[tproxy] Unprotected critical section in tproxy-patched ip_nat_core.c

KOVACS Krisztian hidden at balabit.hu
Fri Dec 1 13:39:46 CET 2006


On Friday 01 December 2006 04:04, wckwon wrote:
> I found a bug that some critical section was not protected by lock.

  Indeed, thanks for your report. Could give the attached updated 
nat_delete.patch a try? Although the spinlock method you suggested should 
work, I'd like to find a lockless way to fix the problem.

> Question : Do you have any other TIPs to increase MAX-OPEN-SESSION?

  Using multiple bind addresses just as you've done is really required. 
I'd also recommend increasing the tproxy hashtable size (hashsize module 
parameter). It defaults to 127 which is _very_ low if you have that many 
connections. If you have 200000 connections I'd set it to something like 
49993. (I'd suggest setting it to a prime number.)

Additionally some tuning of the underlying conntrack/NAT subsystem should 
suffice. (Like ip_conntrack_max, and maybe tuning some conntrack timeout 
values if necessary.)

  Krisztian Kovacs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nat_delete.patch
Type: text/x-diff
Size: 11320 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20061201/28044e20/nat_delete.bin

More information about the tproxy mailing list