Created attachment 450226 [details, diff] the working patch (for me) Hello, I'm testing a transparent proxying setup with squid web proxy (with tproxy). The first query, which is intercepted by the proxy, usually returns, but the second leads to problems. These problems include server hangs and reboots via watchdog (most probably kernel panic), kernel messages about "null pointer deference" and "Attempt to release TCP socket in state 10". An example is given at the end of the post. Doing a little research, I found a mailing list with a similar problem: https://www.mail-archive.com/netdev@vger.kernel.org/msg123468.html The proposed patch from the mailing list works for me (I attached it here). I'm not sure why it's not in the upstream yet though. kernel: IPv4: Attempt to release TCP socket in state 10 ffff8807f6e79680 <...> kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 kernel: IP: [<ffffffff8135c764>] 0xffffffff8135c764 kernel: PGD 0ยท kernel: Oops: 0000 [#1] SMP kernel: CPU: 0 PID: 2983 Comm: squid Not tainted 4.7.7-hardened #2 kernel: Hardware name: Supermicro X10SLL-F/X10SLL-F, BIOS 2.0 04/24/2014 kernel: task: ffff8807f8b8f0c0 ti: ffff8807f8b8f750 task.ti: ffff8807f8b8f750 kernel: RIP: 0010:[<ffffffff8135c764>] [<ffffffff8135c764>] 0xffffffff8135c764 kernel: RSP: 0018:ffffc90006713c20 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 kernel: RDX: ffff8807f6ef7480 RSI: ffff8807f6e79680 RDI: ffffc90006713c78 kernel: RBP: ffffc90006713c98 R08: ffffc90006713c40 R09: 0000000000000000 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: ffff8807f6e79680 kernel: R13: ffff8807f8b8f0c0 R14: ffffc90006713d28 R15: ffff8807fbc1d600 kernel: FS: 0000036289839740(0000) GS:ffff88081fc00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000010 CR3: 0000000001ea6000 CR4: 00000000001606f0 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 kernel: Stack: kernel: ffffffffffff4111 ffffffffffff4111 ffffffffffff4111 ffffffffffff4111 kernel: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 kernel: 0000000000000000 0000000000000000 0000000000000000 80196bbcd37b205e kernel: Call Trace: kernel: [<ffffffff8135c8ef>] 0xffffffff8135c8ef kernel: [<ffffffff813591e6>] 0xffffffff813591e6 kernel: [<ffffffff81870073>] 0xffffffff81870073 kernel: [<ffffffff81870151>] 0xffffffff81870151 kernel: [<ffffffff8121a15b>] 0xffffffff8121a15b kernel: [<ffffffff8121a2b1>] 0xffffffff8121a2b1 kernel: [<ffffffff8121a9d8>] 0xffffffff8121a9d8 kernel: [<ffffffff81a194d9>] 0xffffffff81a194d9 kernel: Code: 25 28 00 00 00 48 89 45 e0 31 c0 4c 8d 45 a8 31 c0 b9 07 00 00 00 4d 8b 94 24 58 02 00 00 4c 89 c7 f3 48 ab 49 8b 95 c8 06 00 00 <41> 8b 72 10 83 fe 01 74 > kernel: RIP [<ffffffff8135c764>] 0xffffffff8135c764 kernel: RSP <ffffc90006713c20> kernel: CR2: 0000000000000010 kernel: ---[ end trace 3167cad96581af32 ]---
Created attachment 450808 [details] emerge --info
Created attachment 450810 [details] kernel config
iptables rules to enable transparent proxying: -t mangle -N tproxy_bypass -t mangle -A tproxy_bypass -j MARK --set-xmark 0x10/0x10 -t mangle -A tproxy_bypass -j ACCEPT -t mangle -A PREROUTING -p tcp -m socket --transparent -j tproxy_bypass -t mangle -A PREROUTING ! -d $LOCAL_NET -i $INNER_IFACE -p tcp -m tcp --dport 80 -j TPROXY --on-port 50080 --on-ip 0.0.0.0 --tproxy-mark 0x10/0x0 -t mangle -A PREROUTING ! -d $LOCAL_NET -i $INNER_IFACE -p tcp -m tcp --dport 443 -j TPROXY --on-port 50443 --on-ip 0.0.0.0 --tproxy-mark 0x10/0x0 routing adjustments: ip rule add fwmark 0x10/0x10 table 10 ip route add local default dev lo table 10
Good news, everyone! The request could be closed since the patch landed in sys-kernel/hardened-sources-4.8.6.