Re: ipchains redirect failing in 2.4.5 (and 2.4.13)

David Lang (david.lang@digitalinsight.com)
Tue, 30 Oct 2001 06:53:27 -0800 (PST)


not my morning, after fixing the redirect problem now get the same
failure intermittently when going through the redirect.

I can trigger the problem with as few as two sequential requests. the log
on the firewall shows that both requests are completed (with the same byte
counts in each direction) but the requesting machine apparently never sees
the end of the connection and so it hangs.

I would be suspecting network hardware except for the fact that I can only
duplicate the problem when hitting the redirect, never when hitting the
port directly.

I am in the process of gathering tcpdumps on all the machines to compare
them and will post them when I have them

David Lang

On Tue, 30 Oct 2001, David Lang wrote:

> never mind, there was a http redirect comeing back that was causing this
> test to fail.
>
> back to the trying to find out why the machine slowed down so drasticly
> :-(
>
> David Lang
>
> On Tue, 30 Oct 2001, David Lang wrote:
>
> > Date: Tue, 30 Oct 2001 05:39:33 -0800 (PST)
> > From: David Lang <david.lang@digitalinsight.com>
> > To: linux-kernel@vger.kernel.org
> > Subject: Re: ipchains redirect failing in 2.4.5 (and 2.4.13)
> >
> > I just confirmed that the problem still happens on 2.4.13.
> >
> > I also confirmed that I can suplicate the problem without multiple
> > simultanious connections. if I do ab -n 50 (50 connections as fast as an
> > athlon 1.2GHz can fire them off) I get the same failure. If the
> > connections arrive at a sufficiantly slow rate the redirect works (no idea
> > yet what that rate is yet)
> >
> > doing the test directly to the proxy port results in ~5
> > connections/second. I don't see any reason that this should be enough to
> > cause problems.
> >
> > David Lang
> >
> >
> > On Tue, 30 Oct 2001, David Lang wrote:
> >
> > > Date: Tue, 30 Oct 2001 05:04:35 -0800 (PST)
> > > From: David Lang <david.lang@digitalinsight.com>
> > > To: linux-kernel@vger.kernel.org
> > > Subject: ipchains redirect failing in 2.4.5
> > >
> > > I am attempting to track down a problem I have run into with 2.4.5
> > >
> > > I have a firewall that has proxies listening on ports 1433-1437. If I
> > > connect to these proxies on these ports I have no problems, however if I
> > > put in an ipchains rule to redirect port 1433 on a second IP address to
> > > port 1436 (for example) and then hammer the box with ab -n 500 -s 20 the
> > > first 20 or so connections get through and then the rest timeout. doing
> > > repeated netstat -an on the firewall during this process shows an inital
> > > burst of 15 connections that get established, a pause, and then a handfull
> > > more get established, followed by those 20 connections being in TIME_WAIT
> > >
> > > again, connection to the same IP address on the real port the proxy is
> > > listening on has no problems, it's only when going through the redirect
> > > that it fails.
> > >
> > > any suggestions, tuning paramaters I missed, or tests I need to run to
> > > track this down?
> > >
> > > David Lang
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > > Please read the FAQ at http://www.tux.org/lkml/
> > >
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
> >
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/