Hello,i am using ipset longer then year on many routers. On routers under high load (gigabit network, 300Mbps+, many packets.) we discover problem with ipset (debian stretch ipset version 6.30, vanilla kernel 4.19.12)
I often swap and destroy sets (ipset), for "zeroing counters" (on time in 5 minutes)
After few days of router normal operation the command #ipset destroy <table_name>hang in kernel, proccess is seeing as D - uninterruptable. After this happen, i couldn't make succesfully any "ipset destroy .." or "ipset swap .." operation, or command iptables -S hang too and we have other problem with mount or other kernel operation. After that load is higher and higher, use of memory is higher and only way how to solve this is reboot router, panic ocurs aproximately 4-6 hours after the comannd hangs.
We try change the debian package ipset 6.30, with ipset 7.1 and compile last kernel ipset modules from source against kernel 4.19.12 as extra/ and change it in our kernel router. The problem still persist with this new ipset modules too.
We do not se any messages in kernel log with problem.The problem occurs with r8169 driver, with r8168 driver too. The problem ocurs with e1000e driver on other hardware.
In older kernel 4.16.8 this do not happen.Is this kernel problem or problem with ipset? Is other way how to zeroing counter in ipset? Or is it problem with swapping and destroying sets, when we do it so often?
Thanks. Martin MaKr Kratochvíl
Attachment:
smime.p7s
Description: Elektronicky podpis S/MIME
