[tproxy] Kernel Panic/System Hang when using TPROXY with 2.6.27 or later

KOVACS Krisztian hidden at balabit.hu
Thu Oct 21 16:24:57 CEST 2010


Hi,

On Thu, 2010-10-21 at 16:16 +0200, FREY Oliver wrote:
> Our product supports either proxying using iptables-REDIRECT-targets and
> no TPROXY, or using iptables-TPROXY-targets and the TPROXY-support to
> open the outgoing connection with the client's IP-address.
> 
> Everything is working fine and systems are stable and running for months
> when using the REDIRECT-targets.
> Also everything looks to run fine when using the TPROXY-targets, but
> unfortunately within 24-48 hours the system either hangs with a Kernel
> Panic (we can also see some Soft-Lockup-Warnings before that) or
> completely hangs, needing a manual reset.
> Unfortunately we have no Kernel-development/debugging experience, but
> all the warnings/panics point to kernel-memory-corruption, because by
> now we had panics in virtually any system-function called that tries to
> allocate/free kernel-memory - also once we had a Kernel with
> slab-debug-messages enabled running and got messages that corruption was
> detected, hours before the system finally panicked.
> 
> The latest kernel we tried was 2.6.35.2, we also tried a few versions in
> between, but stability did not change.
> At application-level there is not much that has to be done (and can get
> wrong) to use TPROXY-support, and the calls were implemented according
> to sample-code.
> 
> I do appreciate any help you can provide, as I've run out of ideas what
> I could do to fix the issue.

Well, there was a report of tproxy-triggered crashes on the Linux netdev
mailing list a few months ago. It might be the case that you're
experiencing the same issue, but it's impossible to tell without knowing
more details.

We do have a patch which should fix that particular problem so maybe it
would be worth giving that patch a try. You can get the patch here:

http://git.balabit.hu/?p=hidden/tproxy-2.6.git;a=commit;h=4ccf010bd5841745847a330c4063efdf12f3648e

Please let me know if you're still having issues after applying the
patch.

Cheers,
Krisztian



