Mailinglist Archive: opensuse-security (485 mails)

Netfilter Bug -- kernel 2.4.20
  • From: Mark Tinka <aknit444@xxxxxxxxx>
  • Date: Fri, 26 Mar 2004 01:01:50 -0800 (PST)
  • Message-id: <20040326090150.11865.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
hi all..

i am preparing to run Squid-2.5 on my SuSE Linux 8.2 Professional server, and i want to run it in transparent mode using the 2.4 kernel WCCP module with a Cisco router...

as i get along, i've noticed a problem with Netfilter -- a bug that causes the automatic redirection of HTTP packets to Squid's 3128 port to hang... this bug has been reported in kernel 2.4.20, and SuSE Linux 8.2 Pro is running kernel 2.4.20-108 (latest update)...

i wonder - has SuSE patched the kernel for this bug?

please see below for the bug report as well as the patch for it...

-------------------------------

Hello, netfilter guys.

We run transparent web caches using ipt_REDIRECT, and after upgrading to 2.4.20, found that the conntrack table overflows after a week or so. Quick examination showed a large number of entries in SYN_SENT state with super long timeouts. The offending change was in include/linux/list.h: list_del() now zeros the prev and next pointers of list_head, which circumvents the is_confirmed() test.

This didn't cause trouble for most conntrack entries, which disappear by timing out. But as our cache was bypassing some of the connections, the machine was seeing only a one-way stream of packets (!IPS_SEEN_REPLY). And when the originating host terminates a bypassed connection by sending out RST packets, the corresponding entry is repeatedly removed from the hash with death_by_timeout() and soon confirmed again, adding jiffies to the expire time every time.

Applying the following patch solved the problem. As I'm not on the list, please CC me any comments regarding this problem. Thank you a lot for the great netfilter.


---
linux-2.4.20-orig/include/linux/netfilter_ipv4/listhelp.h
2003-02-20 16:48:27.000000000 +0900
+++
linux-2.4.20-rmap-pm/include/linux/netfilter_ipv4/listhelp.h
2003-02-20 16:45:30.000000000 +0900
@@ -57,10 +57,13 @@
if (!list_inlist(head, oldentry)) \

printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \

__FILE__, __LINE__, #oldentry, oldentry,
#head); \
- else list_del((struct list_head *)oldentry);
\
+ else __list_del(((struct list_head
*)oldentry)->prev, \
+
((struct list_head *)oldentry)->next); \
} while(0)
#else
-#define LIST_DELETE(head, oldentry) list_del((struct
list_head *)oldentry)
+#define LIST_DELETE(head, oldentry) \
+
__list_del(((struct list_head *)oldentry)->prev, \
+
((struct list_head *)oldentry)->next)
#endif

/* Append. */
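Review bot: both branches of LIST_DELETE now call __list_del() instead of list_del() without a comment saying why, and the reason given in the report (2.4.20's list_del() zeroes prev/next, so is_confirmed() then reports an already-hashed entry as unconfirmed and it gets re-added with a longer expiry) is exactly the kind of subtlety a later cleanup will undo by switching back to list_del(); add a one-line comment above each `__list_del(((struct list_head *)oldentry)->prev, ((struct list_head *)oldentry)->next)` call. That expression is also duplicated verbatim in the debug and non-debug branches, so a single inner macro would keep the two in step. Note too that the unlinked entry now keeps stale prev/next pointers into the hash, so nothing may traverse from it after LIST_DELETE; the underlying fragility is that is_confirmed() infers state from list pointers at all, and recording confirmation in the entry's status flags would remove that dependency entirely.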

------------------------------------

all help appreciated...
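To make the failure mode in the quoted report concrete, here is a small constructed simulation (added here; not kernel code and not part of the original mail) of a one-way, bypassed flow hitting a conntrack entry. It assumes, as the report describes, that is_confirmed() is read off list.next, that confirmation adds jiffies to a relative expiry, and that each RST runs the death_by_timeout() unhash before the packet reaches confirm() again; `patched` selects the __list_del() unlink the patch introduces instead of 2.4.20's zeroing list_del().

```c
#include <stddef.h>

/* Stand-ins for struct list_head and the 2.4.20 list helpers (constructed, not kernel code). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *new, struct list_head *head) {
    new->next = head->next; new->prev = head;
    head->next->prev = new; head->next = new;
}

/* Unlink via the neighbours only; the entry's own pointers stay as they were (what the patch calls). */
static void __list_del(struct list_head *prev, struct list_head *next) { next->prev = prev; prev->next = next; }

/* 2.4.20 list_del(): unlink, then zero the entry's own pointers. */
static void list_del(struct list_head *entry) {
    __list_del(entry->prev, entry->next);
    entry->next = entry->prev = NULL;
}

/* Toy conntrack entry; "confirmed" is inferred from list.next, as the report describes. */
struct ct_entry { struct list_head list; unsigned long expires; };
static int is_confirmed(const struct ct_entry *ct) { return ct->list.next != NULL; }

/* ip_conntrack_confirm() analogue: hash an unconfirmed entry and add jiffies to its relative expiry. */
static void confirm(struct ct_entry *ct, struct list_head *hash, unsigned long jiffies) {
    if (is_confirmed(ct)) return;
    list_add(&ct->list, hash);
    ct->expires += jiffies;
}

/* One-way, bypassed flow: the first packet confirms the entry; each later RST runs the
 * death_by_timeout() unhash and then reaches confirm() again. Returns the final expiry. */
unsigned long simulate(int patched, int rst_packets, unsigned long timeout, unsigned long tick) {
    struct list_head hash; INIT_LIST_HEAD(&hash);
    struct ct_entry ct = { { NULL, NULL }, timeout };   /* fresh entry, relative timeout */
    unsigned long jiffies = tick;
    confirm(&ct, &hash, jiffies);                             /* expires = timeout + tick */
    for (int i = 0; i < rst_packets; i++) {
        jiffies += tick;
        if (patched) __list_del(ct.list.prev, ct.list.next);  /* entry still looks confirmed */
        else         list_del(&ct.list);                      /* next == NULL: looks new again */
        confirm(&ct, &hash, jiffies);                         /* unpatched: expiry grows each RST */
    }
    return ct.expires;
}
```

With timeout 100 and a tick of 10, three RSTs leave the unpatched entry expiring at 200 (jiffies added at every re-confirmation) while the patched one stays at 110; this is the ever-growing timeout the report saw on its SYN_SENT entries.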
