[pve-devel] [PATCH firewall] log and ignore ENOBUFS in nfct_catch

Alexandre DERUMIER aderumier at odiso.com
Thu Jan 10 08:31:01 CET 2019


>>Can you check cat /proc/PID/stack or attach with GDB to see 
>>where exactly it hangs then? 

I have tried again this morning, and it doesn't hang.
I need to check my disk, maybe I had some iowait.

I have also noticed that logs are written twice, in /var/log/pve-firewall.log, but also in syslog /var/log/user.log.

I'll check the /proc/PID/stack if it happens again.

>>Which sort of traffic runs over it? Maybe we/David can produce some 
>>similar test traffic to reproduce it. 

I have a big application, running websockets over haproxy. (so a lot from internet->proxy, and proxy->servers)
That's a lot of new connections per second.

I have also increased my sysctl rmem; it's possible that ENOBUFS comes from here. (and I never noticed it before)


Thank you again for your great work!



----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "Alexandre Derumier" <aderumier at odiso.com>
Sent: Wednesday, January 9, 2019 17:16:50
Subject: Re: [pve-devel] [PATCH firewall] log and ignore ENOBUFS in nfct_catch

On 1/9/19 4:57 PM, Alexandre DERUMIER wrote: 
> OK, it correctly continues to work after the error message now. 
> 
> But I still have a hang after that (after some seconds, or minutes). 
> Any error message in this case. 

Can you check cat /proc/PID/stack or attach with GDB to see 
where exactly it hangs then? 

> 
> (This is a really busy server, I have around 400MB of logs for 10 minutes) 
> 

Which sort of traffic runs over it? Maybe we/David can produce some 
similar test traffic to reproduce it. 

> cat /var/log/pve-firewall.log |grep -c NEW 
> 1465965 
> # cat /var/log/pve-firewall.log |grep -c DESTROY 
> 658931 
> 
> maybe it could be great to have an option like ulogd, to choose to log DESTROY or NEW or both. 
> Maybe able to add some src + dst filtering option. (If I want to filter internal->external traffic for example). 



