[tproxy] Unprotected critical section in tproxy-patched ip_nat_core.c
KOVACS Krisztian
hidden at balabit.hu
Fri Dec 1 13:39:46 CET 2006
Hi,
On Friday 01 December 2006 04:04, wckwon wrote:
> I found a bug that some critical section was not protected by lock.
Indeed, thanks for your report. Could you give the attached updated
nat_delete.patch a try? Although the spinlock method you suggested should
work, I'd like to find a lockless way to fix the problem.
> Question : Do you have any other TIPs to increase MAX-OPEN-SESSION?
Using multiple bind addresses just as you've done is really required.
I'd also recommend increasing the tproxy hashtable size (hashsize module
parameter). It defaults to 127 which is _very_ low if you have that many
connections. If you have 200000 connections I'd set it to something like
49993. (I'd suggest setting it to a prime number.)
Additionally some tuning of the underlying conntrack/NAT subsystem should
suffice. (Like ip_conntrack_max, and maybe tuning some conntrack timeout
values if necessary.)
--
Regards,
Krisztian Kovacs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nat_delete.patch
Type: text/x-diff
Size: 11320 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20061201/28044e20/nat_delete.bin
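A small sizing helper, added here as an example (not code from the thread or from the tproxy project), that turns an expected connection count into a prime hashsize value and shows the average bucket chain length behind the default of 127 versus the suggested 49993; the four-entries-per-bucket target is an assumption of the example, chosen because 200000 / 49993 is roughly 4.

```python
"""Sizing helper for the tproxy `hashsize` module parameter (added example)."""


def is_prime(n: int) -> bool:
    """Deterministic trial division; fast enough for sizes in the tens of thousands."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n: int) -> int:
    """Smallest prime greater than or equal to n."""
    while not is_prime(n):
        n += 1
    return n


def avg_chain_length(connections: int, buckets: int) -> float:
    """Average entries per bucket, i.e. the list walked on lookup, assuming uniform hashing."""
    return connections / buckets


def suggest_hashsize(connections: int, load_factor: float = 4.0) -> int:
    """Prime bucket count that keeps about `load_factor` entries per bucket.

    The 4.0 default is an assumption of this example: the email suggests
    roughly 49993 buckets for 200000 connections, which is about 4 per bucket.
    """
    target = max(2, int(connections / load_factor))
    return next_prime(target)


if __name__ == "__main__":
    n = 200000  # constructed sample: the connection count from the thread
    print("default hashsize 127  -> %.1f entries per bucket" % avg_chain_length(n, 127))
    hs = suggest_hashsize(n)
    print("suggested hashsize %d -> %.1f entries per bucket" % (hs, avg_chain_length(n, hs)))
```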