
Mailing List Archive: iptables: Devel

Kernel panic (destroy_conntrack) unloading nf_conntrack_ftp before

 

 



thomas at gelf

Aug 10, 2007, 1:35 AM

Post #1 of 4 (1212 views)
Kernel panic (destroy_conntrack) unloading nf_conntrack_ftp before

Hi all,

that's my first "bug report" here, so please feel free to kick my ass
for whatever I'm doing wrong ;-)

Yesterday I experienced a kernel panic on 2.6.20.15-vs2.2.0.3-i686-smp
(vServer patch), caused by netfilter. I haven't been able to reproduce
it (and have not been soooo desirous to do so) - but I believe it has
been caused by the following steps:

* for some years we have been using more or less the same kernel config to
build debian kernel packages for most of our servers

* 2.6.20 "broke" our behaviour as all the nf-thingies have been renamed

* we have read a lot of docs, mails etc to really understand what's
going on and modified our config accordingly

* we are using Shorewall on some servers (Debian Etch). Debian's
Shorewall (3.2) contains a /usr/share/shorewall/modules file without
any knowledge about the 2.6.20 module names

* we substituted the modules file with a newer one (always 3.2) and
commented out the SIP module (as I'm a bit sceptical about it, we are
also running some SIP-Proxy-vServers)

* nf_conntrack_ftp has been loaded manually before as a customer
complained about having problems with passive ftp

* later we REMOVED (rmmod) the (seemingly unused at that moment)
nf_conntrack_ftp module and restarted Shorewall (to see if it would
correctly load all modules)

* PENG! Kernel panic (you can find an ugly "screenshot" attached to this
mail)

I guess there may still have been active ftp sessions while unloading
the module, but even if that's the case, in my belief either unloading
should be forbidden or netfilter should in some other way take care of
this - but NEVER panic.

Afterwards we did exactly the same thing (also modprobe / rmmod several
times) on three other servers, all of them running the same kernel,
shorewall and debian: no problem at all. The only difference was that
there has probably been no established ftp session.

Restarting the frozen server (including shorewall, loading the same
modules as before) was fine, also restarting shorewall more than once.

Kind regards,
Thomas Gelf
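
An added example, not part of the original post and not netfilter or Shorewall code: a pre-check for the poster's guess that FTP sessions were still tracked when the module was removed. It counts TCP conntrack entries whose original-direction destination port is the FTP control port. It assumes the /proc/net/nf_conntrack text layout and the helper's default port 21; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): refuse to unload nf_conntrack_ftp
# while FTP control connections are still present in the conntrack table.

# Constructed sample in the /proc/net/nf_conntrack layout (documentation
# addresses, not captured from a real host).
sample_table() {
cat <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=21 packets=14 bytes=820 src=198.51.100.5 dst=192.0.2.10 sport=21 dport=51234 packets=12 bytes=910 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=40000 dport=21 packets=9 bytes=500 src=198.51.100.5 dst=192.0.2.11 sport=21 dport=40000 packets=8 bytes=610 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=192.0.2.12 dst=198.51.100.9 sport=40100 dport=80 packets=5 bytes=400 src=198.51.100.9 dst=192.0.2.12 sport=80 dport=40100 packets=4 bytes=900 [ASSURED] mark=0 use=1
ipv4     2 udp      17 25 src=192.0.2.13 dst=198.51.100.53 sport=5353 dport=21 packets=1 bytes=60 [UNREPLIED] src=198.51.100.53 dst=192.0.2.13 sport=21 dport=5353 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 431000 ESTABLISHED src=198.51.100.5 dst=192.0.2.99 sport=21 dport=45000 packets=3 bytes=180 src=192.0.2.99 dst=198.51.100.5 sport=45000 dport=21 packets=3 bytes=180 [ASSURED] mark=0 use=1
EOF
}

# ftp_ctrl_count [FILE|-] [PORT]
# Prints the number of TCP entries whose first (original-direction) dport=
# equals PORT. Every state counts, because an entry stays in the table
# until it is destroyed. The proc file does not name the helper, so the
# port match is a heuristic.
ftp_ctrl_count() {
    awk -v port="${2:-21}" '
        $3 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dport=/) {
                    if ($i == "dport=" port) n++
                    break        # ignore the reply-direction tuple
                }
        }
        END { print n + 0 }
    ' "${1:--}"
}

# Returns 0 only when no matching entry remains.
safe_to_unload() {
    count=$(ftp_ctrl_count "$@")
    [ "$count" -eq 0 ]
}

# Demo on the constructed sample. On a live host the intended use would be:
#   safe_to_unload /proc/net/nf_conntrack && rmmod nf_conntrack_ftp
sample_table | ftp_ctrl_count
```

An entry can be created between the check and the rmmod, so this lowers the chance of unloading under live sessions but does not close the window.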


jengelh at computergmbh

Aug 14, 2007, 1:16 AM

Post #4 of 4 (1139 views)
Re: Kernel panic (destroy_conntrack) unloading nf_conntrack_ftp before

On Aug 10 2007 10:35, Thomas Gelf wrote:
>
> * 2.6.20 "broke" our behaviour as all the nf-thingies have been renamed

Blame your distro for not coping with it.
Try 2.6.22.2 in the meantime... :)

> * nf_conntrack_ftp has been loaded manually before as a customer
> complained about having problems with passive ftp

If you want to NAT FTP, you also need nf_nat_ftp.

> Afterwards we did exactly the same thing (also modprobe / rmmod several
> times) on three other servers, all of them running the same kernel,
> shorewall and debian: no problem at all. The only difference was that
> there has probably been no established ftp session.

Jan
--
