From d32fdefcb323fe32d6685bf91f5fd24188103b1e Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Sun, 25 Feb 2024 00:05:03 +0300
Subject: [PATCH] =?utf8?q?=D0=9E=D0=BF=D1=82=D0=B8=D0=BC=D0=B8=D0=B7=D0=B0?=
 =?utf8?q?=D1=86=D0=B8=D1=8F=20=D0=BF=D0=BE=D0=B8=D1=81=D0=BA=D0=B0=20?=
 =?utf8?q?=D0=B2=20libalias?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253912
Ð£ Ð¼ÐµÐ½Ñ Ð±ÑÐ»Ð¾ Ð¼Ð½Ð¾Ð³Ð¾ Ð¿ÑÐ¾Ð±Ð»ÐµÐ¼ Ñ Ð½Ð°Ð³ÑÑÐ·ÐºÐ¾Ð¹ Ð½Ð° CPU Ð² Ð¼Ð¾ÑÐ¼ ipfw:
f8e2e4dfc6870c4dad7e62be9bb02ae9dd73d180. ÐÑÑ Ð¶ÑÑÐºÐ¾ ÑÐ¸Ð»ÑÐ½Ð¾
ÑÐ¿Ð¸ÑÐ°Ð»Ð¾ÑÑ Ð² NAT, Ð° ÑÐ¾ÑÐ½ÐµÐµ libalias ÑÐµÐ°Ð»Ð¸Ð·Ð°ÑÐ¸Ñ, Ð¸ÑÐ¿Ð¾Ð»ÑÐ·ÑÐµÐ¼ÑÑ
Ð² ipfw. Ð¡ÐµÐ³Ð¾Ð´Ð½Ñ ÑÐ½Ð¾Ð²Ð° ÑÐ°Ð·Ð±Ð¸ÑÐ°Ð»ÑÑ Ð²Ð¾ Ð²ÑÑÐ¼ ÑÑÐ¾Ð¼, Ð¸Ð±Ð¾ Ñ Ð¼ÐµÐ½Ñ
Xeon ÑÐ¾Ð²ÑÐµÐ¼ÐµÐ½Ð½ÑÐ¹, Ð° Ñ Ð½ÐµÐ³Ð¾ Ð¿Ð¾Ð»Ð¾Ð²Ð¸Ð½Ð° ÑÐµÑÑÑÑÐ¾Ð² Ð·Ð°Ð½ÑÑÐ° ÑÐµÑÑÑ,
Ð° ÑÐ¾ÑÐ½ÐµÐµ libalias-Ð¾Ð¼.

Ð£Ð²ÐµÑÐµÐ½Ð½ÐµÐµ, ÑÐ¶Ðµ ÑÐµÑÐ»ÐµÐºÑÐ¾ÑÐ½Ð¾ ÑÑÐ°Ð» Ð²Ð²Ð¾Ð´Ð¸Ð» "netstat -Q" (Ð¿ÑÐ¾ÑÐ¼Ð¾ÑÑ Ð¾ÑÐµÑÐµÐ´ÐµÐ¹
netisr (kernel network dispatch service)), "top -aSH" (Ð³Ð´Ðµ Ð²Ð¸Ð´Ð½Ñ
ÐºÐ¾Ð½ÐºÑÐµÑÐ½ÑÐµ ÑÐ´ÐµÑÐ½ÑÐµ Ð¼Ð¾Ð´ÑÐ»Ð¸ Ð¾ÑÐ½Ð¸Ð¼Ð°ÑÑÐ¸Ðµ ÑÐµÑÑÑÑÑ), "vmstat -m" (ÑÐ°Ð·Ð¼ÐµÑ
Ð¿Ð°Ð¼ÑÑÐ¸ Ð¾ÑÐ²ÐµÐ´ÑÐ½Ð½Ð¾Ð¹ Ð´Ð»Ñ libalias ÑÐ°Ð¼ Ð²Ð¸Ð´ÐµÐ½), "vmstat -i" (Ð²Ð¸Ð´ÐµÑÑ
ÑÐ°ÑÐ¿ÑÐµÐ´ÐµÐ»ÐµÐ½Ð¸Ñ Ð¿ÑÐµÑÑÐ²Ð°Ð½Ð¸Ð¹ Ð¿Ð¾ ÑÐ´ÑÐ°Ð¼).

