Migration to the new hardened kernel 2.6.24-r1 breaks the local transparent proxy on SQUID. Some POST requests are not passed correctly by the proxy to their destination. The symptom is malfunction of a number of web services where relatively large files are uploaded by a client. One of them is gmail.com. Digging into the trouble I've figured out a difference in the working of the REDIRECT target in iptables between versions 2.6.23-r11 and 2.6.24-r1 of the hardened kernels. For redirecting outgoing HTTP connections to my transparent proxy I'm using a similar iptables line

-A OUTPUT -o ! lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082

Reproducing a series of tests on this redirect like

$ dd if=/dev/urandom bs=1024 count=$[1024*8] of=smp.orig
$ netcat -l -p 8082 > rec.01 &
$ cat smp.orig | netcat some_outer_address 80

shows periodic stalls in data transfer. So most of the files rec.x have been transferred incompletely under version 2.6.24-r1. Under kernel 2.6.23-r11 all transfers have been done completely, and direct transfer to port 8082 also gives a positive result on both kernels. Maybe this difference is connected with the malfunction of my proxy.
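The reproduction above, turned into a repeatable script as an added example (this is not the reporter's own code): it runs the transfer a number of times through the REDIRECT path and, as a control, straight to the listener port, treats a received file that stops growing before reaching the original's size as a stall, and counts incomplete copies so the two kernels can be compared by number. The listener port 8082, the peer address 198.51.100.10 (an RFC 5737 test address, which only needs a route so the packet reaches the OUTPUT chain), the 8 MiB size and the file names are assumptions; the REDIRECT rule is written with an explicit "-t nat", which the line in the report leaves implicit. Running the transfers needs root for the iptables rule and a netcat that accepts the "-l -p" form the reporter used.

```shell
#!/bin/sh
# Added example, not from the original report: count stalled or incomplete
# transfers through an iptables REDIRECT rule, with a direct-to-listener
# control series. Port, peer address, file size and names are assumptions.
set -u

PROXY_PORT=${PROXY_PORT:-8082}
PEER=${PEER:-198.51.100.10}   # assumption: any non-loopback address with a route
SIZE_KB=${SIZE_KB:-8192}      # 8 MiB, as in the report
RUNS=${RUNS:-10}
STALL_SECS=${STALL_SECS:-5}   # no growth for this long counts as a stall

# The REDIRECT target lives in the nat table. Older iptables spell the
# negation "-o ! lo", newer ones "! -o lo"; adjust to the installed version.
add_redirect_rule() {
    iptables -t nat -A OUTPUT ! -o lo -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Compare the received file with the original. Prints a verdict and returns 0
# only when the copy is complete and byte-identical.
check_transfer() {
    orig=$1; recv=$2
    osz=$(( $(wc -c < "$orig") ))
    if [ -f "$recv" ]; then rsz=$(( $(wc -c < "$recv") )); else rsz=0; fi
    if [ "$rsz" -ne "$osz" ]; then
        echo "incomplete: $rsz of $osz bytes"; return 1
    fi
    if ! cmp -s "$orig" "$recv"; then
        echo "corrupt: size matches but content differs"; return 1
    fi
    echo "ok: $osz bytes"; return 0
}

# Poll the output file: return 0 as soon as it reaches the expected size,
# 1 once it has stopped growing for STALL_SECS seconds without getting there.
wait_for_transfer() {
    out=$1; want=$2; last=-1; idle=0
    while [ "$idle" -lt "$STALL_SECS" ]; do
        now=$(( $(wc -c < "$out") ))
        [ "$now" -eq "$want" ] && return 0
        if [ "$now" -eq "$last" ]; then idle=$((idle + 1)); else idle=0; last=$now; fi
        sleep 1
    done
    return 1
}

# One transfer: start the listener, push smp.orig at dst_host:dst_port, wait
# for completion or a stall, tear both ends down and check the copy.
one_run() {
    dst_host=$1; dst_port=$2; out=$3
    : > "$out"
    netcat -l -p "$PROXY_PORT" > "$out" &
    lpid=$!
    sleep 1
    cat smp.orig | netcat "$dst_host" "$dst_port" &
    spid=$!
    wait_for_transfer "$out" "$(( $(wc -c < smp.orig) ))" || true
    kill "$lpid" "$spid" 2>/dev/null; wait "$lpid" "$spid" 2>/dev/null
    check_transfer smp.orig "$out"
}

# RUNS transfers over one path; returns the number of incomplete copies.
run_series() {
    label=$1; dst_host=$2; dst_port=$3; fails=0; i=1
    while [ "$i" -le "$RUNS" ]; do
        printf '%s run %d: ' "$label" "$i"
        one_run "$dst_host" "$dst_port" "rec.$label.$i" || fails=$((fails + 1))
        i=$((i + 1))
    done
    echo "$label: $fails of $RUNS transfers incomplete"
    return "$fails"
}

main() {
    [ -f smp.orig ] || dd if=/dev/urandom bs=1024 count="$SIZE_KB" of=smp.orig 2>/dev/null
    run_series direct 127.0.0.1 "$PROXY_PORT"   # control: expected 0 on every kernel
    run_series redirect "$PEER" 80              # via the REDIRECT rule
}

# Transfers only start when invoked as "sh redirect-stall-test.sh run".
if [ "${1:-}" = run ]; then main; fi
```

Add the rule once with add_redirect_rule (as root), then run `sh redirect-stall-test.sh run` on each kernel; the direct series is the control the report describes as passing on both kernels, so a non-zero count there points at the test setup rather than at REDIRECT.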
NEEDINFO. emerge --info ; attach kernel.config and reopen.
Created attachment 152869: kernel 2.6.24-r1 config
$ emerge --info
Portage 2.1.5_rc1 (default-linux/x86/2007.0, gcc-4.2.3, glibc-2.7-r2, 2.6.23-hardened-r11 i686)
=================================================================
System uname: 2.6.23-hardened-r11 i686 Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz
Timestamp of tree: Sat, 10 May 2008 17:03:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p33
dev-java/java-config: 1.3.7, 2.1.2-r1
dev-lang/python: 2.4.4, 2.5.2-r2
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 2.0.0
sys-apps/openrc: 0.2.3
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.24
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CPPFLAGS="-march=pentium4 -O2 -pipe"
CXXFLAGS="-march=pentium4 -O2 -pipe"
DISTDIR="/var/db/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://c.aliki.ru/pub/mirror/gentoo"
LANG="ru_RU.UTF-8"
LDFLAGS=""
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/var/db/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/db/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa avi bash-completion berkdb bzip2 chroot cli consolekit cracklib crypt cups dba dbus divx4linux dri exif fbcon fontconfig fortran gdbm gtk2 hal iconv ipv6 isdnlog jbig jpeg jpeg2k lcms matroska memlimit midi mmx mpeg mudflap ncurses nptl nptlonly openexr opengl openmp pam pcre pic png pppd python qt readline reflection rtc sasl session spl sse sse2 ssl svg tcpd threads tiff unicode usb x86 xorg xv xvid zlib"
ALSA_CARDS="emu10k1"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="authz_groupfile authz_user authz_owner authn_file auth_basic authz_svn_module filter unique_id access authz_host auth auth_dbm auth_anon auth_digest alias file_cache echo charset_lite cache disk_cache mem_cache ext_filter case_filter case_filter_in deflate mime_magic cern_meta expires headers usertrack proxy proxy_connect proxy_ftp proxy_http info include cgi cgid dav dav_fs dav_lock vhost_alias speling rewrite log_config logio env setenvif mime status autoindex asis negotiation dir actions so"
APACHE2_MPMS="worker"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="v4l fbcon vesa"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
I've looked into this bug. A lot has changed between these releases, but I can't find any changes that would obviously create the problem you describe. Further, PaX/grsec don't touch ipt_REDIRECT and friends so I don't see where they could interfere. Could be a regression in one of the networking hardware drivers itself. Are you by any chance in a position to test gentoo-sources-2.6.23-r9 vs. gentoo-sources-2.6.24-r8 (which is really the more important test of the two)? Thanks.
(In reply to comment #4)
> Are you by any chance in a position to test gentoo-sources-2.6.23-r9 vs.
> gentoo-sources-2.6.24-r8 (which is really the more important test of the two)?
> Thanks.

Thank you for your attention to my problem. I've checked this issue against gentoo kernels and the result is the same. I.e. under gentoo-sources-2.6.23-r9 everything is OK (except transferring a 4-6 Mb file takes about two minutes, but in the buggy kernel transfers complete instantly if they do not stall) and under gentoo-sources-2.6.24-r8 I still have my bug. Yes, it seems it is not a hardened bug.
Changing summary, re-assigning to kernel team and CCing myself. Thanks for testing. Would also be interesting to know how 2.6.25 works for you - hopefully the situation improved. If a fix can be found/isolated and does not appear unsafe/experimental, etc. I'll consider it for inclusion in a later hardened-sources-2.6.24 release. I have an inkling you may have to get real friendly with git bisect to find what's causing this particular problem.
Did anything interesting show up in dmesg after the stalls started?
(In reply to comment #6)
> Thanks for testing. Would also be interesting to know how 2.6.25 works for you
> - hopefully the situation improved.

2.6.25 works fine. The series of data has been transferred instantly and without stalls. But the new kernel compiled with the old config file refused to load the iptables line with REDIRECT targets (the ipt_REDIRECT module was loaded successfully). I haven't dug into this problem; building all available iptables modules solves this fault.

> If a fix can be found/isolated and does not appear unsafe/experimental, etc.
> I'll consider it for inclusion in a later hardened-sources-2.6.24 release. I
> have an inkling you may have to get real friendly with git bisect to find
> what's causing this particular problem.

Ok, I'll look at the recent patches between the .24 and .25 kernels on the upcoming weekends.

(In reply to comment #7)
> Did anything interesting show up in dmesg after the stalls started?

Nope, nothing extraordinary.
Closing as this is fixed in 2.6.25, which we'll hopefully have headed towards stable soon.
(In reply to comment #9)
> Closing as this is fixed in 2.6.25, which we'll hopefully have headed towards
> stable soon.

I've made a mistake. Unfortunately this issue is valid for the 2.6.25 kernel too. It was difficult to detect where this bug appears with git bisect as there is no reliable method of detecting it. I have worked with the new hardened kernel 2.6.25 without problems for 2 or 3 weeks. But today the problem arose again. I have no idea why. Actually, there is only one thing with my system that bothers me. It is the network card driver sky2. In dmesg it outputs strings like this

sky2 eth0: rx error, status 0x2cc0020 length 720
sky2 eth0: rx error, status 0x5ea0002 length 1514
sky2 eth0: rx error, status 0x5ea0002 length 1514
sky2 eth0: rx error, status 0x1f20020 length 498
sky2 eth0: rx error, status 0x4dc0020 length 1248
sky2 eth0: rx error, status 0x4a10020 length 1185
sky2 eth0: rx error, status 0x2dc0020 length 732
sky2 eth0: rx error, status 0x5ea0002 length 1514

And the MTU is set by default to 576 while the real one is 1500. Every time after reboot I'm changing the MTU by hand via ifconfig, as mtu_eth0="1500" in /etc/conf.d/net does not work. Maybe this feature is somehow connected with this issue.