#1 2011-02-09 18:01:52

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Last kernel broke ip_conntrack

Hey guys!

I'm using an Arch box as VPN server and router at home. My private subnet is 10.5.5.0/24 on tap0. My WAN connection is eth0. Iptables looks like this:
-t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

The setup works just fine. In the past, I was able to do `cat /proc/net/ip_conntrack` to get a list of all active connections on the NAT. After the last kernel (2.6.37-ARCH #1 SMP PREEMPT Sat Jan 29 19:40:04) it looks like this:
[root@Taurine ~]# cat /proc/net/ip_conntrack
cat: /proc/net/ip_conntrack: No space left on device

Mount shows the following:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)

The NAT table is not full. I can still cat any other file but this one from /proc... I have been looking for a solution for this problem for the last 2 days. Does anyone know what may be the cause of this?

#2 2011-02-09 22:56:24

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Last kernel broke ip_conntrack

Interesting one...!

Does dmesg or /var/log/messages reveal anything relevant?

#3 2011-02-10 08:00:52

dobedo
Member
From: Belgium
Registered: 2008-10-04
Posts: 113

Re: Last kernel broke ip_conntrack

Yep, I fully agree that 2.6.37 has broken ip_conntrack. I've seen that 2 days ago (reported by Tarqi - a user of the vuurmuur firewall that I maintain) and looking at the vuurmuur code it's really an issue with /proc/net/ip_conntrack (no space left on device).

By doing a 'conntrack -F' I can empty the conntrack tables, but as soon as I use the network again it fills up and becomes full (I guess) directly.

@nullvoid: have you already filed a bug for this? If not, I will do it.
Anyway, it's something to be checked upstream.

@fukawi2: in dmesg I can see plenty of vuurmuur messages (I can't post them right now as I'm at work) but it's things like vrmr: DROP no SYN...

Last edited by dobedo (2011-02-10 08:05:59)

#4 2011-02-10 08:03:06

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: Last kernel broke ip_conntrack

Not much:

[root@Taurine ~]# cat /var/log/messages.log | grep -i conntrack
Feb  9 18:26:59 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
Feb  9 18:38:21 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
Feb  9 18:40:06 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)

[root@Taurine ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
63604
[root@Taurine ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
16384

Edit: @dobedo: I haven't filed any bug report, please go ahead and do it :) Thanks for the answer btw

Last edited by nullvoid (2011-02-10 08:04:59)

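Added example (not posted by anyone in this thread): a small POSIX sh helper that reads the conntrack counters the way nullvoid does above and tells a genuinely full table apart from a read error on the table listing while the table still has room, which is the symptom described in post #1. All file paths are parameters; the /proc/sys/net/netfilter/nf_conntrack_* locations used in the stand-alone run and the sample values in the comments are assumptions, not values taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: report conntrack table fill level and
# classify a failure to read the table listing.  Paths are parameters so the
# same functions work on /proc/sys/net/netfilter/nf_conntrack_* (assumed
# location on current kernels), on the ipv4/netfilter/ip_conntrack_* compat
# files shown in the thread, or on constructed files for an offline test.

# conntrack_fill COUNT_FILE MAX_FILE
# Prints "count/max (pct%)", or "unavailable" (exit 2) when a file is missing
# or the values are not positive integers.
conntrack_fill() {
    count_file=$1
    max_file=$2
    if ! [ -r "$count_file" ] || ! [ -r "$max_file" ]; then
        echo "unavailable"
        return 2
    fi
    read -r count < "$count_file"
    read -r max < "$max_file"
    case "$count:$max" in
        *[!0-9:]*|:*|*:) echo "unavailable"; return 2 ;;
    esac
    if [ "$max" -le 0 ]; then
        echo "unavailable"
        return 2
    fi
    echo "$count/$max ($(( count * 100 / max ))%)"
}

# classify_conntrack_read TABLE_FILE COUNT_FILE MAX_FILE
# "ok" when the table listing can be read.  When it cannot, the counters
# decide: count >= max means the table really is full and nf_conntrack_max is
# the knob to raise; otherwise the read error is not a capacity problem (the
# situation in this thread: ENOSPC while the table is far from full).
classify_conntrack_read() {
    table_file=$1
    count_file=$2
    max_file=$3
    if cat "$table_file" > /dev/null 2>&1; then
        echo "ok"
        return 0
    fi
    fill=$(conntrack_fill "$count_file" "$max_file") || {
        echo "read-error: counters unavailable"
        return 1
    }
    count=${fill%%/*}          # "1200/63604 (1%)" -> "1200" (constructed sample)
    max=${fill#*/}             # -> "63604 (1%)"
    max=${max%% *}             # -> "63604"
    if [ "$count" -ge "$max" ]; then
        echo "full: $count of $max entries, raise nf_conntrack_max"
    else
        echo "read-error: table not full ($count of $max), not a capacity problem"
    fi
    return 1
}

# Stand-alone run against the live kernel files, if this host has them.
# The exit status is informational here, so it is not allowed to abort the script.
if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
    conntrack_fill /proc/sys/net/netfilter/nf_conntrack_count \
                   /proc/sys/net/netfilter/nf_conntrack_max || :
    classify_conntrack_read /proc/net/nf_conntrack \
                            /proc/sys/net/netfilter/nf_conntrack_count \
                            /proc/sys/net/netfilter/nf_conntrack_max || :
fi
```

Run from cron or a monitoring agent, the non-zero exit of classify_conntrack_read is the alert condition; the message text says whether raising the limit would help or whether, as in this thread, the listing fails for a reason the counters cannot explain.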
#5 2011-02-10 08:07:17

dobedo
Member
From: Belgium
Registered: 2008-10-04
Posts: 113

Re: Last kernel broke ip_conntrack

Ok, will do tonight when I have correct info to provide.

#6 2011-02-10 10:22:40

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Last kernel broke ip_conntrack

I wonder if it's upstream or Arch specific... What is the config on your systems? I'm still on 2.6.36 and I've got this:

$ zgrep CONNTRACK /proc/config.gz
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=m

#7 2011-02-10 11:56:10

dobedo
Member
From: Belgium
Registered: 2008-10-04
Posts: 113

Re: Last kernel broke ip_conntrack

I've got exactly the same on 2.6.37

Last edited by dobedo (2011-02-10 11:59:00)

#8 2011-02-10 12:41:40

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: Last kernel broke ip_conntrack

Looks exactly the same to me. Running 2.6.37.

#9 2011-02-10 14:51:39

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Last kernel broke ip_conntrack

Confirmed. No NAT, just a simple workstation. In case someone can read Russian, here is a link to Ubuntu forums: http://forum.ubuntu.ru/index.php?topic=123722.0

However, those people never bothered to file a bug report...

Last edited by Leonid.I (2011-02-10 14:52:16)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

#10 2011-02-10 15:06:20

dobedo
Member
From: Belgium
Registered: 2008-10-04
Posts: 113

Re: Last kernel broke ip_conntrack

Ha, yes I Google-translated that one. There is also this one which, I think, is the same problem: http://osdir.com/ml/debian-bugs-dist/20 … 01478.html, as I also have that error with conntrack.

Anyway, I still have to file a bug report... but I'm still at work for a few hours.
If anyone wants to do it for me, please feel free.

#11 2011-02-10 21:56:31

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Last kernel broke ip_conntrack

dobedo wrote:

I've got exactly the same on 2.6.37

Must be upstream then I reckon... That's a pretty big bug to sneak through! yikes

#12 2011-02-10 22:12:52

dobedo
Member
From: Belgium
Registered: 2008-10-04
Posts: 113

Re: Last kernel broke ip_conntrack

archlinux follow-up: https://bugs.archlinux.org/task/22847
upstream: https://bugzilla.kernel.org/show_bug.cgi?id=28862

Note: I faced a niiiice trace in dmesg: WARNING: at mm/page_alloc.c:1990 __alloc_pages_nodemask+0x4be/0x600(), etc... see the report upstream for more info.

Don't hesitate to suggest info to better report the case upstream as I'm not used to that.
Cheers
