netfilter buglog - Feb 2003 - [Bug 36] New: Possible SMP-race in rule handling (or other memorycorrupting thing)

https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=36

           Summary: Possible SMP-race in rule handling (or other
                    memorycorrupting thing)
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: other
        OS/Version: other
            Status: NEW
          Severity: minor
          Priority: P2
         Component: ip_tables (kernel)
        AssignedTo: laforge@netfilter.org
        ReportedBy: gandalf@wlug.westbo.se
                CC: netfilter-buglog@lists.netfilter.org


I'm not certain this is a SMP-race, it could be any other kind of memory
corrupting thing...

Inserting a rule on an quite active SMP (2cpus) router may give you some
suprises it seems. Only seen once and I havn't tried to reproduce it yet
since
it's an important productionrouter but I'll test it on a testmachine.

Ok so here we go, the router enables forwarding before any iptables stuff is
activated (I should change the scripts :) and then it loads a few modules and
inserts a bunch of rules (not very many) and one of these rules got corrupted.

Inserted rule:
iptables -t mangle -A FORWARD -i hemmet -o eth1 -p tcp -m connmark \! --mark 0
-j CONNMARK --restore-mark

Resulting rule (iptables -vnL output):
    0     0 CONNMARK   144  --  hemmet !eth1   0.0.0.0/0            0.0.0.0/0  
       CONNMARK match !0x0 CONNMARK restore 

so proto was set to 144 not tcp, and output interface was !eth1 not eth1 as it
should.

And this is not all, no packets matched this rule as you can see but somehow all
packets get the TRACE target applied so all further matches was logged. I
don't
have any rule witch uses the TRACE target.

The TRACE stuff stopped after I replaced this rule with the same rule. Now it
looks correct and no more TRACE stuff. This is really weird and I'll see if
I
can reproduce it, although I don't have very high hopes for it. This report
is
mostly a note that we might have something wrong somewere (or maybe I have bad
memory, we'll see if the router crashes :)



------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.