On Thu, Feb 13, 2020 at 8:20 AM Witold Tosta <witold.to...@gmail.com> wrote:
>
> It seemed to me that way too
>
> Thu, 13 Feb 2020 at 05:16 Tom Eastep <teas...@shorewall.net> wrote:
>>
>> Vieri's problem appears to be in the driver for his Network Interface
>> Card
Maybe, maybe not.

The fact is that I'm seeing the same kernel message when using totally
different network cards/brands, ie. different drivers. They can't be all
buggy... (well, hopefully)

It also happened with an Intel igb, Intel xigbe and Broadcom NetExtreme
(bnxt_en). I've yet to try out a Mellanox ConnectX5, but I'm ready to bet
I'd get the same results.

I think I've finally found a way to reproduce the problem, and asked for
help on the LKML.

The warning messages I reported (which *could* lead to a system hang after
a long period running -- a week in my case) disappear if I stop using
NFQUEUE.

In my specific case I use NFQUEUE balance 0:5 with iptables-1.6.1.

As an IPS I'm using suricata 5.0.1 with the following arguments (among
others):

-q 0 -q 1 -q 2 -q 3 -q 4 -q 5

I've reproduced this behavior with several recent Linux kernel versions.

I've also asked for help on the Suricata mailing list.

I configure NFQUEUE in Shorewall like so (I know it's not optimized -- I
just generate these rules from a script which I need to improve):

NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  tcp,udp  6502,7071,7070  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  tcp,udp  -  6502,7071,7070
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  icmp
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  icmp
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  udp  500,4500  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  udp  -  500,4500
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  50
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  50
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  51
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  51
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  tcp  61196,61197,61198,21,80,443,3389,10444  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  tcp  -  61196,61197,61198,21,80,443,3389,10444
[...]
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GLOBAL_WL,+EMAIL_WL  loc,dmz,fw  tcp  25  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GLOBAL_WL,+EMAIL_WL  tcp  -  25
[...]
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  tcp,udp  6502,7071,7070  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  tcp,udp  -  6502,7071,7070
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  icmp
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  icmp
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  udp  500,4500  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  udp  -  500,4500
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  50
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  50
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  51
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  51
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  loc,dmz,fw  tcp  61196,61197,61198,21,80,443,3389,10444  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL,+GLOBAL_WL  tcp  -  61196,61197,61198,21,80,443,3389,10444
[...]
NFQUEUE(0:5)  net1,net2,net3:!+IPS_BL,+POL_BL,+GLOBAL_WL,+EMAIL_WL  loc,dmz,fw  tcp  25  -
NFQUEUE(0:5)  loc,dmz,fw  net1,net2,net3:!+IPS_BL,+POL_BL,+GLOBAL_WL,+EMAIL_WL  tcp  -  25

They are in SECTION_ESTABLISHED SECTION_NEW SECTION_RELATED

Just in case you have any suggestions...
Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
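When a rule set balances traffic over NFQUEUE 0:5 and a userspace IPS is expected to consume all six queues, the first thing to rule out before suspecting a NIC driver is a mismatch between the two sides: by default iptables drops every packet sent to a queue that no process is listening on (unless the rule was given --queue-bypass), and a consumer that is bound but has stalled shows up as a growing backlog and kernel drop counters. The script below is an added example for this thread, not code from Vieri, Shorewall or Suricata. It parses the kernel's /proc/net/netfilter/nfnetlink_queue table and checks a balance range against it. It assumes the table's column layout is queue number, peer port id, queued packets, copy mode, copy range, queue_dropped, queue_user_dropped, id sequence and a trailing 1, with one line per bound queue and no line at all for an unbound queue; the sample table, the 512-packet backlog threshold and the names run_check and check_queues are constructed for the example.

```python
"""Sanity check for an NFQUEUE balance setup such as NFQUEUE(0:5):
parse /proc/net/netfilter/nfnetlink_queue, confirm every queue in the
range has a userspace consumer bound, and flag queues that are dropping
or backlogging packets.

Assumed column layout (one line per bound queue; an unbound queue has
no line at all):
  queue_num peer_portid queue_total copy_mode copy_range
  queue_dropped queue_user_dropped id_sequence 1
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class QueueStat:
    queue: int          # queue number
    peer_portid: int    # netlink port id of the bound consumer process
    queue_total: int    # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int
    queue_dropped: int  # dropped by the kernel because the queue was full
    user_dropped: int   # dropped because userspace could not be reached
    id_sequence: int


def parse_nfnetlink_queue(text: str) -> Dict[int, QueueStat]:
    """Parse the proc table into {queue_number: QueueStat}."""
    stats: Dict[int, QueueStat] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated line
        try:
            values = [int(f) for f in fields[:8]]
        except ValueError:
            continue  # not a data row
        stat = QueueStat(*values)
        stats[stat.queue] = stat
    return stats


def parse_queue_range(spec: str) -> List[int]:
    """'0:5' -> [0, 1, 2, 3, 4, 5]; '3' -> [3] (NFQUEUE balance syntax)."""
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo, hi = int(lo_s), int(hi_s)
        if hi < lo:
            raise ValueError(f"bad queue range {spec!r}")
        return list(range(lo, hi + 1))
    return [int(spec)]


def check_queues(stats: Dict[int, QueueStat], spec: str,
                 backlog_threshold: int = 512) -> Dict[str, List[int]]:
    """Classify each queue in the balance range; empty lists mean healthy."""
    report: Dict[str, List[int]] = {"unbound": [], "dropping": [], "backlogged": []}
    for qnum in parse_queue_range(spec):
        stat = stats.get(qnum)
        if stat is None or stat.peer_portid == 0:
            report["unbound"].append(qnum)   # packets to this queue are dropped
            continue                         # unless the rule has --queue-bypass
        if stat.queue_dropped or stat.user_dropped:
            report["dropping"].append(qnum)
        if stat.queue_total >= backlog_threshold:
            report["backlogged"].append(qnum)  # consumer bound but not keeping up
    return report


# Constructed sample: consumers bound on queues 0-4, queue 3 backlogged
# with kernel drops, and nothing bound on queue 5 of the 0:5 range.
SAMPLE_TABLE = """\
    0  12345     0 2 65531     0     0   81234  1
    1  12346     0 2 65531     0     0   80977  1
    2  12347     3 2 65531     0     0   81010  1
    3  12348  1024 2 65531   517     0   79993  1
    4  12349     0 2 65531     0     0   81102  1
"""


def run_check(text: str = SAMPLE_TABLE, spec: str = "0:5") -> Dict[str, List[int]]:
    return check_queues(parse_nfnetlink_queue(text), spec)


if __name__ == "__main__":
    import sys
    # No arguments: run against the constructed sample. On a live box:
    #   python3 nfq_check.py /proc/net/netfilter/nfnetlink_queue 0:5
    table = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    spec = sys.argv[2] if len(sys.argv) > 2 else "0:5"
    for kind, queues in run_check(table, spec).items():
        print(f"{kind:10s} {queues}")
```

Run it a few times while the IPS is under load: a queue that keeps appearing under "dropping" or "backlogged" points at a consumer problem, and a queue under "unbound" means the balance range in the rules and the -q arguments handed to the IPS do not match.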