From: Zoltan Nagy <kirk@elte.hu>
To: netfilter@lists.netfilter.org
Subject: kernel freeze issue
Date: Wed, 02 Nov 2005 21:45:45 +0100
Message-ID: <43692579.8000807@elte.hu>


summary of current configuration:

           +----- ext_if(eth1) 3c905TX ------ 34Mbit uplink
           |
           |
           |
         +------------+
         |   filter   +
         +------------+
           |  |  |
           |  |  +--- lan_if(eth5) rtl8169 - vlan1 ------ users/servers
           |  |
           |  +------ adm_if(eth0) 3c905TX - vlan2 ------ log server
           |
           +--------- core_if(eth3) 3c940
                      +inp_if(eth3.3)      - vlan 3  +
                      +out_if(eth3.4)      - vlan 4  +
                                                     |
                                                     |(cross-link cable)
                                                     |
               +------ core_if(eth0) 3c940 ----------+
               |
         +-----------+
         |    foo    +
         +-----------+
               |
               +------ adm_if(eth1) rtl8139 - vlan2


filter:
	arp proxy based
	route		-	policy routing - between local-domain1(C),local-domain2(2*C),uplink,foo(on failover this is skipped)
	packet filter(netfilter)
				-	traffic accounting(ipt_account),flood/portscan protection
				-	packet filter
				-	TTL inc
				-	ipsets for extra port configurations
				-	ipt_condition(failover control)
				-	we have 2 domains so it sends redirects for the hosts spoofing that it's our router(ipt_IPALTER)
foo:
	not configured because of the freezes...

problem:
	filter freezes at random intervals(30m - 6day) - on-board watchdog(i8xx) reboots the system
	i've tried many things, removed my custom patches...but it won't help ;)
	in the last kernel trace i've seen(i've a blurry image)
	the kernel removes some packages from the boomerang interface
	ip_rcv_finish, etc..
	ipt_do_table is the last in the call trace...

notice:
	crash happens when many of our beloved users use p2p software(this is also a tip)

next try:
	place a cisco to monitor ext_if and lan_if with tcpdump, open another file every 10m
	and when filter freezes i may have the packet that caused the freeze
	(small chance - but possible ;)

my tips were:
	ipt_condition	-	in pom it's <2.6.0 but i've read the code, and i think it's safe to use
	ipt_IPALTER	-	w/o it also freezes, so this isn't the problem
	ipset		-	i've a small patch on it...to enable inverted portmaps, i think it's safe
				i use portmap,ipmap,macipmap from it
	NAPI		-	yesterday i disabled it...since then no freezes
	ipt_TCPMSS	-	it wrote some warnings in dmesg, about packet size<64 - i've moved another rule before it
				-p tcp --tcp-option ! 2    -j DROP
	boomerang	-	maybe the driver is a bit broken
	pom_patches	-	TTL set connmark CONNMARK account condition limit
	SMP		-	maybe, i haven't disabled it yet

today's surprise:
	ip l s eth0 promisc on	==> freeze, without any trace ;)

versions:
Linux filter 2.6.14-alt #5 SMP Tue Nov 8 16:40:49 CET 2005 i686 GNU/Linux
iptables-1.3.4
pom-20051031
ipset-2.2.6

some info about the system can be downloaded from
http://152.66.235.5/info-filter.tgz
this is my worst nightmare, any suggestions? ;)


