Bug 184003 - On state creation src_node is looked up twice.
Summary: On state creation src_node is looked up twice.
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: Gleb Smirnoff
Reported: 2013-11-15 15:50 UTC by Kajetan Staszkiewicz
Modified: 2018-12-08 14:57 UTC (History)

Attachments
file.txt (4.17 KB, text/plain)
2013-11-15 15:50 UTC, Kajetan Staszkiewicz
Version updated for latest changes in 183997. (2.13 KB, patch)
2014-08-15 14:04 UTC, Kajetan Staszkiewicz

Description Kajetan Staszkiewicz 2013-11-15 15:50:00 UTC
When a new state is created, pf_insert_src_node is called which tries to find an existing src_node or creates a new one if none matching is found. Later, when pf_set_rt_ifp (and pf_map_addr) is called, a search for src_node is performed again, even though matching (found or new) src_node is already known.

Fix: Do not call pf_find_src_node in pf_map_addr if source_node is given.

The attached patch is for FreeBSD 10.0-BETA3 and was not yet tested under bigger load, although the same approach works well for FreeBSD 9.1. I can provide the 9.1 patch too if requested.

Patch attached with submission follows:
How-To-Repeat: Have your FreeBSD-based loadbalancer under a SYN DDoS attack, observe 2x more src_node lookups than incoming SYN packets.
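
The double lookup described in this report, modeled as an added example that is not part of the original report, the attached patch, or FreeBSD's pf code. The hash table, `find_src_node`, `insert_src_node`, `map_addr` and `run` are simplified, hypothetical stand-ins for the roles the report gives to pf_find_src_node, pf_insert_src_node and pf_map_addr; the source addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define NBUCKETS 64
#define POOL 256

/* Simplified model of a source-node table; not pf's real structures. */
struct src_node { uint32_t addr; struct src_node *next; };
static struct src_node *buckets[NBUCKETS];
static struct src_node pool[POOL];
static unsigned pool_used;
static unsigned long lookups;            /* hash-chain searches performed */

/* Search the hash chain for addr; every call is counted. */
static struct src_node *find_src_node(uint32_t addr) {
    lookups++;
    for (struct src_node *n = buckets[addr % NBUCKETS]; n != NULL; n = n->next)
        if (n->addr == addr) return n;
    return NULL;
}

/* Find the node for addr or create it; returns NULL when the pool is full. */
static struct src_node *insert_src_node(uint32_t addr) {
    struct src_node *n = find_src_node(addr);
    if (n == NULL && pool_used < POOL) {
        n = &pool[pool_used++];
        n->addr = addr;
        n->next = buckets[addr % NBUCKETS];
        buckets[addr % NBUCKETS] = n;
    }
    return n;
}

/* Mapping step: search only when the caller did not hand over a node. */
static void map_addr(uint32_t addr, struct src_node **sn) {
    if (*sn == NULL) *sn = find_src_node(addr);
}

/* Create n states from distinct sources and return the number of lookups.
 * pass_known = 0: caller passes NULL (old pattern); 1: passes the known node. */
unsigned long run(unsigned n, int pass_known) {
    for (unsigned i = 0; i < NBUCKETS; i++) buckets[i] = NULL;
    pool_used = 0; lookups = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t addr = 0x0a000000u + i;  /* constructed source address */
        struct src_node *sn = insert_src_node(addr);
        struct src_node *arg = pass_known ? sn : NULL;
        map_addr(addr, &arg);
    }
    return lookups;
}

int main(void) { printf("%lu vs %lu\n", run(200, 0), run(200, 1)); return 0; }
```

When node creation fails (pool exhausted in this model), the caller has no node to pass and the second search still happens, so the saving applies only to states whose source node was found or created.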
Comment 1 Gleb Smirnoff freebsd_committer 2013-12-25 01:33:01 UTC
Responsible Changed
From-To: freebsd-bugs->glebius

Grab to not forget it.
Comment 2 Kajetan Staszkiewicz 2014-08-15 14:04:54 UTC
Created attachment 145818
Version updated for latest changes in 183997.

In pf_map_addr don't lookup src_if it is given.
In pf_create_state don't give NULL node to pf_map_addr as it is known.
Comment 3 commit-hook freebsd_committer 2014-08-15 14:17:08 UTC
A commit references this bug:

Author: glebius
Date: Fri Aug 15 14:16:09 UTC 2014
New revision: 270023
URL: http://svnweb.freebsd.org/changeset/base/270023

Log:
  Do not lookup source node twice when pf_map_addr() is used.

  PR:		184003
  Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by:	InnoGames GmbH

Changes:
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_lb.c
Comment 4 commit-hook freebsd_committer 2014-08-25 15:51:28 UTC
A commit references this bug:

Author: glebius
Date: Mon Aug 25 15:51:08 UTC 2014
New revision: 270577
URL: http://svnweb.freebsd.org/changeset/base/270577

Log:
  Merge r270023 from head:
    Do not lookup source node twice when pf_map_addr() is used.

    PR:           184003
    Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
    Sponsored by: InnoGames GmbH

Changes:
_U  stable/10/
  stable/10/sys/netpfil/pf/pf.c
  stable/10/sys/netpfil/pf/pf_lb.c