khorwood, 10 months ago

@jerry I'm glad you were able to figure it out, despite the brain fog. I swear it took months before I could properly use my brain to solve complex puzzles after recovering from COVID.

SpaceLifeForm, 10 months ago

@jerry

Interesting.

Netfilter data corruption?

Are you trying magic with dynamic rule changes?

jerry, 10 months ago

@SpaceLifeForm I do use dynamic rule changes.

SpaceLifeForm, 10 months ago

@jerry

Is eBPF in the picture?

jerry, 10 months ago

@SpaceLifeForm no, just a script that adds rules based on certain events

SpaceLifeForm, 10 months ago

@jerry

Those events can occur at supposedly random times and frequently, correct?

That the events are externally driven outside of your control, correct?

Is SMT Disabled?

SpaceLifeForm, 10 months ago

@jerry

Bottom line, it sure looks like a bug in the kernel code, either Netfilter or WireGuard.

I will bet you that it is a Race Condition bug due to having SMT enabled.

Either way, it is important that we find it.

jtk, 10 months ago

@jerry connection table state full?

frehi, 10 months ago

@jerry
I once had problems because newer iptables on #debian is basically a compatibility layer using #nftables in the background. Flushing all rules with iptables would remove the nftables rules but not the #netfilter rules. I had to use iptables-legacy to flush the #netfilter rules.

starchy, 10 months ago

@jerry did you maybe hit a netfilter conntrack limit? That’s bit me before when ramping up traffic

jerry, 10 months ago

@starchy that sounds like a possibility. Do you know how you fixed that?

starchy, 10 months ago

@jerry iirc bumping the limit hilariously high (into the billions)

starchy, 10 months ago

@jerry Just getting back to this now. Mind you this was on a less recent Debian version, so ymmv, but I had the line

net.netfilter.nf_conntrack_max = 4000000

in /etc/sysctl.d/netfilter.conf. You can also echo the value to /proc/net/netfilter/nf_conntrack_max if you want to set it without a reboot.

If the values of /proc/net/netfilter/nf_conntrack_count and /proc/net/netfilter/nf_conntrack_max are ever equal, you're in trouble for sure.

Also note this will be under /proc/net/ipv4 or /proc/net/ipv6 on some distros.

hadret, 10 months ago

@jerry Yep, happened to me as well, number of times

jerry, 10 months ago

and let me tell you - this was fun to solve with covid brain fog...

NorCal_Lynne, 10 months ago

@jerry I haven’t had Covid yet, that I know of, but a lot of people have reported what sounds kinda scary “brain fog “ , hope it goes away and you start feeling better

Fog GIF

redezem, 10 months ago

@jerry Oh dude, vibe. When I had it last it was hard enough to make instant ramen, can't imagine doing network infra debugging. I feel for you man, get well soon.

gangrif, 10 months ago

@jerry your torment is appreciated.. or i assume it is.. i appreciate you whether i’m on your instance or not.

alex, 10 months ago

@jerry hugs! I hope you won’t get the post covid fatigue. I still have some after almost 2 years since my last covid :(

uzayran, 10 months ago

@jerry oof, no idea how you're getting any work done. Going through the same rn. I hope you'll get well soon