* [BUG] 2.6.33.2-rt13 and iptables
@ 2010-04-25 17:55 FC
2010-04-27 8:13 ` Thomas Gleixner
0 siblings, 1 reply; 3+ messages in thread
From: FC @ 2010-04-25 17:55 UTC (permalink / raw)
To: linux-rt-users
- Updated Debian SID x86 32 bit
- kernel 2.6.33.2-rt13
- iptables v1.4.6
I've experimented some problems while displaying processed packets by
iptables ( iptables -L -n -v ). The output displays a large number of
processed packets with a very low network activity in my LAN ( max 1
hundred of packets delivered )
A sample output obtained after loading iptables rules and quite
immediately running iptables -L -n -v
Chain bad_packets (1 references)
pkts bytes target prot opt in out source destination
8600M 15024815T LOG all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP '
15024815T 15066474T DROP all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
13777492T 15024815T bad_tcp_packets tcp -- * * 0.0.0.0/0
0.0.0.0/0
1337099T 7793M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (1 references)
pkts bytes target prot opt in out source destination
4295M 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix
`fp=bad_tcp_packets:1 a=DROP '
41659T 288230T DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02 state NEW
41659T 257832T LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix
`fp=bad_tcp_packets:2 a=DROP '
41659T 144115T DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x00
41659T 352428T LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix
`fp=bad_tcp_packets:3 a=DROP '
72059T 13835076T DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x3F
72059T 15024832T LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix
`fp=bad_tcp_packets:4 a=DROP '
113717T 72074T DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x29
72059T 155G LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5
a=DROP '
3498M 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x3F/0x37
0 15T LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6
a=DROP '
72059T 4305M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x06
15024815T 8600M LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x03/0x03 LOG flags 0 level 4 prefix
`fp=bad_tcp_packets:7 a=DROP '
15024815T 15024815T DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x03/0x03
15066474T 15782 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
The problem doesn't occur with other kernels ( vanilla 2.6.33.2 ,
2.6.33-zen1 ) and the number of processed packets is displayed correctly.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [BUG] 2.6.33.2-rt13 and iptables 2010-04-25 17:55 [BUG] 2.6.33.2-rt13 and iptables FC @ 2010-04-27 8:13 ` Thomas Gleixner 2010-04-27 17:03 ` FC 0 siblings, 1 reply; 3+ messages in thread From: Thomas Gleixner @ 2010-04-27 8:13 UTC (permalink / raw) To: FC; +Cc: linux-rt-users On Sun, 25 Apr 2010, FC wrote: > - Updated Debian SID x86 32 bit > - kernel 2.6.33.2-rt13 > - iptables v1.4.6 > > I've experimented some problems while displaying processed packets by > iptables ( iptables -L -n -v ). The output displays a large number of > processed packets with a very low network activity in my LAN ( max 1 hundred > of packets delivered ) > > A sample output obtained after loading iptables rules and quite immediately > running iptables -L -n -v Can you please test the patch below on top of -rt ? Thanks, tglx ----------> Subject: net-fix-iptables-fallout.patch From: Thomas Gleixner <tglx@linutronix.de> Date: Tue, 27 Apr 2010 10:05:28 +0200 Signed-off-by: Thomas Gleixner <tglx@linutronix.de> --- net/ipv4/netfilter/ip_tables.c | 9 +++++---- net/ipv6/netfilter/ip6_tables.c | 10 +++++----- 2 files changed, 10 insertions(+), 9 deletions(-) Index: linux-2.6-tip/net/ipv4/netfilter/ip_tables.c =================================================================== --- linux-2.6-tip.orig/net/ipv4/netfilter/ip_tables.c +++ linux-2.6-tip/net/ipv4/netfilter/ip_tables.c @@ -907,7 +907,7 @@ get_counters(const struct xt_table_info { unsigned int cpu; unsigned int i; - unsigned int curcpu = NR_CPUS; + unsigned int curcpu; /* Instead of clearing (by a previous call to memset()) * the counters and using adds, we set the counters @@ -917,16 +917,17 @@ get_counters(const struct xt_table_info * if new softirq were to run and call ipt_do_table */ local_bh_disable(); -#ifndef CONFIG_PREEMPT_RT - curcpu = smp_processor_id(); + curcpu = raw_smp_processor_id(); i = 0; + xt_info_wrlock(curcpu); IPT_ENTRY_ITERATE(t->entries[curcpu], t->size, set_entry_to_counter, counters, &i); -#endif + xt_info_wrunlock(curcpu); + for_each_possible_cpu(cpu) { if (cpu == curcpu) continue; Index: linux-2.6-tip/net/ipv6/netfilter/ip6_tables.c =================================================================== --- linux-2.6-tip.orig/net/ipv6/netfilter/ip6_tables.c +++ linux-2.6-tip/net/ipv6/netfilter/ip6_tables.c @@ -939,7 +939,7 @@ get_counters(const struct xt_table_info { unsigned int cpu; unsigned int i; - unsigned int curcpu = NR_CPUS; + unsigned int curcpu; /* Instead of clearing (by a previous call to memset()) * the counters and using adds, we set the counters @@ -949,17 +949,17 @@ get_counters(const struct xt_table_info * if new softirq were to run and call ipt_do_table */ local_bh_disable(); ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [BUG] 2.6.33.2-rt13 and iptables 2010-04-27 8:13 ` Thomas Gleixner @ 2010-04-27 17:03 ` FC 0 siblings, 0 replies; 3+ messages in thread From: FC @ 2010-04-27 17:03 UTC (permalink / raw) To: linux-rt-users On 27/04/2010 10:13, Thomas Gleixner wrote: > On Sun, 25 Apr 2010, FC wrote: > >> - Updated Debian SID x86 32 bit >> - kernel 2.6.33.2-rt13 >> - iptables v1.4.6 >> >> I've experimented some problems while displaying processed packets by >> iptables ( iptables -L -n -v ). The output displays a large number of >> processed packets with a very low network activity in my LAN ( max 1 hundred >> of packets delivered ) >> >> A sample output obtained after loading iptables rules and quite immediately >> running iptables -L -n -v > > Can you please test the patch below on top of -rt ? > > Thanks, > > tglx > The problem doesn't occur with kernel 2.6.33.3-rt14 which includes your patch. The same sample output displayed under the same conditions ( loading rules , typing iptables -L -n -v ) Chain bad_packets (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP ' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 316 21488 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0 317 21635 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain bad_tcp_packets (1 references) pkts bytes target prot opt in out source destination 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=bad_tcp_packets:1 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:2 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=bad_tcp_packets:3 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:4 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:7 a=DROP ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 316 21488 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-04-27 17:03 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-04-25 17:55 [BUG] 2.6.33.2-rt13 and iptables FC 2010-04-27 8:13 ` Thomas Gleixner 2010-04-27 17:03 ` FC
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).