Re: CPU load on queued_spin_lock_slowpath

2018-02-07 Thread Tugrul Erdogan
Thanks for your advice. I will try to create the erroneous situation
by triggering an ICMP error for an existing connection, and then try the
non-TCP patch and a kernel upgrade respectively. I will report the
results to the mailing list.

> On Tue, Feb 6, 2018, 7:10 AM Pablo Neira Ayuso <pa...@netfilter.org> wrote:
>>
>> On Tue, Feb 06, 2018 at 10:56:20AM +0300, Tugrul Erdogan wrote:
>> > Hi All,
>> >
>> > My server had a locking problem with the logs located below. I cannot
>> > reproduce this erroneous situation again, but I think that there is an
>> > active vulnerability on my server because of this error.
>> >
>> > My server's kernel version is v4.6.4.
>>
>> Probably this helps you?
>>
>> commit 49f817d793d1bcc11d721881aac037b996feef5c
>> Author: Lin Zhang <xiaolou4...@gmail.com>
>> Date:   Fri Oct 6 00:44:03 2017 +0800
>>
>> netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook
>>
>> 4.6.4 is rather old, BTW.
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>> the body of a message to majord...@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html


CPU load on queued_spin_lock_slowpath

2018-02-05 Thread Tugrul Erdogan
Hi All,

My server had a locking problem with the logs located below. I cannot
reproduce this erroneous situation again, but I think that there is an
active vulnerability on my server because of this error.

My server's kernel version is v4.6.4.

What can be the cause of this error, or do you have any opinion about
how I can reproduce these logs again? Thanks for your help.

Best regards,
Tugrul

Feb  5 13:20:42 serv kernel: [] queued_spin_lock_slowpath+0xb/0xf
Feb  5 13:20:42 serv kernel: [] _raw_spin_lock_bh+0x2b/0x30
Feb  5 13:20:42 serv kernel: [] connlimit_mt+0x114/0x30 [xt_connlimit]
Feb  5 13:20:42 serv kernel: [] ? hashlimit_mt+0x2b7/0x71 [xt_hashlimit]
Feb  5 13:20:42 serv kernel: [] ? _raw_spin_unlock_bh+0x1e/0x20
Feb  5 13:20:42 serv kernel: [] ipt_do_table+0x25f/0x710 [ipt_tables]
Feb  5 13:20:42 serv kernel: [] ? ipt_do_table+0x332/0x710 [ipt_tables]
Feb  5 13:20:42 serv kernel: [] ? tcp_packet+0x39d/0x9a0
Feb  5 13:20:42 serv kernel: [] ? dev_hard_start_xmit+0x22f/0x3e0
Feb  5 13:20:42 serv kernel: [] iptable_mangle_hook+0x37/0x110 [iptable_mangle]
Feb  5 13:20:42 serv kernel: [] nf_iterate+0x5d/0x70
Feb  5 13:20:42 serv kernel: [] nf_hook_slow+0x5d/0x70
Feb  5 13:20:42 serv kernel: [] ip_output+0xdb/0xf0
Feb  5 13:20:42 serv kernel: [] ? __ip_local_out+0xa2/0x110
Feb  5 13:20:42 serv kernel: [] ? ip_fragment.constprop.51+0x80/0x80
Feb  5 13:20:42 serv kernel: [] ip_local_out+0x35/0x40
Feb  5 13:20:42 serv kernel: [] synproxy_send_tcp.isra.8+0xca/0xf0 [ipt_SYNPROXY]
Feb  5 13:20:42 serv kernel: [] synproxy_recv_client_ack+0x200/0x340 [ipt_SYNPROXY]
Feb  5 13:20:42 serv kernel: [] synproxy_tg4+0x11c/0x308 [ipt_SYNPROXY]
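An added triage helper, written for this page and not part of the thread: it rejoins the frames that the list archive wrapped onto continuation lines, extracts symbol, offset, size and module from each, names the first reliable frame below the spinlock primitives (the code that actually took the contended lock), and flags frames whose offset exceeds the symbol size, which is a sign the archived line was mangled. The sample lines are constructed from the report above, with the archive's blanked addresses ("[]") assumed.

```python
import re

# Constructed sample: five frames from the report, as the archive renders them
# (addresses blanked to "[]", long frames wrapped onto a continuation line).
SAMPLE_LOG = """\
Feb  5 13:20:42 serv kernel: []
queued_spin_lock_slowpath+0xb/0xf
Feb  5 13:20:42 serv kernel: [] _raw_spin_lock_bh+0x2b/0x30
Feb  5 13:20:42 serv kernel: []
connlimit_mt+0x114/0x30 [xt_connlimit]
Feb  5 13:20:42 serv kernel: [] ?
hashlimit_mt+0x2b7/0x71 [xt_hashlimit]
Feb  5 13:20:42 serv kernel: []
synproxy_tg4+0x11c/0x308 [ipt_SYNPROXY]
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: ")
FRAME = re.compile(r"^(?P<unrel>\? )?(?P<sym>[\w.]+)\+(?P<off>0x[0-9a-f]+)/(?P<size>0x[0-9a-f]+)(?: \[(?P<mod>\w+)\])?$")
# Generic locking primitives: top of the stack, but not the contended site itself.
LOCK_PRIMS = {"queued_spin_lock_slowpath", "_raw_spin_lock", "_raw_spin_lock_bh"}

def unwrap(text):
    """Rejoin frames that the mail archive wrapped onto a continuation line."""
    lines = []
    for raw in text.splitlines():
        if PREFIX.match(raw):
            lines.append(raw)
        elif lines:
            lines[-1] += " " + raw.strip()
    return lines

def parse_frames(text):
    """One dict per frame: symbol, module, offset/size, and whether it is reliable ('?' = guess)."""
    frames = []
    for line in unwrap(text):
        body = PREFIX.sub("", line).replace("[] ", "", 1).strip()
        m = FRAME.match(body)
        if m:
            frames.append({"sym": m["sym"], "mod": m["mod"] or "vmlinux",
                           "reliable": m["unrel"] is None,
                           "off": int(m["off"], 16), "size": int(m["size"], 16)})
    return frames

def lock_holder(frames):
    """First reliable frame below the spinlock primitives: the code that took the contended lock."""
    return next(f for f in frames if f["reliable"] and f["sym"] not in LOCK_PRIMS)

def suspicious_frames(frames):
    """Offset larger than symbol size cannot come from a real symbol table: treat those as mangled."""
    return [f["sym"] for f in frames if f["off"] > f["size"]]
```

On the full trace this points at connlimit_mt in xt_connlimit as the lock taker, while the synproxy frames further down show the lock is being contended from the SYNPROXY transmit path.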


About Kernel SynProxy Performance

2017-03-01 Thread Tugrul Erdogan
Hi All,

I have noticed the commit below in the kernel 4.7 change logs.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3d051477cf94e9d71d6acadb8a90de15237b9c1

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8804b2722dc5d6f9b7ba0a9e812eae9ee5ce95bc

Then I thought that this commit might increase the SYNPROXY performance of
the kernel too, and updated my kernel from 3.15.9 to 4.10. But I didn't
notice any significant change in received pps with the netfilter/SYNPROXY
module.

I wanted to ask you what the reason for that may be. The commit message
says that the task test result would have an approximately 100% increase.

Could you give more details about how this commit affects the
SYNPROXY module from a performance perspective?

If this commit does not affect the SYNPROXY module, I would like your
opinions on whether there is a way to increase SYNPROXY performance with
some changes adopted from the commit linked above into the
SYNPROXY internals.

The CPU and NIC info I used is below:

Intel(R) Xeon(R) CPU   E5645  @ 2.40GHz

82599ES 10-Gigabit SFI/SFP+ Network Connection

and the iptables rules:

-t raw -A PREROUTING -p tcp -m physdev --physdev-in enp7s0f0 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j NOTRACK

-t filter -A FORWARD -p tcp -m physdev --physdev-in enp7s0f0 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1480

Thanks for your kind replies.
Best regards,
Tugrul