
Re: Scrub and Kernel Panics

On Thu, 2002-11-14 at 05:25, Daniel Hartmeier wrote:
> On Thu, Nov 14, 2002 at 11:16:42AM +0100, Dries Schellekens wrote:
> > I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
> > is still open. So it's still possible to crash a firewall if you don't
> > have a state limit set. And apparently it's possible to crash it even when
> > a fragment limit is set.
> Yes, pool exhaustion still causes crashes. If you don't set frag/state
> limits (or set them too high), you'll get them. It's certainly possible
> to fix it, but not exactly trivial. The PR is still open, and [email protected] knows
> about the problem. Set low enough limits (there's no precise formula to
> calculate the numbers, but you can verify chosen limits are safe by
> sending traffic that creates fragment and state entries, increasing the
> relevant timeouts if needed, during the test).
Is "pool exhaustion" equatable to "memory exhaustion"?  If that's the
case, that is definitely *not* what I'm experiencing.  The box has
plenty of available memory and CPU.  It's busy cranking away with a 5k
frag limit, when it will simply panic.  If you'd like me to provide some
of the error messages, I'll be happy to.  They always refer to some sort
of packet normalization code (ip_norm?), usually a pointer error.
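A defender-side check in the spirit of the advice quoted above, added here and not part of the original thread: a small sh script that reads the hard limits from `pfctl -s memory` and the current state-table size from `pfctl -s info`, so you can watch how much headroom a chosen `set limit` leaves while testing. The output line formats it matches (`frags  hard limit  5000`, `current entries  N`) are assumptions about the pf of that era, and the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the thread. Checks how close pf's pools are to
# their "set limit" ceilings. Assumes `pfctl -s memory` prints lines like
# "frags  hard limit  5000" and `pfctl -s info` prints "current entries  N";
# adjust the awk patterns if your pf version formats them differently.

# Print the hard limit for one pool ("states" or "frags") from
# `pfctl -s memory` output supplied on stdin.
pf_hard_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Print the current state-table entry count from `pfctl -s info` output on stdin.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Return 0 if current usage is below max_percent of the limit, 1 otherwise.
# Usage: pf_within_headroom <current> <limit> <max_percent>
pf_within_headroom() {
    cur=$1; lim=$2; pct=$3
    [ "$lim" -gt 0 ] 2>/dev/null || return 1
    [ $(( cur * 100 / lim )) -lt "$pct" ]
}

# Live check on a real host: compare the state table with its hard limit.
# Only runs where pfctl exists, so the parsing functions stay testable offline.
pf_check_live() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 2; }
    lim=$(pfctl -s memory | pf_hard_limit states)
    cur=$(pfctl -s info | pf_current_states)
    if pf_within_headroom "$cur" "$lim" 80; then
        echo "states: $cur / $lim (ok)"
    else
        echo "states: $cur / $lim (WARNING: near hard limit; lower timeouts or raise the limit)" >&2
        return 1
    fi
}
```

Run `pf_check_live` from cron or during a load test to see whether the limit, not the pool, is what gets hit first.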