Linux Netfilter discussions
From: Zoltan Nagy <kirk@elte.hu>
To: netfilter@lists.netfilter.org
Subject: kernel freeze issue
Date: Wed, 02 Nov 2005 21:45:45 +0100
Message-ID: <43692579.8000807@elte.hu>


summary of current configuration:

           +----- ext_if(eth1) 3c905TX ------ 34Mbit uplink
           |
           |
           |
         +------------+
         |   filter   +
         +------------+
           |  |  |
           |  |  +--- lan_if(eth5) rtl8169 - vlan1 ------ users/servers
           |  |
           |  +------ adm_if(eth0) 3c905TX - vlan2 ------ log server
           |
           +--------- core_if(eth3) 3c940
                      +inp_if(eth3.3)      - vlan 3  +
                      +out_if(eth3.4)      - vlan 4  +
                                                     |
                                                     |(cross-link cable)
                                                     |
               +------ core_if(eth0) 3c940 ----------+
               |
         +-----------+
         |    foo    +
         +-----------+
               |
               +------ adm_if(eth1) rtl8139 - vlan2


filter:
	arp proxy based
	route		-	policy routing - between local-domain1(C),local-domain2(2*C),uplink,foo(on failover this skipped)
	packet filter(netfilter)
				-	traffic accounting(ipt_account),flood/portscan protection
				-	packet filter
				-	TTL inc
				-	ipsets for extra port configurations
				-	ipt_condition(failover control)
				-	we have 2 domains so it sends redirects for the hosts spoofing that it's our router(ipt_IPALTER)
foo:
	not configured because of the freezes...

problem:
	filter freezes at random intervals(30m - 6day) - on-board watchdog(i8xx) reboots the system
	i've tried many things, removed my custom patches...but it won't help ;)
	in the kernel trace i've last seen(i've a blurry image)
	the kernel removes some packages from the boomerang interface
	ip_rcv_finish, etc..
	ipt_do_table is the last in the call trace...

notice:
	crash happens when many of our beloved users use p2p software(this is also a tip)

next try:
	place a cisco to monitor ext_if and lan_if with tcpdump, open another file every 10m
	and when filter freezes i may have the packet that caused the freeze
	(small chance - but possible ;)

my tips were:
	ipt_condition	-	in pom it's <2.6.0 but i've read the code, and i think it's safe to use
	ipt_IPALTER	-	w/o it also freezes, so this isn't the problem
	ipset		-	i've a small patch on it...to enable inverted portmaps, i think it's safe
					i use portmap,ipmap,macipmap from it
	NAPI			-	yesterday i disabled it...since then no freezes
	ipt_TCPMSS	-	it wrote some warnings in dmesg, about packet size<64 - i've moved another rule before it
						 -p tcp --tcp-option ! 2    -j DROP
	boomerang		-	maybe the driver is a bit broken
	pom_patches	-	TTL set connmark CONNMARK account condition limit
	SMP			-	maybe, i haven't disabled it yet

today's surprise:
	ip l s eth0 promisc on	==> freeze, without any trace ;)

versions:
Linux filter 2.6.14-alt #5 SMP Tue Nov 8 16:40:49 CET 2005 i686 GNU/Linux
iptables-1.3.4
pom-20051031
ipset-2.2.6

some info about the system can be downloaded from
http://152.66.235.5/info-filter.tgz
this is my worst nightmare, any suggestions? ;)


