
hi all..

i am preparing to run Squid-2.5 on my SuSE Linux 8.2 Professional server, and i want to run it in transparent mode using the 2.4 kernel WCCP module with a Cisco router...

as i get along, i've noticed a problem with Netfilter -- a bug that causes the automatic redirection of HTTP packets to Squid's 3128 port to hang... this bug has been reported in kernel 2.4.20, and SuSE Linux 8.2 Pro is running kernel 2.4.20-108 (latest update)...

i wonder - has SuSE patched the kernel of this bug..?.. please see below for the bug report as well as the patch for it...

-------------------------------

Hello, netfilter guys.

We run transparent web caches using ipt_REDIRECT, and after upgrading to 2.4.20, found that conntrack table overflows after a week or so.

Quick examination showed a large number of entries in SYN_SENT state with super long timeouts exist.

The offending change was in include/linux/list.h. list_del() now zeros prev and next pointer of list_head, which circumvents is_confirmed() test. This didn't cause troubles to most conntrack entries which disappear by timing out. But as our cache was bypassing some of the connections, the machine was seeing only one way stream of packets (!IPS_SEEN_REPLY). And when the originating host terminates a bypassed connection by sending out RST packets, the corresponding entry is repeatedly removed from hash with death_by_timeout() and soon confirmed again adding jiffies to expire time every time.

Applying the following patch solved the problem.

As I'm not on the list, please CC to me any comments regarding this problem.

Thank you a lot for great netfilter.

--- linux-2.4.20-orig/include/linux/netfilter_ipv4/listhelp.h 2003-02-20 16:48:27.000000000 +0900 +++ linux-2.4.20-rmap-pm/include/linux/netfilter_ipv4/listhelp.h 2003-02-20 16:45:30.000000000 +0900
@@ -57,10 +57,13 @@ if (!list_inlist(head, oldentry)) \ printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \ __FILE__, __LINE__, #oldentry, oldentry, #head); \ - else list_del((struct list_head *)oldentry); \ + else __list_del(((struct list_head *)oldentry)->prev, \ + ((struct list_head *)oldentry)->next); \ } while(0) #else -#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry) +#define LIST_DELETE(head, oldentry) \ + __list_del(((struct list_head *)oldentry)->prev, \ + ((struct list_head *)oldentry)->next) #endif /* Append. */ ------------------------------------ all help appreciated... __________________________________ Do you Yahoo!? Yahoo! Finance Tax Center - File online. File on time. http://taxes.yahoo.com/filing.html
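Review bot: both new LIST_DELETE bodies evaluate `oldentry` twice (once for `->prev`, once for `->next`), where the replaced `list_del((struct list_head *)oldentry)` evaluated it once, so a caller passing an expression with side effects now gets it evaluated twice; assigning it once to a local `struct list_head *` inside the existing `do { ... } while(0)` (and giving the `#else` variant the same `do { } while(0)` shape) avoids that. The more important point is that the fix works precisely because `__list_del()` leaves the removed entry's own `prev`/`next` pointing at its former neighbours, so that `is_confirmed()` keeps seeing non-NULL list pointers; nothing in the hunk says so, so add a comment at the macro explaining why `__list_del()` is used instead of `list_del()`, otherwise a later cleanup is likely to switch it back and reintroduce the remove/re-confirm loop the report describes.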
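To make the mechanism in the quoted report concrete, here is a small user-space model, added here and not code from the original post or from the kernel, of the 2.4 list primitives together with a conntrack-style is_confirmed() check that infers "confirmed" from the hash-list pointer being non-NULL. The names list_del, __list_del and is_confirmed follow the kernel; struct ct_entry, simulate() and the jiffies/timeout arithmetic are simplifications assumed for illustration. Run with the pointer-zeroing list_del, the unlinked entry looks unconfirmed again on every packet and is re-inserted with a fresh timeout each time; run with __list_del, it is confirmed once and then left alone.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-alone model of the 2.4 <linux/list.h> primitives. The names follow
 * the kernel, but this is an illustrative re-implementation, not kernel code. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *entry, struct list_head *head)
{
    entry->next = head->next; entry->prev = head;
    head->next->prev = entry; head->next = entry;
}

/* __list_del(): fix up the neighbours only. The entry's own next/prev keep
 * pointing at its former neighbours, which is what the patch relies on. */
static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev;
    prev->next = next;
}

/* list_del() as changed in 2.4.20: also clears the entry's own pointers. */
static void list_del(struct list_head *entry)
{
    __list_del(entry->prev, entry->next);
    entry->next = NULL;
    entry->prev = NULL;
}

/* Toy conntrack entry (assumed for illustration). As in 2.4 ip_conntrack,
 * "confirmed" is inferred from the hash-list pointer being non-NULL rather
 * than from an explicit status bit. */
struct ct_entry { struct list_head hash_list; unsigned long expires; };

static int is_confirmed(const struct ct_entry *ct)
{
    return ct->hash_list.next != NULL;
}

/* Emulates the loop from the report for one entry that only ever sees
 * one-way traffic: each packet runs the confirm path, after which the
 * entry is unlinked again (death_by_timeout() via LIST_DELETE).
 * zero_on_del selects list_del() (pre-patch) or __list_del() (patched).
 * Returns how many times the entry was (re)confirmed; *expires_out gets
 * the final timeout so the caller can see it being pushed forward. */
static int simulate(int n_packets, int zero_on_del, unsigned long *expires_out)
{
    struct list_head hash;
    struct ct_entry ct = { { NULL, NULL }, 0 };   /* fresh, unconfirmed */
    int confirmations = 0, in_hash = 0;
    unsigned long jiffies = 0;                    /* constructed clock */

    INIT_LIST_HEAD(&hash);
    for (int i = 0; i < n_packets; i++) {
        jiffies += 100;
        /* __ip_conntrack_confirm(): only unconfirmed entries are inserted
         * and given a timeout relative to the current jiffies. */
        if (!is_confirmed(&ct)) {
            list_add(&ct.hash_list, &hash);
            ct.expires = jiffies + 1000;
            in_hash = 1;
            confirmations++;
        }
        /* death_by_timeout(): the entry is taken off the hash again. */
        if (in_hash) {
            if (zero_on_del)
                list_del(&ct.hash_list);
            else
                __list_del(ct.hash_list.prev, ct.hash_list.next);
            in_hash = 0;
        }
    }
    *expires_out = ct.expires;
    return confirmations;
}

/* Convenience wrappers so each result can be checked on its own. */
static int confirm_count(int n_packets, int zero_on_del)
{
    unsigned long unused;
    return simulate(n_packets, zero_on_del, &unused);
}

static unsigned long final_expires(int n_packets, int zero_on_del)
{
    unsigned long expires;
    simulate(n_packets, zero_on_del, &expires);
    return expires;
}

int main(void)
{
    printf("2.4.20 list_del():    confirmed %d times, final expires=%lu\n",
           confirm_count(5, 1), final_expires(5, 1));
    printf("patched __list_del(): confirmed %d times, final expires=%lu\n",
           confirm_count(5, 0), final_expires(5, 0));
    return 0;
}
```

The model deliberately keeps the kernel's design choice of reading confirmation state out of list pointers; the patched macro is a workaround for that choice, and an explicit status bit would remove the dependency on what a list primitive leaves behind in the unlinked node.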

> hi all..
> i am preparing to run Squid-2.5 on my SuSE Linux 8.2 Professional server, and i want to run it in transparent mode using the 2.4 kernel WCCP module with a Cisco router...
> as i get along, i've noticed a problem with Netfilter -- a bug that causes the automatic redirection of HTTP packets to Squid's 3128 port to hang... this bug has been reported in kernel 2.4.20, and SuSE Linux 8.2 Pro is running kernel 2.4.20-108 (latest update)...

My Box: SuSE 8.2

uname -a
Linux <Host> 2.4.20-64GB-SMP

No patch to iptables, redirect int -> 8080 dansguardian -> 3128 squid -> no problem.

We use Cisco routers as well, but no WCCP in our network. Maybe it depends on your WCCP-Patch (http://www.sublime.com.au/squid-wccp/).

Did you download the latest kernel-source update? Did you build kernel with:

make cloneconfig
make dep

to get a copy of the config of the SuSE kernel? This may help configuring the right things.

Normally it's no problem to install your own iptables, with the right kernel config and deps.

> i wonder - has SuSE patched the kernel of this bug..?..

Don't know, but the above works without any change to lkm - no system hangs. If there is a patch then it might be interesting to test this on the SuSE source, if it helps you - maybe try to patch it on your own, you can get the source via onlineupdate or over ftp.

Philippe

--- Philippe Vogel <filiaap@freenet.de> wrote:

> My Box:
> SuSE 8.2 uname -a Linux <Host> 2.4.20-64GB-SMP
> No patch to iptables, redirect int -> 8080 dansguardian -> 3128 squid -> no problem.

i see.. i was just inquiring whether SuSE had found a problem as described by the bug, with regard to Netfilter..

> We use Cisco routers as well, but no WCCP in our network. Maybe it depends on your WCCP-Patch (http://www.sublime.com.au/squid-wccp/).

i haven't yet set up the caching service, i am just getting ready to do that.. i like to read up on all sorts of things before i do.. i've set up a transparent squid cache before, but this was 2 yrs ago, on SuSE Linux 7.2 Pro with kernel 2.2.19-SMP, and using route-maps (not WCCP) on Cisco for transparent redirection..

> Did you download the latest kernel-source update? Did you build kernel with:

i have got it, just prepp'ing the server so i can begin the compilation..

> make cloneconfig
> make dep
>
> to get a copy of the config of the SuSE kernel? This may help configuring the right things.

i see.. good tip.. do u mean i could clone the running config of the pre-installed SuSE kernel, and then add anything else i need before i build..?..

> Normally it's no problem to install your own iptables, with the right kernel config and deps.

this is true..

>> i wonder - has SuSE patched the kernel of this bug..?..
>
> Don't know, but the above works without any change to lkm - no system hangs.

good to know..

> If there is a patch then it might be interesting to test this on the SuSE source, if it helps you - maybe try to patch it on your own, you can get the source via onlineupdate or over ftp.

cheers, thanks..

> Philippe

Regards,
Mark

On 26.03.2004 at 10:01, Mark Tinka wrote:

> We run transparent web caches using ipt_REDIRECT, and after upgrading to 2.4.20, found that conntrack table overflows after a week or so.

There seem to be more issues with the conntrack code introduced with kernels > 2.4.19. We have some systems running SuSE 8.1 (kernel 2.4.21-198) where the conntrack table overflows regardless of its size. In /proc/net/ip_conntrack there are only some entries, but /proc/slabinfo says:

ip_conntrack 12012 12012 320 1001 1001 1 : 124 62

This is after about one week uptime. The number of objects rises constantly and results in an unreachable system sooner or later. As an ugly side-effect, trying to unload the modules gives 100% CPU usage until reset; a clean shutdown is not possible.
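Sven's diagnosis rests on comparing two views of the same objects: the entries that /proc/net/ip_conntrack lists against the live ip_conntrack objects that /proc/slabinfo reports. The check below is an added example, not code from this thread or from the kernel; it parses both files in their 2.4 formats and flags the gap, which is the signal that would have caught the growth he describes well before the table overflowed. Both /proc samples are constructed for the example, not captured from any of the systems discussed, and the slack margin is an assumed tuning value.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a 2.4-era /proc/slabinfo (not real captured output).
 * Columns: cache active_objs num_objs objsize active_slabs num_slabs
 *          pagesperslab : limit batchcount */
static const char sample_slabinfo[] =
    "slabinfo - version: 1.1 (SMP)\n"
    "kmem_cache            80     80    244    5    5    1 :  252  126\n"
    "ip_conntrack       12012  12012    320 1001 1001    1 :  124   62\n"
    "tcp_tw_bucket         30     30    128    1    1    1 :  252  126\n";

/* Constructed sample of /proc/net/ip_conntrack with three listed entries,
 * including one unreplied SYN_SENT entry of the kind the report mentions. */
static const char sample_ct_table[] =
    "tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40321 dport=80 "
    "src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40321 use=1\n"
    "tcp      6 119 SYN_SENT src=192.0.2.11 dst=198.51.100.7 sport=40500 dport=80 "
    "[UNREPLIED] src=198.51.100.7 dst=192.0.2.11 sport=80 dport=40500 use=1\n"
    "udp      17 29 src=192.0.2.12 dst=192.0.2.1 sport=5353 dport=53 "
    "src=192.0.2.1 dst=192.0.2.12 sport=53 dport=5353 use=1\n";

/* Returns active_objs for the named slab cache, or -1 if it is not listed.
 * Each line is copied out first so a malformed line cannot make sscanf
 * read numbers from the following line. */
static long slab_active_objs(const char *slabinfo, const char *cache)
{
    const char *line = slabinfo;
    while (*line) {
        char buf[256], name[64];
        long active, total;
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%63s %ld %ld", name, &active, &total) == 3 &&
            strcmp(name, cache) == 0)
            return active;
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Counts non-empty lines: the entries the conntrack table is able to show. */
static long count_ct_entries(const char *table)
{
    long n = 0;
    for (const char *p = table; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) n++;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Leak heuristic: live ip_conntrack objects that the table does not list are
 * entries nobody can see or expire. Flag when the excess exceeds `slack`, a
 * margin for entries created between reading the two files. */
static int conntrack_leak_suspected(long active_objs, long listed, long slack)
{
    if (active_objs < 0) return 0;   /* cache absent (module not loaded) */
    return active_objs - listed > slack;
}

int main(void)
{
    long active = slab_active_objs(sample_slabinfo, "ip_conntrack");
    long listed = count_ct_entries(sample_ct_table);
    printf("ip_conntrack slab objects: %ld, table entries: %ld -> %s\n",
           active, listed,
           conntrack_leak_suspected(active, listed, 500) ? "LEAK SUSPECTED"
                                                          : "ok");
    return 0;
}
```

On a live 2.4 box the same two functions would be fed the contents of /proc/slabinfo and /proc/net/ip_conntrack; running the comparison from cron and trending the excess over days is what turns Sven's one-week observation into an alert.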

--- "Backhausen, Sven" <sbackhausen@ntcg.de> wrote:

> On 26.03.2004 at 10:01, Mark Tinka wrote:
>
>> We run transparent web caches using ipt_REDIRECT, and after upgrading to 2.4.20, found that conntrack table overflows after a week or so.
>
> There seem to be more issues with the conntrack code introduced with kernels > 2.4.19. We have some systems running SuSE 8.1 (kernel 2.4.21-198) where the conntrack table overflows regardless of its size. In /proc/net/ip_conntrack there are only some entries, but /proc/slabinfo says:
>
> ip_conntrack 12012 12012 320 1001 1001 1 : 124 62
>
> This is after about one week uptime. The number of objects rises constantly and results in an unreachable system sooner or later. As an ugly side-effect, trying to unload the modules gives 100% CPU usage until reset; a clean shutdown is not possible.

now this sounds scary, to say the least.. do u think u would like to try the patch i posted, seeing as u already have experience with the problem..?..

i am yet to install my squid.. i've been running my transparent squid setup with kernel 2.2, hitherto.. moving to 2.4 will be a first for me..

Regards,
Mark.

On 26.03.2004 at 12:25, Mark Tinka wrote:

> now this sounds scary, to say the least.. do u think u would like to try the patch i posted, seeing as u already have experience with the problem..?..

I'll try it when I'm back from vacation on April 5.

Sven