[pve-devel] [PATCH firewall] log and ignore ENOBUFS in nfct_catch

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jan 9 17:16:50 CET 2019


On 1/9/19 4:57 PM, Alexandre DERUMIER wrote:
> OK, it correctly continues to work after the error message now.
> 
> But I still have a hang after that (after some seconds, or minutes).
> Any error message in this case.

Can you check cat /proc/PID/stack or attach with GDB to see
where exactly it hangs then?

> 
> (This is a really busy server, I have around 400MB of log for 10 minutes)
> 

Which sort of traffic runs over it? Maybe we/David can produce some
similar test traffic to reproduce it.

> cat /var/log/pve-firewall.log |grep -c NEW
> 1465965
> # cat /var/log/pve-firewall.log |grep -c DESTROY
> 658931
> 
> Maybe it could be great to have an option like ulogd, to choose to log DESTROY or NEW or both.
> Maybe also be able to add some src + dst filtering option. (If I want to filter internal->external traffic for example).



