c