<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - Hard lockup when inserting nft rules (esp. ct rule)"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1082#c3">Comment # 3</a>
on <a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - Hard lockup when inserting nft rules (esp. ct rule)"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1082">bug 1082</a>
from <span class="vcard"><a class="email" href="mailto:larkwang@gmail.com" title="Wang Jian <larkwang@gmail.com>"> <span class="fn">Wang Jian</span></a>
</span></b>
<pre>The following are steps to reproduce. It's different from our production setup,
though.
== network setup
HostB <= ipsec => HostA <= ipsec => HostC
HostA
eth0: 10.2.16.13/24
eth1: 192.168.235.12/24
HostB
eth0: 10.2.16.14/24
eth1: 192.168.234.12/24
HostC
eth0: 10.2.16.18/24
eth1: 192.168.236.12/24
IPsec config
HostA /var/lib/strongswan/ipsec.conf.inc
--snip--
conn %default
ikelifetime=1440m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
conn base
leftid=host-a@peers
left=10.2.16.13
conn host-b
leftsubnet=192.168.235.0/24,192.168.236.0/24
right=10.2.16.14
rightid=host-b@peers
rightsubnet=192.168.234.0/24
also=base
auto=start
dpdaction=restart
keyingtries=%forever
conn host-c
leftsubnet=192.168.235.0/24,192.168.234.0/24
right=10.2.16.18
rightid=host-c@peers
rightsubnet=192.168.236.0/24
also=base
auto=start
dpdaction=restart
keyingtries=%forever
--snip--
HostB /var/lib/strongswan/ipsec.conf.inc
--snip--
conn %default
ikelifetime=1440m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
conn base
leftid=host-b@peers
left=10.2.16.14
conn host-a
leftsubnet=192.168.234.0/24
right=10.2.16.13
rightid=host-a@peers
rightsubnet=192.168.235.0/24,192.168.236.0/24
also=base
auto=start
dpdaction=restart
keyingtries=%forever
--snip--
HostC /var/lib/strongswan/ipsec.conf.inc
--snip--
conn %default
ikelifetime=1440m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
conn base
leftid=host-c@peers
left=10.2.16.18
conn host-a
leftsubnet=192.168.236.0/24
right=10.2.16.13
rightid=host-a@peers
rightsubnet=192.168.234.0/24,192.168.235.0/24
also=base
auto=start
dpdaction=restart
keyingtries=%forever
--snip--
All /var/lib/strongswan/ipsec.secrets.inc
--snip--
host-a@client.bytedance.net host-b@client.bytedance.net : PSK
0sPJ6QU/WlSrbj8caGCcXxO6qBcyxdbMbh8RVTRhDDNXM=
host-a@client.bytedance.net host-c@client.bytedance.net : PSK
0sPJ6QU/WlSrbj8caGCcXxO6qBcyxdbMbh8RVTRhDDNXM=
--snip--
== test method
1. run ab on HostC against HostA's webserver (such as nginx)
$ ab -n 10000000 -c &lt;concurrency&gt; http://192.168.234.12/
2. load/reload nftable ruleset on HostA during ab
# ./rules.nft
If ab concurrency is equal to or more than 1000, HostA will freeze without any
panic information.
A smaller concurrency may or may not trigger the freeze.
We tried to trigger the freeze without IPsec involved, but failed to at the time.
== software
It's a mix of Debian jessie/jessie-backports and home-built strongswan
HostA kernel: 4.6.4-1~bpo8+1
strongswan: 5.5.0-1
nftables: 0.6-1~bpo8+1
The Debian jessie backport kernels 4.7.8-1~bpo8+1 &amp; 4.8.11-1~bpo8+1 are not
affected by this test setup,
BUT 4.7.8-1~bpo8+1 is affected on our production server setup. We can't test
4.8.11-1~bpo8+1 on our production server.
== rules.nft
It's not suitable for public post. I will mail it privately.</pre>
</div>
</p>
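<p>The reproduction procedure in the comment above (ab on HostC, ruleset reload on HostA during the run), written out as a driver script. This is an added example by the editor, not code from the bug report or from the netfilter project. It assumes it runs on HostA as root, that HostC is reachable over ssh under the alias <code>hostc</code>, and that the reporter's private <code>rules.nft</code> is supplied by the operator via <code>RULES</code>; none of those names come from the report. The <code>arm_lockup_detector</code> step is the editor's suggestion for the "freeze without any panic information" symptom: with the NMI watchdog armed and hard/soft lockup set to panic, a lockup produces a trace on a serial or netconsole console (which must be configured separately) instead of a silent hang.</p>

```shell
#!/bin/sh
# Reproduction driver for the "hard lockup while inserting nft rules" report.
# Added example (editor's code, not the reporter's). Assumptions, all
# overridable through the environment:
#   RULES       path to the reporter's private ruleset (not published)
#   CLIENT      ssh alias of HostC, the ab load generator (assumed "hostc")
#   TARGET_URL  the URL ab hits, as in the report
#   DRY_RUN=1   print the commands instead of executing them
set -u

RULES="${RULES:-./rules.nft}"
CLIENT="${CLIENT:-hostc}"
TARGET_URL="${TARGET_URL:-http://192.168.234.12/}"
CONCURRENCY="${CONCURRENCY:-1000}"   # report: >= 1000 reproduces reliably
RELOADS="${RELOADS:-50}"             # how many nft reloads during the ab run
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when DRY_RUN=1 (used for testing the driver).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The ab invocation from step 1 of the report, as one string for ssh.
ab_cmd() {
    printf 'ab -n 10000000 -c %s %s' "$1" "$2"
}

# Make a hard lockup leave evidence instead of a silent freeze. These are
# standard Linux sysctls: nmi_watchdog arms the hard lockup detector,
# hardlockup_panic/softlockup_panic turn a detected lockup into a panic with
# a stack trace, and kernel.panic reboots 30 s later so the box comes back.
# The trace only survives if a serial console or netconsole is configured.
arm_lockup_detector() {
    for kv in kernel.nmi_watchdog=1 kernel.hardlockup_panic=1 \
              kernel.softlockup_panic=1 kernel.panic=30; do
        run sysctl -w "$kv"
    done
}

# Parse-check the ruleset (nft -c) before using it under load; a reload that
# fails to parse exercises none of the rule insertion path being tested.
check_ruleset() {
    [ -r "$RULES" ] || { echo "ruleset $RULES not readable" >&2; return 1; }
    run nft -c -f "$RULES"
}

# Step 2 of the report, repeated: reload the ruleset N times. Prints the
# number of reloads performed as its last line.
reload_loop() {
    n=0
    while [ "$n" -lt "$1" ]; do
        run nft -f "$RULES"
        n=$((n + 1))
    done
    echo "$n"
}

main() {
    check_ruleset || exit 1
    arm_lockup_detector
    # step 1: start the load generator on HostC in the background
    run ssh "$CLIENT" "$(ab_cmd "$CONCURRENCY" "$TARGET_URL")" &
    ab_pid=$!
    sleep 2
    # step 2: reload the ruleset repeatedly while ab is running
    reload_loop "$RELOADS"
    kill "$ab_pid" 2>/dev/null
}

# Only drive the test when invoked as "./repro.sh run"; sourcing the file
# just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

<p>Run it as <code>RULES=/path/to/rules.nft CLIENT=hostc ./repro.sh run</code> on HostA; with <code>DRY_RUN=1</code> it only prints the commands it would execute, which is how the driver itself can be checked without nft, ab or a second host.</p>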
</body>
</html>