[tproxy] General protection fault may occur when removing TPROXY rule

U.Mutlu for-forums at mutluit.com
Wed Jan 21 18:26:14 CET 2015

James Oakley wrote, On 01/21/2015 05:28 PM:
> I have already filed an issue at https://bugzilla.kernel.org/show_bug.cgi?id=91661 but I wanted to see if anybody here has any idea about this.
> I have been experiencing GPFs when removing TPROXY rules in modern kernels for a while. This occurs on many different bare-metal x86 machines, plus KVM.
> The setup to reproduce is a bit specific:
> 1. TUN tunnel to remote server, with default route through tunnel (I have no idea whether this is important, but I haven't reproduced without it)
> 2. Transparent TCP proxy, using IP_TRANSPARENT to preserve src and dst addresses. (Basically a TCP accelerator)
> 3. TPROXY setup with the following rules:
>      iptables -t nat -A OUTPUT -o tun10 -p tcp -m multiport --ports 80,443,8080 -j REDIRECT --to-ports 5080
>      iptables -t mangle -A bridge_existing -j MARK --set-xmark 0xf0/0xffffffff
>      iptables -t mangle -A bridge_existing -j ACCEPT
>      iptables -t mangle -A tcp_proxy -d -p tcp -m socket -j bridge_existing
>      iptables -t mangle -A tcp_proxy -d -p tcp  -j RETURN
>      iptables -t mangle -A tcp_proxy -d -p tcp -m multiport --dports 80,443,8080  -j TPROXY --on-port 5080 --on-ip --tproxy-mark 0xf0/0xffffffff
> 4. As per the TPROXY documentation, the marked packets are sent to a separate routing table:
>      local default dev lo  scope host

Is this part of a command?

> 5. Regular traffic through the box from outside. (I use 40 browser tabs accessing random pages every 10 seconds)
> Sometimes, when these rules are removed, the GPF occurs. To reproduce, I add and remove the rules every 3 seconds. It usually occurs within 10 minutes.

Which rules are meant here? The above iptables rules? Why remove? And why in 
such short intervals? Isn't that overkill? :-)
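The routing-table step quoted above, as an added shell example that is not part of the thread: the `local default dev lo scope host` line is what `ip route show table N` prints for the route installed below, so this script builds that route and its `ip rule` with the thread's mark 0xf0 in apply order and tears them down in reverse. Table number 100 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): policy-routing half of a TPROXY setup
# for mark 0xf0. Table number 100 and DRY_RUN are assumptions of this script.
MARK="0xf0/0xffffffff"          # mark as set by the thread's MARK/TPROXY rules
TABLE="${TPROXY_TABLE:-100}"    # assumed table number; any unused one works
FWMARK="${MARK%%/*}"            # "0xf0": ip rule takes the value, not the mask

# Setup commands in the order they must be applied: the rule first, then the
# route that delivers marked packets to the local stack via lo.
tproxy_setup_cmds() {
    printf '%s\n' \
        "ip rule add fwmark $FWMARK lookup $TABLE" \
        "ip route add local 0.0.0.0/0 dev lo table $TABLE"
}

# Teardown is the exact reverse, so a failure midway never leaves a rule
# pointing at a table whose route is already gone.
tproxy_teardown_cmds() {
    printf '%s\n' \
        "ip route del local 0.0.0.0/0 dev lo table $TABLE" \
        "ip rule del fwmark $FWMARK lookup $TABLE"
}

# Run one command per input line; with DRY_RUN=1 only print them (needs no
# root, so the plan can be reviewed first). Stops at the first failure.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Usage: sh tproxy-route.sh          (prints the plan, no root needed)
#        sh tproxy-route.sh up|down  (applies or removes it, as root)
case "${1:-}" in
    up)   tproxy_setup_cmds    | run_cmds ;;
    down) tproxy_teardown_cmds | run_cmds ;;
    *)    DRY_RUN=1; export DRY_RUN; tproxy_setup_cmds | run_cmds ;;
esac
```

After `up`, `ip route show table 100` should print exactly the `local default dev lo scope host` line quoted in the thread.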
