ipp2p segfault with kernel 2.6.24.7

ipp2p segfault with kernel 2.6.24.7

[SŽébastien Cramatte]

Hello

I've build latest IPP2P with  kernel 2.6.24.7 and iptables 4.0
When I try to use it I have a "segmentation fault" :

#strace iptables -t mangle -A QOS_eth1 -m ipp2p --edk
execve("/usr/local/sbin/iptables", ["iptables", "-t", "mangle", "-A", 
"QOS_eth1", "-m", "ipp2p", "--edk"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8055000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or 
directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0x37f70000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or 
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9698, ...}) = 0
mmap2(NULL, 9698, PROT_READ, MAP_PRIVATE, 3, 0) = 0x37f6d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or 
directory)
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\000"..., 
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9684, ...}) = 0
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) 
= 0x37f69000
mmap2(0x37f6b000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x37f6b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or 
directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1"..., 
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1257708, ...}) = 0
mmap2(NULL, 1263216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x37e34000
mmap2(0x37f63000, 12288, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12f) = 0x37f63000
mmap2(0x37f66000, 9840, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f66000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0x37e33000
set_thread_area({entry_number:-1 -> 6, base_addr:0x37e33ad0, 
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, 
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0x37f63000, 4096, PROT_READ)   = 0
munmap(0x37f6d000, 9698)                = 0
brk(0)                                  = 0x8055000
brk(0x8076000)                          = 0x8076000
open("/usr/local/lib/iptables/libxt_ipp2p.so", O_RDONLY) = -1 ENOENT (No 
such file or directory)
open("/usr/local/lib/iptables/libipt_ipp2p.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\4\0"..., 
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=11554, ...}) = 0
mmap2(NULL, 11252, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) 
= 0x37f6d000
mmap2(0x37f6f000, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x37f6f000
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++


Thank you for your help.

Re: ipp2p segfault with kernel 2.6.24.7

[Jan Engelhardt]

On Friday 2008-06-06 23:16, S?ébastien Cramatte wrote:

> Hello
>
> I've build latest IPP2P with  kernel 2.6.24.7 and iptables 4.0
> When I try to use it I have a "segmentation fault" :

What steps did you take to compile it?

Re: ipp2p segfault with kernel 2.6.24.7

[SŽébastien Cramatte]

Jan Engelhardt escribió:
> On Friday 2008-06-06 23:16, S?ébastien Cramatte wrote:
>
>   
>> Hello
>>
>> I've build latest IPP2P with  kernel 2.6.24.7 and iptables 4.0
>> When I try to use it I have a "segmentation fault" :
>>     
>
> What steps did you take to compile it?
>
>   
Hello

I'm use  set of patches from http://linuxbox.pl/index.php?go=kernel
These patches are quite up to date ...

I've just do  a  "make menuconfig"  and I  use debian  make-kpkg  tools 
to build the kernel package.
Note that I use  Debian Lenny  (testing) with gcc version 4.2.4

I customised the kernel for a traffic manager with minimal required 
hardware drivers and all available netfilter modules.
I haven't test in depth all others plugins but l7filter works well

If you need any other kind of informations please tell me !
Regards

Re: ipp2p segfault with kernel 2.6.24.7

[Jan Engelhardt]

On Saturday 2008-06-07 00:33, S?ébastien Cramatte wrote:
>> >
>> > I've build latest IPP2P with  kernel 2.6.24.7 and iptables 4.0
>> > When I try to use it I have a "segmentation fault" :
>>
>> What steps did you take to compile it?
>
> I'm use  set of patches from http://linuxbox.pl/index.php?go=kernel
> These patches are quite up to date ...

That page has not been updated in a long time. Not only does it use
the legacy patchomatic, which is largely superseded now, but also
references "projekty subversion"; a few things have gone into
mainline, many others into Xtables-addons, including ipp2p:
http://lwn.net/Articles/277804/

Re: ipp2p segfault with kernel 2.6.24.7

[SŽébastien Cramatte]

Jan Engelhardt escribió:
> On Saturday 2008-06-07 00:33, S?ébastien Cramatte wrote:
>   
>>>> I've build latest IPP2P with  kernel 2.6.24.7 and iptables 4.0
>>>> When I try to use it I have a "segmentation fault" :
>>>>         
>>> What steps did you take to compile it?
>>>       
>> I'm use  set of patches from http://linuxbox.pl/index.php?go=kernel
>> These patches are quite up to date ...
>>     
>
> That page has not been updated in a long time. Not only does it use
> the legacy patchomatic, which is largely superseded now, but also
> references "projekty subversion"; a few things have gone into
> mainline, many others into Xtables-addons, including ipp2p:
> http://lwn.net/Articles/277804/
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   
Thank your for your answer

I've downloaded the lastest 2.6.25.5 kernel  and applied  l7-filter patch.
I must build a debian kernel package  and  xtables-addons  seems doesn't 
act  as a patch ... 
so  I  don't know how can I  include it  in my main kernel package. 

