Re: network/performance problem

From: Ron Peterson
Date: Sun Mar 14 2004 - 13:16:27 EST

Next message: Manfred Spraul: "Re: [PATCH 2.4] sys_select() return error on bad file"
Previous message: Richard A Nelson: "2.6 IPSEC and NAT issue"
In reply to: David S. Miller: "Re: network/performance problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Mar 14, 2004 at 09:33:58AM -0800, David S. Miller wrote:
> On Sun, 14 Mar 2004 08:23:40 -0500
> Ron Peterson <rpeterso@xxxxxxxxxxxxx> wrote:
>
> > Don't think so. If I revert to 2.4.20 from 2.4.21, and change nothing
> > else, this problem goes away.
>
> That's right because a netfilter change during that time period
> makes certain auto-rule adding setups go berzerk and it's a bug
> in the netfilter userland bits not the kernel.

I may indeed be completely dense. That's not unheard of around these
parts. I'd certainly accept an explanation of my denseness in lieue of
any other explanation, as long as I can make this stop happening.

What is the nature of the auto-rule adding setups going berzerk problem?

Below are my current iptables rules on 'sam' (the only machine not
currently running 2.4.20). There are no jumps to user defined chains.
I have not installed any scripts that dynamically add/alter iptables
rules. I can't imagine what package I may have installed that might do
such a thing either. Even if there were such a script somehow, since
nothing below ever jumps anywhere else, it wouldn't be getting called,
right?

If I flush and expunge my rules as follows, the problem goes away. If
this was because a jump to user defined chain was being deleted, then I'd
understand. But there are no jumps out of INPUT, OUTPUT, FORWARD,
PREROUTING, or POSTROUTING, so I'm confused.

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

FWIW, I compiled the latest 'iptables' code against my current running
2.4.21 kernel also..

1052# iptables -V
iptables v1.2.9

1045# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- 138.110.0.0/16 anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere localhost

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

Sun Mar 14 12:57:25 root@sam /usr/src
1046# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Manfred Spraul: "Re: [PATCH 2.4] sys_select() return error on bad file"
Previous message: Richard A Nelson: "2.6 IPSEC and NAT issue"
In reply to: David S. Miller: "Re: network/performance problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]