Version: 6.15 (other not tested)
Problem: router reboot
Cause: too many "connection tracker" connections
Context: stress test (curiosity), not general usage.
ip-firewall-connections-Max Entries: 220952
jan/01/2002 04:00:07 system,error,critical System rebooted because of kernel failure
jan/01/2002 04:00:08 system,error,critical Out of memory condition was detected
jan/01/2002 04:00:08 system,error,critical router was rebooted without proper shutdown
Since the "conntrack UDP default timeout" is 30 seconds, we can easily abuse/stress it.
Goal: create a huge amount of NAT records.
Details: send many UDP packets through NAT (connection tracking ON) with different dest./src ports.
Tested with script:
Every 100 ms, until port 65535:
1. From 100 local UDP sockets, send a packet to IP, to port range 50000 - 50300.
2. Change the port offset by +300.
(65535 - 50000) * 100 NAT records. 30000 (theoretical) records per second.
For me: ~40000 "firewall connections" already consume 90 MB (no Queues enabled, no mangle rules enabled). Free memory => 0
"/ip firewall connection" count => 1553500
Router => reboot
Kernel failure. Out of memory. Router rebooted.
Drop packets. Don't try to create new NAT records when no more memory.
Node.js script: https://gist.github.com/Befzz/88019748abcef04d3301
Usage: node udp_stress.js IP_WITH_NAT
In the script file: change PORT_START and SOCKETS_COUNT to be more stressful.