[Bug 1082] Hard lockup when inserting nft rules (esp. ct rule)
bugzilla-daemon at netfilter.org
Mon Dec 19 09:19:27 CET 2016
https://bugzilla.netfilter.org/show_bug.cgi?id=1082
--- Comment #3 from Wang Jian <larkwang at gmail.com> ---
The following are steps to reproduce. It's different from our production setup,
though.
== network setup
HostB <= ipsec => HostA <= ipsec => HostC
HostA
  eth0: 10.2.16.13/24
  eth1: 192.168.235.12/24
HostB
  eth0: 10.2.16.14/24
  eth1: 192.168.234.12/24
HostC
  eth0: 10.2.16.18/24
  eth1: 192.168.236.12/24
IPsec config
HostA /var/lib/strongswan/ipsec.conf.inc
--snip--
conn %default
    ikelifetime=1440m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn base
    leftid=host-a@peers
    left=10.2.16.13

conn host-b
    leftsubnet=192.168.235.0/24,192.168.236.0/24
    right=10.2.16.14
    rightid=host-b@peers
    rightsubnet=192.168.234.0/24
    also=base
    auto=start
    dpdaction=restart
    keyingtries=%forever

conn host-c
    leftsubnet=192.168.235.0/24,192.168.234.0/24
    right=10.2.16.18
    rightid=host-c@peers
    rightsubnet=192.168.236.0/24
    also=base
    auto=start
    dpdaction=restart
    keyingtries=%forever
--snip--
HostB /var/lib/strongswan/ipsec.conf.inc
--snip--
conn %default
    ikelifetime=1440m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn base
    leftid=host-b@peers
    left=10.2.16.14

conn host-a
    leftsubnet=192.168.234.0/24
    right=10.2.16.13
    rightid=host-a@peers
    rightsubnet=192.168.235.0/24,192.168.236.0/24
    also=base
    auto=start
    dpdaction=restart
    keyingtries=%forever
--snip--
HostC /var/lib/strongswan/ipsec.conf.inc
--snip--
conn %default
    ikelifetime=1440m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn base
    leftid=host-c@peers
    left=10.2.16.18

conn host-a
    leftsubnet=192.168.236.0/24
    right=10.2.16.13
    rightid=host-a@peers
    rightsubnet=192.168.234.0/24,192.168.235.0/24
    also=base
    auto=start
    dpdaction=restart
    keyingtries=%forever
--snip--
All /var/lib/strongswan/ipsec.secrets.inc
--snip--
host-a@client.bytedance.net host-b@client.bytedance.net : PSK 0sPJ6QU/WlSrbj8caGCcXxO6qBcyxdbMbh8RVTRhDDNXM=
host-a@client.bytedance.net host-c@client.bytedance.net : PSK 0sPJ6QU/WlSrbj8caGCcXxO6qBcyxdbMbh8RVTRhDDNXM=
--snip--
== test method
1. run ab on HostC against HostA's webserver (such as nginx)
   $ ab -n 10000000 -c <concurrency> http://192.168.234.12/
2. load/reload nftables ruleset on HostA during ab
   # ./rules.nft
If the ab concurrency is equal to or more than 1000, HostA freezes without any
panic information.
A smaller concurrency may or may not trigger the freeze.
We tried to trigger the freeze without IPsec involved, but failed at the time.
== software
It's a mix of debian jessie/jessie-backports and home-built strongswan
HostA kernel: 4.6.4-1~bpo8+1
strongswan: 5.5.0-1
nftables: 0.6-1~bpo8+1
The debian jessie backport kernels 4.7.8-1~bpo8+1 & 4.8.11-1~bpo8+1 are not
affected by this test setup,
BUT 4.7.8-1~bpo8+1 is affected on our production server setup. We can't test
4.8.11-1~bpo8+1 on our production server.
== rules.nft
It's not suitable for public post. I will mail it privately.