Hi Jozsef, thank you for your work on diagnostic problem. (To mailling list sent without attachment) Dne 12.1.2019 v 14:51 Jozsef Kadlecsik napsal(a):
Hi Martin, On Fri, 11 Jan 2019, Martin Kratochvíl wrote:Is there any ipset operation (list/swap/etc.) executed in parallel with the destroy command which hangs? Is there any kernel message during this time? Couldn't you capture a panic message?We run only sequence of command on two sets like function zeroing() { #create table with name zero_$1 same as $1 with zero counters ipset save $1 | sed 's/packets [0-9]* bytes [0-9]* //g' | sed "s/$1/zero_$1/g" | ipset -! restore #swap new zeroed table with current one ipset swap $1 zero_$1 #send to stdout set with value on counters ipset save zero_$1 #destroy set with old values, we are counting from zero in new one ipset destroy zero_$1 } zeroing set1 zeroing set2 No other "ipset is running from parallel", only iptables packet match against ipset.Could you send me a saved set with the counters on? I'd attempt to reproduce the issue.
I sending ipset and iptables from one router, where Dprocess "ipset destroy " occured. Function zeroing is called from cron every 5minutes and is protected by file lock, so i hope it run only one time.
Now, I try on one machine change "function zeroing" to only listing (#ipset store) and couting increment by awk. I hope it will help for now and it could show where problem could be or what part "of my router scripts" cause it.I will try solve my situation with not zeroing sets, and count difference of packets by script or zeroing each record in set individually.That's only a workaround, there should be no problem whatsoever in the usage above.
If you provide me some manual how i can get more information for you, i do it. Or i could provide you ssh access to one of router, when situation occurs again. I will try simulate problems in lab on local router with monitor, but no success cause it in lab. Only in network with real traffic after 2 days or later.If i could help you, i can compile any different version of kernel and try it on routers or different version of ipset with extra kernel modules of this version. if is possible to compile ipset (or load ipset) in debug mode, i could do itThanks! First I'd like to reproduce it and then fix whatever causes the hang of destroying a set.
Best regards, Jozsef - E-mail :kadlec@xxxxxxxxxxxxxxxxx,kadlecsik.jozsef@xxxxxxxxxxxxx PGP key :http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary
Best regards Martin
Attachment:
smime.p7s
Description: Elektronicky podpis S/MIME
