
Memory Leak in VyOS 1.4.2 with Flowtable and NHRP (kmalloc-256 Slab Growth)
Open, Normal, Public, BUG

Description

Category:
Kernel / Flowtable / NHRP / Memory Management

Version Affected:
VyOS 1.4.2
Linux Kernel 6.x (confirmation needed)

Description:
When a tunnel endpoint (NHRP peer) goes down or is disabled, the kmalloc-256 slab cache begins to grow indefinitely, eventually exhausting system memory and leading to a crash (kernel panic).

Steps to Reproduce:

1. Enable Flowtable.
2. Set up multiple NHRP-based tunnels.
3. Disable or disconnect one tunnel endpoint.
4. Monitor /proc/slabinfo — observe uncontrolled growth in kmalloc-256.

Workarounds:

Disable Flowtable: The issue disappears.

Keep all tunnels continuously connected: Prevents the leak from occurring.

Observation:
The issue is tightly correlated with the combination of Flowtable and NHRP. Either component alone does not cause the problem.

Expected Behaviour:

NHRP should handle disconnected peers without triggering memory leaks.

Flowtable and NHRP should work together without causing unbounded memory allocation.

Details

Version: 1.4.2
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
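
The monitoring step in the reproduction above can be automated. The following is an added example, not part of the original report or of VyOS itself: it parses /proc/slabinfo (2.1 layout) and flags a cache whose live bytes only grow across a sampling window. The sample snapshots, polling interval, window size and growth threshold are assumptions.

```python
import time

def parse_slabinfo(text):
    """Parse slabinfo 2.1 text into {cache: (active_objs, num_objs, objsize)}."""
    caches = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the version banner, the '# name ...' header and malformed lines.
        if len(fields) < 4 or fields[0] in ("slabinfo", "#"):
            continue
        try:
            caches[fields[0]] = tuple(int(f) for f in fields[1:4])
        except ValueError:
            continue
    return caches

def active_bytes(text, cache="kmalloc-256"):
    """Bytes held by live objects in one cache (active_objs * objsize)."""
    active, _total, objsize = parse_slabinfo(text)[cache]
    return active * objsize

def leak_suspected(readings, min_growth_bytes):
    """True when the cache never shrank across the window and grew by at
    least min_growth_bytes; ordinary churn rises and falls, a leak only rises."""
    if len(readings) < 3:
        return False
    never_shrinks = all(b >= a for a, b in zip(readings, readings[1:]))
    return never_shrinks and readings[-1] - readings[0] >= min_growth_bytes

# Constructed sample snapshots (not taken from the report).
def sample(active_objs):
    return ("slabinfo - version: 2.1\n"
            "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>\n"
            f"kmalloc-256 {active_objs} {active_objs + 64} 256 32 2 : tunables 0 0 0"
            " : slabdata 100 100 0\n")

LEAKING = [active_bytes(sample(n)) for n in (4000, 9000, 15000, 22000)]
STEADY = [active_bytes(sample(n)) for n in (4000, 4300, 3900, 4100)]

def watch(path="/proc/slabinfo", interval=60, window=10, min_growth=8 << 20):
    """Poll the live file (root required) and report sustained growth."""
    readings = []
    while True:
        with open(path) as fh:
            readings = (readings + [active_bytes(fh.read())])[-window:]
        if leak_suspected(readings, min_growth):
            print(f"kmalloc-256 grew {readings[-1] - readings[0]} bytes "
                  f"over {len(readings)} samples without shrinking")
        time.sleep(interval)

if __name__ == "__main__":
    watch()
```

Running it on a router with and without the flowtable configured gives a direct comparison of the two conditions described in the report.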

Event Timeline

Viacheslav subscribed.

Could you send the minimum "set of commands" to reproduce?
Do you use a flowtable on tun or ethernet only?

Use flowtable on all interfaces including tun.

Hub1
set firewall flowtable DMVPN interface 'eth0'
set firewall flowtable DMVPN interface 'tun0'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'DMVPN'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set interfaces tunnel tun0 address '192.168.0.1/24'
set interfaces tunnel tun0 enable-multicast
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip adjust-mss '1400'
set interfaces tunnel tun0 parameters ip key '12345678'
set interfaces tunnel tun0 source-address '10.10.10.1'
set protocols nhrp tunnel tun0 cisco-authentication '12345678'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect

Hub2
set firewall flowtable DMVPN interface 'eth0'
set firewall flowtable DMVPN interface 'tun0'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'DMVPN'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set interfaces tunnel tun0 address '192.168.1.1/24'
set interfaces tunnel tun0 enable-multicast
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip adjust-mss '1400'
set interfaces tunnel tun0 parameters ip key '87654321'
set interfaces tunnel tun0 source-address '10.10.20.1'
set protocols nhrp tunnel tun0 cisco-authentication '12345678'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect

Spoke1-4 (Tunnel IP : .2-.5)
set firewall flowtable DMVPN interface 'eth0'
set firewall flowtable DMVPN interface 'eth1'
set firewall flowtable DMVPN interface 'tun0'
set firewall flowtable DMVPN interface 'tun1'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'DMVPN'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set interfaces tunnel tun0 address '192.168.0.2/24'
set interfaces tunnel tun0 disable
set interfaces tunnel tun0 enable-multicast
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip adjust-mss '1400'
set interfaces tunnel tun0 parameters ip key '12345678'
set interfaces tunnel tun0 source-address '10.10.10.2'
set interfaces tunnel tun1 address '192.168.1.2/24'
set interfaces tunnel tun1 enable-multicast
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 ip adjust-mss '1400'
set interfaces tunnel tun1 parameters ip key '87654321'
set interfaces tunnel tun1 source-address '10.10.20.2'
set protocols nhrp tunnel tun0 cisco-authentication '12345678'
set protocols nhrp tunnel tun0 map 192.168.0.1/24 nbma-address '10.10.10.1'
set protocols nhrp tunnel tun0 map 192.168.0.1/24 register
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set protocols nhrp tunnel tun1 cisco-authentication '12345678'
set protocols nhrp tunnel tun1 map 192.168.1.1/24 nbma-address '10.10.20.1'
set protocols nhrp tunnel tun1 map 192.168.1.1/24 register
set protocols nhrp tunnel tun1 multicast 'nhs'
set protocols nhrp tunnel tun1 redirect
set protocols nhrp tunnel tun1 shortcut