I'm using an Arch box as VPN server and router at home. My private subnet is 10.5.5.0/24 on tap0. My WAN connection is eth0. iptables looks like this:
The setup works just fine. In the past, I was able to do `cat /proc/net/ip_conntrack` to get a list of all active connections on the NAT. After the last kernel (2.6.37-ARCH #1 SMP PREEMPT Sat Jan 29 19:40:04) it looks like this:
Mount shows the following:
The NAT table is not full. I can still cat any other file but this one from /proc... I have been looking for a solution for this problem for the last 2 days. Does anyone know what may be the cause of this?
Yep, I fully agree that 2.6.37 has broken ip_conntrack. I've seen that 2 days ago (reported by Tarqi - a user of the vuurmuur firewall that I maintain) and looking at the vuurmuur code it's really an issue with /proc/net/ip_conntrack (no space left on device).
By doing a 'conntrack -F' I can empty the conntrack tables, but as soon as I use the network again it fills up and becomes full (I guess) directly.
@nullvoid: have you already filed a bug for this? If not, I will do it.
Anyway, it's something to be checked upstream.
@fuckawi: in dmesg I can see plenty of vuurmuur messages (I can't post them right now as I'm at work) but it's things like vrmr: DROP no SYN...
Last edited by dobedo (2011-02-10 08:05:59)
```
[root@Taurine ~]# cat /var/log/messages.log | grep -i conntrack
Feb 9 18:26:59 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
Feb 9 18:38:21 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
Feb 9 18:40:06 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
[root@Taurine ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
[root@Taurine ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
```
Edit: @dobedo: I haven't filed any bug report, please go ahead and do it :) Thanks for the answer btw
Last edited by nullvoid (2011-02-10 08:04:59)
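The post above checks the table size by hand (the `ip_conntrack_max` and `ip_conntrack_buckets` files). As an added example that is not part of the thread, here is a small bash helper that does the same check in one go and, more usefully for this bug, separates a table that is genuinely near its limit from a table file that simply cannot be read. It assumes the standard `nf_conntrack_count`/`nf_conntrack_max` sysctl files (with the `ip_conntrack_*` compat names as a fallback, as in the poster's `CONFIG_NF_CONNTRACK_PROC_COMPAT=y` build); the `root` argument and the 90% threshold are my own additions so the functions can be pointed at a constructed copy of `/proc` for testing.

```bash
#!/bin/bash
# Added example, not code from the thread. Reports conntrack table utilisation
# and distinguishes "table full" from "table file unreadable" (the
# "No space left on device" symptom discussed above).
#
# $1 is a hypothetical root directory standing in for /proc (default /proc),
# so the helpers can be exercised against constructed files.

# Print "count max percent" for the conntrack table under the given root.
# Returns 2 if no conntrack sysctl files are found.
conntrack_usage() {
    local root="${1:-/proc}"
    local sysdir count max
    # Newer kernels expose the knobs under net/netfilter; builds with
    # CONFIG_NF_CONNTRACK_PROC_COMPAT also provide the old ip_conntrack_* names.
    for sysdir in "$root/sys/net/netfilter/nf_conntrack" \
                  "$root/sys/net/ipv4/netfilter/ip_conntrack"; do
        if [ -r "${sysdir}_max" ]; then
            max=$(cat "${sysdir}_max")
            count=$(cat "${sysdir}_count" 2>/dev/null || echo 0)
            [ "$max" -gt 0 ] || max=1   # guard the division below
            printf '%s %s %s\n' "$count" "$max" "$(( count * 100 / max ))"
            return 0
        fi
    done
    echo "no conntrack sysctl files found under $root" >&2
    return 2
}

# Return 0 if the connection table file can actually be read, 1 otherwise.
# A read failure here with a non-full table is the bug symptom from the thread.
conntrack_table_readable() {
    local root="${1:-/proc}" f
    for f in "$root/net/nf_conntrack" "$root/net/ip_conntrack"; do
        if [ -e "$f" ]; then
            if cat "$f" >/dev/null 2>&1; then return 0; else return 1; fi
        fi
    done
    return 1
}

# Classify the state: "full" (>= 90% of max, assumed threshold),
# "read-error" (table file present but unreadable), "ok", or "unknown".
conntrack_status() {
    local root="${1:-/proc}" usage pct
    usage=$(conntrack_usage "$root") || { echo "unknown"; return 0; }
    pct=${usage##* }
    if [ "$pct" -ge 90 ]; then
        echo "full"
    elif ! conntrack_table_readable "$root"; then
        echo "read-error"
    else
        echo "ok"
    fi
}

# Usage on a real router (run as root): conntrack_usage; conntrack_status
```

On a box showing the thread's symptom the expected output of `conntrack_status` is `read-error` with `conntrack_usage` reporting a low percentage, which is exactly what tells you the kernel table itself is not exhausted and `conntrack -F` will not help.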
Ok, will do tonight when I have correct info to provide.
I wonder if it's upstream or Arch specific... What is the config on your systems? I'm still on 2.6.36 and I've got this:
```
$ zgrep CONNTRACK /proc/config.gz
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=m
```
I've got exactly the same on 2.6.37
Last edited by dobedo (2011-02-10 11:59:00)
Looks exactly the same to me. Running 2.6.37.
Confirmed. No NAT, just a simple workstation. In case someone can read Russian, here is a link to Ubuntu forums: http://forum.ubuntu.ru/index.php?topic=123722.0
However, those people never bothered to file a bug report...
Last edited by Leonid.I (2011-02-10 14:52:16)
Ha, yes I Google-translated that one. There is also this one which, I think, is the same problem: http://osdir.com/ml/debian-bugs-dist/20 … 01478.html as I also have that error with conntrack.
Anyway, I still have to file a bug report... but I'm still at work for a few hours.
If anyone wants to do it for me, please feel free.
Note: I faced a niiiice trace in dmesg: WARNING: at mm/page_alloc.c:1990 __alloc_pages_nodemask+0x4be/0x600(), etc... see the report upstream for more info.
Don't hesitate to suggest info to better report the case upstream as I'm not used to that.