Re: Re[2]: kernel oops, fast ethernet bridge, 2.4.31
I have included a patch that adds Cisco ISL support to the ethernet bridge code. When I first debugged it I had to make changes to ip_output.c and netfilter_bridge.h to leave room for the ISL header. The changes to ip_output.c I got from looking at the 2.6 changes and tweaking them a bit.

The same problem I had w/ large UDP packets is going to happen to you as we need to reserve space for the extra bytes that the VLAN uses when fragmenting the UDP packet that is being forwarded. I think if you take the ip_output.c diffs, along with the nf_bridge_pad() from netfilter_bridge.h you should be fine. nf_bridge_tail() is only needed for ISL as it has an extra checksum at the end of the packet. That can be removed for VLAN only.

I have attached the patch, patch.isl is the patch that I have running w/ ISL support and is working for me. fix.vlan is just the code I think you need to add. It wasn't generated by diff so you will need to hand edit it.

If you have questions let me know. If it fixes your problem, we need to submit it to the ebtables person that is maintaining the 2.4.31 tree as it needs to be released from them. These changes are in 2.6 already.

- joy leima -

> On Fri, 22 Jul 2005 15:13:33 + (UTC)
> Joy Leima <[EMAIL PROTECTED]> wrote:
>
> > Lukasz,
> >
> > I think I have a fix for you. Verify for me that it is the same
> > problem. Send a large UDP packet through the bridge. I believe the
> > problem is the ip_fragment code is not taking into account the VLAN
> > header that needs to be added to the packet when it gets fragmented
> > on the way out.
> >
> > Just send the large UDP packet through the bridge. I use ttcp. If
> > it panics then I can send you the fix. There are further changes to
> > ip_output.c
>
> Hello Joy,
>
> This is exactly this situation which you described.
> Could you be so kind to send me this patch ?
>
> Best regards,
> Lukasz Spaleniak
>
> --
> lspaleniak on wroc zigzag pl
> GCM dpu s: a--- C++ UL P+ L+++ E--- W+ N+ K- w O- M V-
> PGP t--- 5 X+ R- tv-- b DI- D- G e-- h! r y+

patch.isl
Description: Binary data

fix.vlan
Description: Binary data
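
Added example, not part of the thread or of the attached patch.isl / fix.vlan: a user-space C model of the failure described above, where the fragmenter sizes each fragment and its headroom without counting the 4-byte VLAN tag that the bridge prepends on the way out. All names (bridge_pad, plan_fragments, bad_fragments) and the 4000-byte / MTU 1500 input are constructed for illustration; no kernel structures are used.

```c
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN  14  /* Ethernet header */
#define VLAN_HLEN  4  /* 802.1Q tag pushed by the bridge on the way out */
#define IP_HLEN   20  /* IPv4 header, no options */
#define MAX_FRAGS 64

/* User-space model of a fragment: only byte counts, no real sk_buff. */
struct frag { size_t headroom; size_t ip_len; };

/* Extra link-layer bytes for this packet (hypothetical stand-in for the
 * role the thread gives nf_bridge_pad()). */
static size_t bridge_pad(int vlan_tagged) { return vlan_tagged ? VLAN_HLEN : 0; }

/* Split `payload` bytes into fragments, reserving `pad` extra bytes. */
static size_t plan_fragments(size_t payload, size_t mtu, size_t pad, struct frag *out)
{
    size_t per_frag = (mtu - pad - IP_HLEN) / 8 * 8; /* offsets are in 8-byte units */
    size_t n = 0;
    while (payload > 0 && n < MAX_FRAGS) {
        size_t chunk = payload < per_frag ? payload : per_frag;
        out[n].headroom = ETH_HLEN + pad;   /* space in front of the IP header */
        out[n].ip_len = IP_HLEN + chunk;
        payload -= chunk;
        n++;
    }
    return n;
}

/* Count fragments the output path cannot send: too little headroom to
 * prepend Ethernet + VLAN headers, or a tagged frame larger than the MTU. */
static size_t bad_fragments(size_t payload, size_t mtu, int vlan_tagged, int fragmenter_pads)
{
    struct frag f[MAX_FRAGS];
    size_t pad = bridge_pad(vlan_tagged), bad = 0;
    size_t n = plan_fragments(payload, mtu, fragmenter_pads ? pad : 0, f);
    for (size_t i = 0; i < n; i++)
        if (f[i].headroom < ETH_HLEN + pad || f[i].ip_len + pad > mtu)
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed input: 4000-byte datagram payload, MTU 1500. */
    printf("fragmenter ignores VLAN pad: %zu bad\n", bad_fragments(4000, 1500, 1, 0));
    printf("fragmenter reserves the pad: %zu bad\n", bad_fragments(4000, 1500, 1, 1));
    return 0;
}
```

In the model every fragment of the unpadded plan is 4 bytes short of headroom, which corresponds to the header push that has no room in the real output path.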
Re: Re[2]: kernel oops, fast ethernet bridge, 2.4.31
On Fri, 22 Jul 2005 15:13:33 + (UTC)
Joy Leima <[EMAIL PROTECTED]> wrote:

> Lukasz,
>
> I think I have a fix for you. Verify for me that it is the same
> problem. Send a large UDP packet through the bridge. I believe the
> problem is the ip_fragment code is not taking into account the VLAN
> header that needs to be added to the packet when it gets fragmented
> on the way out.
>
> Just send the large UDP packet through the bridge. I use ttcp. If
> it panics then I can send you the fix. There are further changes to
> ip_output.c

Hello Joy,

This is exactly this situation which you described.
Could you be so kind to send me this patch ?

Best regards,
Lukasz Spaleniak

--
lspaleniak on wroc zigzag pl
GCM dpu s: a--- C++ UL P+ L+++ E--- W+ N+ K- w O- M V-
PGP t--- 5 X+ R- tv-- b DI- D- G e-- h! r y+
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: Re[2]: kernel oops, fast ethernet bridge, 2.4.31
Lukasz Spaleniak wroc.zigzag.pl> writes:

>
> On Wednesday, July 20, 2005, 9:44:57 PM, Willy Tarreau wrote:
> changed. At least it should have been oopsing from day one.
> It is strange to me too. There is no dependency when it happens.
> Sometimes traffic is small, sometimes it's normal. Packet rates are
> around ~2000-3000 pkt/sec - so not so high.
>
> Regards,
> Lukasz
>

Lukasz,

I think I have a fix for you. Verify for me that it is the same problem. Send a large UDP packet through the bridge. I believe the problem is the ip_fragment code is not taking into account the VLAN header that needs to be added to the packet when it gets fragmented on the way out.

Just send the large UDP packet through the bridge. I use ttcp. If it panics then I can send you the fix. There are further changes to ip_output.c
Re[2]: kernel oops, fast ethernet bridge, 2.4.31
On Wednesday, July 20, 2005, 9:44:57 PM, Willy Tarreau wrote:

> Hello,

Hello Willy,

> just some basic questions :
> - did your configuration change before the oopses started ? (eg: new
> matches, etc...)

One new machine appears but it generates small traffic rate (by now it's almost unused).

> - did the traffic change recently (protocols, data rate) ? eg: new
> applications on the network, etc...

No - firewall is bridging IPv4 only. There was no dramatic topology change. Those VLANs which are going through this firewall were untouched.

> - is it possible that it's being targeted by an attack where it is
> installed (unfiltered internet, holiday employees who like to play
> with the network, etc...) ?

I don't think that the managed IP of the firewall was targeted, maybe machines behind the firewall, but the problem appears on the eth2 interface, which is:

internet <-trunk-> eth1(firewall/iptables)eth2<-trunk->(switch ports) <-> servers

So it's after iptables ...

> I really find it strange that it suddenly started oopsing if nothing
> changed. At least it should have been oopsing from day one.

It is strange to me too. There is no dependency when it happens. Sometimes traffic is small, sometimes it's normal. Packet rates are around ~2000-3000 pkt/sec - so not so high.

Regards,
Lukasz

--
lspaleniak on wroc zigzag pl
GCM dpu s: a--- C++ UL P+ L+++ E--- W+ N+ K- w O- M V-
PGP t--- 5 X+ R- tv-- b DI- D- G e-- h! r y+