bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 02:10 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter@linuxace.com

------- Additional Comments From netfilter@linuxace.com 2005-02-24 02:10 MET -------
Any recent testing on this? In the year since this was last commented on, a number of expectation-related patches have been merged which may have been related, and using 2.6.11-rc4, I am unable to reproduce the symptoms seen in this report.

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 03:58 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From mschwendt@users.sf.net 2005-02-24 03:58 MET -------
Well, in the same year the symptoms were confirmed as affecting the 2.6 kernel series, too,

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112630

and unless a fix has been applied _very_ recently, I assume the problem persists. There are still users who see Fedora Core's iptables service script hang upon "Unloading iptables modules". And I bet debugging will reveal that it's modprobe again, waiting forever for removal of a netfilter module. E.g. here

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112630#c9

but also yesterday on fedora-list.
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 06:53 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From netfilter@linuxace.com 2005-02-24 06:53 MET -------
Without trying to disrespect RedHat and/or FC, the policies of:

1) unloading then reloading netfilter modules on restart
2) unloading netfilter modules on shutdown

don't seem to be a bright idea (and I certainly don't do this on the production firewalls I operate).

So is this a bug in redhat or netfilter? You seem undecided yourself, since you've posted bugs in both places.

I would posit that the netfilter modules were not designed to be unloaded/reloaded on an operational firewall, which would tend to agree with Dave Miller's network driver module removal policy as noted here:

http://marc.theaimsgroup.com/?l=linux-kernel&m=105915495603446&w=2

Perhaps the netfilter modules should follow suit?
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 07:27 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From mschwendt@users.sf.net 2005-02-24 07:27 MET -------
"modprobe -r ip_conntrack" is possible, and hence it ought to work. Or do you want to require a reboot to remove kernel modules?

Unloading of iptables modules on service script restart is optional in Fedora Core. And with knowledge of a work-around, my personal interest in a fix is not high. It would be in the interest of the netfilter project to fix this, though.

> So is this a bug in redhat or netfilter?

Consider re-reading the comments within this ticket.

> You seem undecided yourself,
> since you've posted bugs in both places.

No. That's a misimpression based on not reading through the comments. Both tickets were not opened by me. It is common procedure to inform a Linux distribution vendor about defects in its product and expect the vendor to develop an erratum or forward bug reports upstream. Especially if "user == customer" holds true. Customers are not expected to get access to hundreds or thousands of individual bug tracking systems or mailing-lists of upstream software vendors.

> I would posit that the netfilter modules were not designed to be
> unloaded/reloaded on an operational firewall,

Even on an isolated machine with no traffic, see e.g. comment 18, and an empty connection tracking table, unloading of ip_conntrack was not possible. And yes, if this apparent misbehaviour (99% CPU usage with a hanging modprobe -r) is by design, module removal ought to be made impossible.
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 09:38 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From kaber@trash.net 2005-02-24 09:38 MET -------
I've seen the problem happening on 2.4.29 recently, so we should keep it open for now. It would be great if RH and others could feed their information regarding this problem upstream.
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 09:44 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From mschwendt@users.sf.net 2005-02-24 09:44 MET -------
As linked before:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103177 (WONTFIX)
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112630 (still open)
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 09:55 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From kaber@trash.net 2005-02-24 09:55 MET -------
Unfortunately both don't contain useful information. Some information about the environment in which this happens would be useful. Like: kernel config, iptables rules, traffic patterns (TCP, NFS, fragments, ...), routes, routing rules, traffic control, ...
bugzilla-daemon@bugzilla.netfilter.org
2005-Feb-24 10:23 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From mschwendt@users.sf.net 2005-02-24 10:23 MET -------
Hmm, I can't assist with that anymore, considering that there was more than a year of silence, after I had offered interest here and also tried the suggested patches.

The open rh ticket lists the used iptables rules set. An old duplicate one lists loaded netfilter modules:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103573

Kernel config is either stock Red Hat Linux 7.3, 8.0, 9, (all three have reached end-of-life) to Fedora Core 1, 2, and 3.
bugzilla-daemon@bugzilla.netfilter.org
2005-Mar-15 06:17 UTC
[Bug 91] conntrack unload loops forever (reproducible)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91

------- Additional Comments From netfilter@linuxace.com 2005-03-15 06:17 MET -------
Created an attachment (id=109)
 --> (https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=109&action=view)
proposed patch

The attached fixes the problem for me...submitted to netfilter-devel for comments.