[tproxy] General protection fault may occur when removing TPROXY rule
for-forums at mutluit.com
Wed Jan 21 18:26:14 CET 2015
James Oakley wrote, On 01/21/2015 05:28 PM:
> I have already filed an issue at https://bugzilla.kernel.org/show_bug.cgi?id=91661 but I wanted to see if anybody here has any idea about this.
> I have been experiencing GPFs when removing TPROXY rules in modern kernels for a while. This occurs on many different bare-metal x86 machines, plus KVM.
> The setup to reproduce is a bit specific:
> 1. TUN tunnel to remote server, with default route through tunnel (I have no idea whether this is important, but I haven't reproduced without it)
> 2. Transparent TCP proxy, using IP_TRANSPARENT to preserve src and dst addresses. (Basically a TCP accelerator)
> 3. TPROXY setup with the following rules:
> iptables -t nat -A OUTPUT -o tun10 -p tcp -m multiport --ports 80,443,8080 -j REDIRECT --to-ports 5080
> iptables -t mangle -A bridge_existing -j MARK --set-xmark 0xf0/0xffffffff
> iptables -t mangle -A bridge_existing -j ACCEPT
> iptables -t mangle -A tcp_proxy -d 10.123.3.0/24 -p tcp -m socket -j bridge_existing
> iptables -t mangle -A tcp_proxy -d 10.123.3.1/32 -p tcp -j RETURN
> iptables -t mangle -A tcp_proxy -d 10.123.3.0/24 -p tcp -m multiport --dports 80,443,8080 -j TPROXY --on-port 5080 --on-ip 127.0.0.1 --tproxy-mark 0xf0/0xffffffff
> 4. As per the TPROXY documentation, the marked packets are sent to a separate routing table:
> local default dev lo scope host
Is this part of a command?
> 5. Regular traffic through the box from outside. (I use 40 browser tabs accessing random pages every 10 seconds)
> Sometimes, when these rules are removed, the GPF occurs. To reproduce, I add and remove the rules every 3 seconds. It usually occurs within 10 minutes.
Which rules are meant here? The above iptables rules? Why remove? And why in
such short intervals? Isn't that overkill? :-)
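For readers who want to see what step 2 of James's setup looks like in code, here is an added, self-contained skeleton of an IP_TRANSPARENT TCP proxy (my example, not code from James's post or from the tproxy project). It assumes the listener address from his rules, 127.0.0.1:5080, and a plain byte relay upstream; it shows why a TPROXY-delivered connection hands back the original destination through getsockname(), and why the '-m socket' mark rule in his mangle chain is what brings the replies back to the proxy.

```python
import contextlib
import socket
import threading

IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # Linux value; CPython exports it

def original_destination(conn):
    """(ip, port) the client dialled. Under TPROXY the packet reaches the socket
    unmodified, so the accepted socket's *local* address is the real destination;
    no NAT lookup (SO_ORIGINAL_DST, as REDIRECT needs) is involved."""
    ip, port = conn.getsockname()[:2]
    return ip, port

def transparent_listener(on_ip="127.0.0.1", on_port=5080):
    """Listener for --on-ip/--on-port; setting IP_TRANSPARENT needs CAP_NET_ADMIN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)  # accept foreign dst addrs
    srv.bind((on_ip, on_port))
    srv.listen(128)
    return srv

def upstream_socket(client_addr, dst):
    """Dial the real destination with the client's address as source; that is how
    src is preserved. The replies then carry a foreign dst and only reach this
    process because the '-m socket' rule marks them onto the local lo table."""
    up = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    up.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    up.bind(client_addr)  # non-local source address, legal with IP_TRANSPARENT
    up.connect(dst)
    return up

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the peer so it sees EOF too."""
    try:
        for chunk in iter(lambda: src.recv(65536), b""):
            dst.sendall(chunk)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def serve(srv):
    """Accept loop: one pair of pump threads per proxied connection."""
    while True:
        conn, client_addr = srv.accept()
        up = upstream_socket(client_addr, original_destination(conn))
        threading.Thread(target=pump, args=(conn, up), daemon=True).start()
        threading.Thread(target=pump, args=(up, conn), daemon=True).start()
```

Run serve(transparent_listener()) as root (or with CAP_NET_ADMIN) on a box carrying the mangle rules and the fwmark routing table from the post; without the 'local default dev lo' table the TPROXY-marked packets never reach the listener at all.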