iptables bug (was: Re: 2.6.12-mm1)

iptables bug (was: Re: 2.6.12-mm1)

[Andrew Morton]

"J.A. Magallon" <jamagallon@able.es> wrote:
>
> 
> On 06.20, Andrew Morton wrote:
> > 
> > ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.12/2.6.12-mm1/
> > 
> > 
> > - Someone broke /proc/device-tree on ppc64.  It's being looked into.
> > 
> > - Nothing particularly special here - various fixes and updates.
> > 
> 
> Are there any known problems with iptables ?

Let's cc the appropriate list and find out ;)

> I see strange things.
> When I use bittorrent (azureus or bittorrent-gui), at the same time as
> iptables (for nat and internet access for my ibook), when I stop a download
> or exit from one of this apps my external network goes down. 
> I have tried the same without iptables loaded and it works fine.
> 
> If someone has any idea about this, I could give more details.
> 
> Kernel: every -mm since time ago.
> External net: 1Mb cable through 3c59x, dhcp
> Internal net: e1000
> Iptables setup:
> # Generated by iptables-save v1.2.9 on Thu Mar  3 23:41:02 2005
> *nat
> :PREROUTING ACCEPT [2:156]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> [0:0] -A POSTROUTING -o eth0 -j MASQUERADE 
> COMMIT
> # Completed on Thu Mar  3 23:41:02 2005
> # Generated by iptables-save v1.2.9 on Thu Mar  3 23:41:02 2005
> *filter
> :INPUT ACCEPT [6:468]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> [0:0] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> [0:0] -A FORWARD -i eth1 -o eth0 -j ACCEPT 
> [0:0] -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> [0:0] -A FORWARD -i eth2 -o eth0 -j ACCEPT 
> [0:0] -A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> [0:0] -A FORWARD -i eth3 -o eth0 -j ACCEPT 
> COMMIT
> # Completed on Thu Mar  3 23:41:02 2005
> 
> eth's:
> alias eth0 3c59x
> alias eth1 e1000
> alias eth2 ne2k-pci
> alias eth3 eth1394
> 
> eth2 and eth3 are currently down, not even the module is loaded.
> 
> Any idea ?
> 
> --
> J.A. Magallon <jamagallon()able!es>     \               Software is like sex:
> werewolf!able!es                         \         It's better when it's free
> Mandriva Linux release 2006.0 (Cooker) for i586
> Linux 2.6.12-jam1 (gcc 4.0.1 (4.0.1-0.2mdk for Mandriva Linux release 2006.0))
> 

Re: iptables bug

[Patrick McHardy]

Andrew Morton wrote:
> "J.A. Magallon" <jamagallon@able.es> wrote:
> 
>>Are there any known problems with iptables ?

No known problems.

>>I see strange things.
>>When I use bittorrent (azureus or bittorrent-gui), at the same time as
>>iptables (for nat and internet access for my ibook), when I stop a download
>>or exit from one of this apps my external network goes down. 
>>I have tried the same without iptables loaded and it works fine.

What exactly do you mean with "network goes down"? Can you find out
where the packets disappear? Do they silently disappear, or do you get
an error code from sendmsg? What about received packets?

Regards
Patrick

Re: iptables bug

[Stephen Jones]

Patrick McHardy wrote:
> Andrew Morton wrote:
> 
>>"J.A. Magallon" <jamagallon@able.es> wrote:
>>
>>
>>>Are there any known problems with iptables ?
> 
> 
> No known problems.
> 
> 
>>>I see strange things.
>>>When I use bittorrent (azureus or bittorrent-gui), at the same time as
>>>iptables (for nat and internet access for my ibook), when I stop a download
>>>or exit from one of this apps my external network goes down. 
>>>I have tried the same without iptables loaded and it works fine.

I have observed this behavior on multiple machines, but I don't think it 
is specifically an iptables "bug" or kernel "bug".  Most of my 
experience is with 2.4.x kernels, so I can't remark about the 2.6.x series.

The original poster didn't give enough info for me to correlate anything 
with conviction, but, consulting the tea leaves :D I would venture to 
guess that the machine that has the network "go down" has less than 128 
MB of RAM and is probably running lower end NICs (i.e. 8139too).

There appears to be two or three issues interacting with one another in 
these scenarios:

a.) The various Bit Torrent clients and their ilk can generate a 
staggering number of conncurrent connections.  This can quickly fill the 
conntracks on machines with little RAM and cause problems.

b.) The lower end nics (either the hardware itself, or the drivers, I 
don't know enough about how to isolate the two) do not appear to be able 
to handle the massive number of interrupts that are generated in this 
scenario.

c.) The problem is more likely to manifest on  "fat pipe" connections (6 
MB +)

I would also wager the problem goes away if the torrent clients are shut 
down.

I would look there, if I hade the skills requried to tease out anything 
useful :D

Various linux based firewall forums have posts describing the same 
behavior as the OP of this thread.

Here is one relatively recent example:

http://community.smoothwall.org/forum/viewtopic.php?p=43812#43812

I hope that helps in some way!

> 
> 
> What exactly do you mean with "network goes down"? Can you find out
> where the packets disappear? Do they silently disappear, or do you get
> an error code from sendmsg? What about received packets?
> 
> Regards
> Patrick
> 
> 
> 

Re: iptables bug

[Patrick McHardy]

Stephen Jones wrote:
>>> "J.A. Magallon" <jamagallon@able.es> wrote:
>>>
>>>> I see strange things.
>>>> When I use bittorrent (azureus or bittorrent-gui), at the same time as
>>>> iptables (for nat and internet access for my ibook), when I stop a
>>>> download
>>>> or exit from one of this apps my external network goes down. I have
>>>> tried the same without iptables loaded and it works fine.
> 
> Various linux based firewall forums have posts describing the same
> behavior as the OP of this thread.
> 
> Here is one relatively recent example:
> 
> http://community.smoothwall.org/forum/viewtopic.php?p=43812#43812

The report seems rather inconclusive, I would appreciate it if the
original poster could narrow down the problem.

Regards
Patrick