I think I've triggered a bug in the ipchains/iptables part of the kernel. Here is the
story :
The server was a 866MHz PIII with 384 MByte of RAM running RH7.1 with a 2.4.5-ac21 kernel.
It was used as a router/firewall with 2 netcards (not sure which type, but I don't think
that's important). Using this machine as a plain router was no problem at all, and serving
a class C net onto a 3 MBit line was a just a walk in the park, the machine was idle for
most of the time. Then we decided to set up transparent proxy and used a pretty standard
setup redirecting all port 80 accesses with ipchains to squid. Things worked fine for a
while (about 2 hrs) until we noticed that the machine got extremly unresponsive on the
console. A 'top' session showed us that the machine was almost a 100% in system time. If
we disconnected the some of the segments on the C net, system time went down a bit. We
rebooted the machine and noticed that the system time started at zero and went slowly
upwards until it reached 100 (after about 2hrs) and we just needed to reboot again. We
just disabled the ipchains stuff, and now the server is rock solid with a 'normal' proxy
setup (and 100% idle almost all the time). Just for the record : We also tried standard
RH7.1 kernels (2.4.2-2 and 2.4.3) with the same results.
Any ideas ? Anybody experienced similar behaviour ? It looks like a resource leak
somewhere in the IP filter code to me.
Regards,
-- Steffen Persvold Systems Engineer Email : mailto:sp@scali.no Scali AS (http://www.scali.com) Tlf : (+47) 22 62 89 50 Olaf Helsets vei 6 Fax : (+47) 22 62 89 51 N-0621 Oslo, Norway - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/