Bug 184003

Summary: On state creation src_node is looked up twice.
Product: Base System
Reporter: Kajetan Staszkiewicz <vegeta>
Component: kern
Assignee: Gleb Smirnoff <glebius>
Status: Closed FIXED
Severity: Affects Only Me
CC: vegeta
Priority: Normal
Version: unspecified
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233867
Attachments:
  Description                                    Flags
  file.txt                                       none
  Version updated for latest changes in 183997.  none

Description Kajetan Staszkiewicz 2013-11-15 15:50:00 UTC
When a new state is created, pf_insert_src_node is called, which tries to find an existing src_node or creates a new one if none matching is found. Later, when pf_set_rt_ifp (and pf_map_addr) is called, a search for the src_node is performed again, even though the matching (found or new) src_node is already known.

Fix: Do not call pf_find_src_node in pf_map_addr if source_node is given.

The attached patch is for FreeBSD 10.0-BETA3 and was not yet tested under bigger load, although the same approach works well for FreeBSD 9.1. I can provide the 9.1 patch too if requested.

Patch attached with submission follows:
How-To-Repeat: Have your FreeBSD-based loadbalancer under a SYN DDoS attack, observe 2x more src_node lookups than incoming SYN packets.
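
Added example, not part of the original report and not pf's source code: a simplified user-space C model of the lookup sequence described above, counting hash-chain lookups per new state with and without handing the already-known node to the mapping step. All names (find_src_node, insert_src_node, map_addr, simulate_syns) and the table sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not pf's code. */
#define NBUCKETS 64
#define MAXNODES 256
struct src_node { uint32_t addr; struct src_node *next; };
static struct src_node pool[MAXNODES], *buckets[NBUCKETS];
static size_t used;
static unsigned long lookups;   /* hash-chain walks performed so far */

/* Walk one hash chain; this is the per-packet cost the report counts. */
static struct src_node *find_src_node(uint32_t addr) {
    lookups++;
    for (struct src_node *n = buckets[addr % NBUCKETS]; n != NULL; n = n->next)
        if (n->addr == addr) return n;
    return NULL;
}

/* Find an existing node or create a new one (models the insert step). */
static struct src_node *insert_src_node(uint32_t addr) {
    struct src_node *n = find_src_node(addr);
    if (n != NULL || used == MAXNODES) return n;
    n = &pool[used++];
    n->addr = addr;
    n->next = buckets[addr % NBUCKETS];
    buckets[addr % NBUCKETS] = n;
    return n;
}

/* Address-mapping step: search only when the caller has no node yet. */
static struct src_node *map_addr(uint32_t addr, struct src_node *known) {
    return known != NULL ? known : find_src_node(addr);
}

/* Create state for n SYNs from distinct sources; return total lookups.
 * pass_known_node == 0 models the reported behaviour, 1 models the fix. */
unsigned long simulate_syns(uint32_t n, int pass_known_node) {
    for (size_t i = 0; i < NBUCKETS; i++) buckets[i] = NULL;
    used = 0; lookups = 0;
    for (uint32_t a = 1; a <= n; a++) {
        struct src_node *sn = insert_src_node(a);
        (void)map_addr(a, pass_known_node ? sn : NULL);
    }
    return lookups;
}

int main(void) {
    printf("NULL passed:       %lu lookups\n", simulate_syns(200, 0));
    printf("known node passed: %lu lookups\n", simulate_syns(200, 1));
    return 0;
}
```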
Comment 1 Gleb Smirnoff freebsd_committer 2013-12-25 01:33:01 UTC
Responsible Changed
From-To: freebsd-bugs->glebius

Grab to not forget it.
Comment 2 Kajetan Staszkiewicz 2014-08-15 14:04:54 UTC
Created attachment 145818
Version updated for latest changes in 183997.

In pf_map_addr don't look up src_node if it is given.
In pf_create_state don't give NULL node to pf_map_addr as it is known.
Comment 3 commit-hook freebsd_committer 2014-08-15 14:17:08 UTC
A commit references this bug:

Author: glebius
Date: Fri Aug 15 14:16:09 UTC 2014
New revision: 270023
URL: http://svnweb.freebsd.org/changeset/base/270023

Log:
  Do not lookup source node twice when pf_map_addr() is used.

  PR:		184003
  Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by:	InnoGames GmbH

Changes:
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_lb.c
Comment 4 commit-hook freebsd_committer 2014-08-25 15:51:28 UTC
A commit references this bug:

Author: glebius
Date: Mon Aug 25 15:51:08 UTC 2014
New revision: 270577
URL: http://svnweb.freebsd.org/changeset/base/270577

Log:
  Merge r270023 from head:
    Do not lookup source node twice when pf_map_addr() is used.

    PR:           184003
    Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
    Sponsored by: InnoGames GmbH

Changes:
_U  stable/10/
  stable/10/sys/netpfil/pf/pf.c
  stable/10/sys/netpfil/pf/pf_lb.c