ÐÑÑÐ°ÑÐ»ÑÑ ÑÐ¶Ðµ, Ð¸Ð±Ð¾ Ð²ÑÑÐ¾Ð´Ð¸Ð»Ð¾ ÑÐ°Ðº, ÑÑÐ¾ Ð²Ð¾Ñ Ð½Ñ Ð½Ð¸ Ð¼Ð¾Ð¶ÐµÑ FreeBSD Ð²ÑÐ¶Ð°ÑÑ NAT
Ð´Ð»Ñ 100Mbps Ð¸Ð½ÑÐµÑÑÐµÐ¹ÑÐ°, Ð·Ð° ÐºÐ¾ÑÐ¾ÑÑÐ¼ Ð²ÑÐµÐ³Ð¾ 1.5 Ð¼Ð°ÑÐ¸Ð½Ñ Ð¿Ð¾ ÑÑÑÐ¸ (Ð¾Ð´Ð½Ð° Ñ
BitTorrent Ð°ÐºÑÐ¸Ð²Ð½ÑÐ¼, Ð° Ð²ÑÐ¾ÑÐ°Ñ ÑÑÐ¾ Ð¼Ð¾Ð¹ ÐºÐ¾Ð¼Ð¿ÑÑÑÐµÑ, Ð¸Ð½Ð¾Ð³Ð´Ð° ÑÐ°ÑÐ°Ð¼Ð¸ Ð½Ð¸ÑÐµÐ³Ð¾ Ð½Ðµ
Ð´ÑÑÐ³Ð°ÑÑÐµÐ³Ð¾ Ð¸Ð· IPv4 ÐÐ½ÑÐµÑÐ½ÐµÑÐ°).

ÐÐ¾ Ð½Ð°ÑÑÐ»ÑÑ bug Ð¿Ð¾ ÑÑÑÐ»ÐºÐµ, Ñ Ð¿Ð°ÑÑÐµÐ¼, ÑÐ¾Ð·Ð´Ð°Ð½Ð½ÑÐ¹ ÐµÑÑ Ð¿Ð°ÑÑ Ð»ÐµÑ Ð½Ð°Ð·Ð°Ð´. Ð
Ð½Ð¸ÐºÑÐ¾ ÐµÐ³Ð¾ Ð½Ðµ Ð¼ÑÑÐ¶Ð¸Ñ Ð½Ð¸ÐºÑÐ´Ð°. ÐÑÐ¾ÑÐ»Ð¾ Ð¿Ð°ÑÐ° ÑÐ°ÑÐ¾Ð² -- Ð¿Ð¾Ð»ÑÑ Ð¾ÑÐ»Ð¸ÑÐ½ÐµÐ¹ÑÐ¸Ð¹. ÐÐ°
Ð¿ÑÐ¾ÑÐµÑÑÐ¾ÑÐµ ÑÐ¼ÐµÑÐ¾ÑÐ²Ð¾ÑÐ½ÑÐµ Ð½ÐµÑÐºÐ¾Ð»ÑÐºÐ¾ Ð¿ÑÐ¾ÑÐµÐ½ÑÐ¾Ð² Ð¾Ð´Ð½Ð¾Ð³Ð¾ ÑÐ´ÑÐ° Ð¼Ð°ÐºÑÐ¸Ð¼ÑÐ¼ ÑÐµÐ¿ÐµÑÑ
(Ð¸ ÑÑÐ¾ firewall, NAT Ð¸ AQM).

    While lookup of outgoing packets uses hash based on both source and
    destination address, for incoming packets only alias address and
    port is used. So when multiple connections from different addresses
    target the same port of redirected address (using redirect_addr or
    redirect_port in IPFW), the link table must be searched sequentially
    - tens of thousand of items for every incoming packet. To make it
    worse, the search is under a lock, so it is forced to run on a
    single core. Consequently just 1000pps from different addresses are
    enough to bring down a server with the fastest CPU available in
    under a minute.

ÐÑÑÐ¼ Ð²Ð¾Ñ ÑÐ¸ÑÑÐ°ÑÐ¸Ñ Ð¸Ð¼ÐµÐ½Ð½Ð¾ ÐºÐ°Ðº Ñ Ð¼ÐµÐ½Ñ, ÑÐ¾ÑÑ-Ð²-ÑÐ¾ÑÑ. Ð Ð²ÐµÐ´Ñ ÑÐ°Ð¼Ð°Ñ Ð¾Ð±ÑÑÐ½Ð°Ñ
Ð±Ð°Ð½Ð°Ð»ÑÐ½Ð°Ñ Ð´Ð¾Ð¼Ð°ÑÐ½ÑÑ. ÐÐ°Ðº-Ð±ÑÐ´ÑÐ¾ ÐºÑÐ°Ð¹Ð½Ðµ ÑÐµÐ´ÐºÐ¾ Ð¸ Ð¼Ð°Ð»Ð¾ ÐºÑÐ¾ Ñ Ð½ÐµÐ¹ Ð²ÑÑÑÐµÑÐ°ÐµÑÑÑ.
ÐÐ¾Ñ ÑÑÑ ÑÐ¾ Ð¸ Ð¼Ð¾Ð¶Ð½Ð¾ Ð±Ñ Ð±ÑÐ»Ð¾ ÑÐºÐ°Ð·Ð°ÑÑ ÑÑÐ¾ FreeBSD Ð½Ðµ Ð´Ð»Ñ Ð´Ð¾Ð¼Ð°. ÐÐ¾ Ð½ÐµÑ,
Ð²ÑÐµÐ³Ð¾ ÑÐ¾ Ð¼Ð°Ð»ÐµÐ½ÑÐºÐ¸Ð¹ Ð¿Ð°ÑÑÐ¸Ðº Ð½ÑÐ¶ÐµÐ½.
-- 
2.51.0