I will take a look in depth to see how can I achieve this.

Regards

Re: ipp2p segfault with kernel 2.6.24.7

[Jan Engelhardt]

On Saturday 2008-06-07 09:30, S?ébastien Cramatte wrote:
>>   
> Thank your for your answer
>
> I've downloaded the lastest 2.6.25.5 kernel  and applied  l7-filter
> patch. I must build a debian kernel package and xtables-addons
> seems doesn't act as a patch ...

Well is not that wonderful - running it without patching
or recompiling the kernel!

> so I don't know how can I include
> it in my main kernel package.  I will take a look in depth to see
> how can I achieve this.

It builds as external modules, much like ati/nvidia/madwifi,
and works for a large range of older kernels, down to 2.6.18.5.

how to use eficiently CLASSIFY, MARK, CONNMARK, CONNLIMIT ?

[SŽébastien Cramatte]

Hello


I've build a traffic shapper base on debian lenny with 2.6.24 customised 
kernel.
I'm not sure that the netfilter list is appropiate  for get an answer  
so  I will post this on LARTC mailing list.

I'm searching more information  about CLASSIFY and MARK and CONNMARK. 
I'm not sure to understand everything !

I've got various doubts  :

- What achieve exactly CLASSIFY vs MARK.   Because  seems that  you can 
have   "-j CLASSIFY --set-mark" or  "-j CLASSIFY --set-class"   ? isn't it ?
So What is the exact difference between  CLASSIFY and MARK ?  CLASSIFY 
target  can "classify" and "mark"  and MARK just "mark"  ?

- Should I use CONNMARK  to optimise matching on an heavy loaded traffic 
shapper ?

-  In the example code bellow I've classified VoIP traffic using another 
custom chain  (QOS_out_voip ...)   and p2p directly. Which method give 
best performance ?
Make a jump through another custom chain may slowdown  matching ?  I 
will prefer to use a custom chain  but performance  is the first ...  My 
traffic shapper must
support  90Mbits of bandwith with  20000 packets/s

-  I would like to limit to 4096 P2P connection foreach  IP. Does it 
relevant to use a rule  like this :   ...  --connlimit-mask 32  
--connlimit-above 4096  --jump drop  ?

Please take a look to my example and give me some feedback.


MY SCENARIO

1) My box is setup as transparent bridge as this 


eth0/LAN  -------------------   eth1/WAN
-------------- |   SHAPPER  | -------------
                   -------------------
                            br0

2) I've setup  various HTB qdisc and classes to matches my need :

for eth0 (download)

1:  root
1:10    main
1:100  icmp
1:200  interactive
1:300  voip
1:400  web
1:500  bulk

... and for eth1  (upload)

2: root
2:10 main
2:100 icmp
...


2) I've created two CUSTOM chains  to get  outgoing traffic (egress) of 
each interfaces

IPTABLES=/usr/local/sbin/iptables

${IPTABLES} --table mangle --new QOS_in
${IPTABLES} --table mangle --append POSTROUTING --out-interface br0 --match physdev --physdev-out eth0 --jump QOS_in

...

${IPTABLES} --table mangle --new QOS_out
${IPTABLES} --table mangle --append POSTROUTING --out-interface br0 --match physdev --physdev-out eth1 --jump QOS_out

... 

3) I'm trying to use CONNMARK to

${IPTABLES} --table mangle --append QOS_in --jump CONNMARK --restore-mark
${IPTABLES} --table mangle --append QOS_in --match mark ! --mark 0 -j RETURN

...

#voIP
#(1st way with another custom chain)
 
${IPTABLES} --table mangle --new QOS_out_voip
${IPTABLES} --table mangle --append QOS_out_voip --jump CLASSIFY --set-class 1:300
${IPTABLES} --table mangle --append QOS_out_voip --jump RETURN

${IPTABLES} --table mangle --append QOS_in --match mark --mark 300 --jump QOS_out_voip
${IPTABLES} --table mangle --append QOS_in --match mark --mark 0 --jump MARK --set-mark 300 --match helper --helper sip 
${IPTABLES} --table mangle --append QOS_in --match mark --mark 0 --jump MARK --set-mark 300 --proto tcp --sport 5060 



#p2p 
#(2nd way without use custom chain)

${IPTABLES} --table mangle --append QOS_in --match mark --mark 500 --m connlimit --connlimit-above 4096 --connlimit-mask 32 --jump DROP
${IPTABLES} --table mangle --append QOS_in --match mark --mark 500 --jump CLASSIFY --set-class 1:500
${IPTABLES} --table mangle --append QOS_in --match mark --mark 500 --jump RETURN

${IPTABLES} --table mangle --append QOS_in --match mark --mark 0 --jump MARK --set-mark 500 --match ipp2p --ipp2p
...

${IPTABLES} --table mangle --append QOS_in --jump CONNMARK --save-mark



Thank you for your help