bugzilla-daemon at netfilter.org
2014-May-19 02:46 UTC
[Bug 941] New: --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

Summary: --queue-balance sending all traffic to queue 0
Product: netfilter/iptables
Version: linux-2.6.x
Platform: x86_64
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: nfnetlink_queue
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: dnadle at hotmail.com
Estimated Hours: 0.0

I have this forwarding rule in my iptables:

-A FORWARD -j NFQUEUE --queue-balance 0:3

The queues are processed by Suricata. Suricata stats show no activity on queues 1:3. Also, /proc/net/netfilter/nfnetlink_queue looks like this soon after a reboot:

$ sudo cat /proc/net/netfilter/nfnetlink_queue
0 2010 0 2 65535 0 0 92116 1
1 -4195 0 2 65535 0 0 0 1
2 -4196 0 2 65535 0 0 0 1
3 -4197 0 2 65535 0 0 0 1

If instead I set rules like:

-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 0
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 1

Suricata stats.log and /proc/net/netfilter/nfnetlink_queue report activity on both queues.

I can't find any previous report of this issue online. Please advise.

Additional information:

OS: Centos 6.5
Kernel: 2.6.32-431.17.1.el6.x86_64
iptables: 1.4.7-11.el6
libnetfilter_queue: 0.0.15-1
libnfnetlink: 1.0.0-1.el6

--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2014-May-19 09:49 UTC
[Bug 941] --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

Pablo Neira Ayuso <pablo at netfilter.org> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Status |NEW     |ASSIGNED
CC     |        |pablo at netfilter.org

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2014-05-19 11:49:04 CEST ---

Are you generating traffic from the same source address?

The load sharing uses a hash-based approach based on that and the layer 4 protocol number.

http://lxr.free-electrons.com/source/net/netfilter/xt_NFQUEUE.c?v=2.6.32

See hash_v4() for instance.
bugzilla-daemon at netfilter.org
2014-May-19 12:51 UTC
[Bug 941] --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

--- Comment #2 from David Nadle <dnadle at hotmail.com> 2014-05-19 14:50:59 CEST ---

(In reply to comment #1)
> Are you generating traffic from the same source address?
>
> The load sharing uses a hash-based approach based on that and the layer 4
> protocol number.

The hash appears to be based on the source IP xor'ed with the destination IP. A quick peek at iptstate reveals multiple source IP, destination IP, and protocols in use. I am running NAT. Does that make a difference?
bugzilla-daemon at netfilter.org
2014-Jun-20 15:14 UTC
[Bug 941] --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

--- Comment #3 from David Nadle <dnadle at hotmail.com> 2014-06-20 17:14:52 CEST ---

The problem continues with kernel 2.6.32-431.20.3.el6.x86_64.
bugzilla-daemon at netfilter.org
2014-Jul-30 13:36 UTC
[Bug 941] --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

--- Comment #4 from David Nadle <dnadle at hotmail.com> 2014-07-30 15:36:42 CEST ---

The problem continues with kernel 2.6.32-431.20.5.el6.x86_64.
bugzilla-daemon at netfilter.org
2014-Aug-08 19:22 UTC
[Bug 941] --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

--- Comment #5 from David Nadle <dnadle at hotmail.com> 2014-08-08 21:22:47 CEST ---

The problem continues with kernel 2.6.32-431.23.3.el6.x86_64.
bugzilla-daemon at netfilter.org
2016-Feb-16 19:46 UTC
[Bug 941] --queue-balance sending all traffic to queue 0
https://bugzilla.netfilter.org/show_bug.cgi?id=941

Pablo Neira Ayuso <pablo at netfilter.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |---      |WONTFIX

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Please contact your kernel vendor, we only take care of vanilla Linux kernel bug reports.
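An added example, not part of the thread or of netfilter's code: a small parser for the /proc/net/netfilter/nfnetlink_queue output quoted in the original report, used to check how packets are spread over a --queue-balance range. The column names are an assumption based on the 9-field layout printed by kernels of that era, with the eighth field (id_sequence) taken as the number of packets queued so far.

```python
from collections import namedtuple

# Assumed column order of the 9-field line (see lead-in); the trailing
# constant "1" is ignored and newer kernels append further fields.
FIELDS = ("queue", "peer_portid", "queue_total", "copy_mode", "copy_range",
          "queue_dropped", "user_dropped", "id_sequence")
QueueStat = namedtuple("QueueStat", FIELDS)

# The four lines quoted in the bug report.
REPORTED = """\
0 2010 0 2 65535 0 0 92116 1
1 -4195 0 2 65535 0 0 0 1
2 -4196 0 2 65535 0 0 0 1
3 -4197 0 2 65535 0 0 0 1
"""

def parse_queues(text):
    """Return {queue number: QueueStat}, skipping blank or malformed lines."""
    stats = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < len(FIELDS):
            continue
        try:
            values = [int(c) for c in cols[:len(FIELDS)]]
        except ValueError:
            continue  # not a statistics line
        stat = QueueStat(*values)
        stats[stat.queue] = stat
    return stats

def balance_report(stats, first, last):
    """Summarise how packets were spread over --queue-balance first:last."""
    wanted = range(first, last + 1)
    # Queues in the range with no listener bound do not appear in the file.
    unbound = [q for q in wanted if q not in stats]
    seen = {q: stats[q].id_sequence for q in wanted if q in stats}
    total = sum(seen.values())
    share = {q: (n / total if total else 0.0) for q, n in seen.items()}
    idle = [q for q, n in seen.items() if n == 0]
    dropped = {q: stats[q].queue_dropped + stats[q].user_dropped
               for q in seen if stats[q].queue_dropped or stats[q].user_dropped}
    return {"unbound": unbound, "idle": idle, "share": share, "dropped": dropped}

if __name__ == "__main__":
    report = balance_report(parse_queues(REPORTED), 0, 3)
    for q, s in sorted(report["share"].items()):
        print(f"queue {q}: {s:6.1%} of queued packets")
    print("idle queues:", report["idle"], "unbound:", report["unbound"])
```

On a live system, pass the contents of /proc/net/netfilter/nfnetlink_queue to `parse_queues` instead of `REPORTED`; an idle queue with a bound listener is the symptom reported in this bug.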