Hey guys!
I'm using an Arch box as VPN-server and router at home. My private subnet is 10.5.5.0/24 on tap0. My WAN connection is eth0. Iptables looks like this:
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
The setup works just fine. In the past, I was able to do `cat /proc/net/ip_conntrack` to get a list of all active connections on the NAT. After the last kernel (2.6.37-ARCH #1 SMP PREEMPT Sat Jan 29 19:40:04) it looks like this:
[root@Taurine ~]# cat /proc/net/ip_conntrack
cat: /proc/net/ip_conntrack: No space left on device
Mount shows the following:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
The NAT table is not full. I can still cat any other file but this one from /proc... I have been looking for a solution for this problem for the last 2 days. Does anyone know what may be the cause of this?
Interesting one...!
Does dmesg or /var/log/messages reveal anything relevant?
Yep, I fully agree that 2.6.37 has broken ip_conntrack. I've seen that 2 days ago (reported by Tarqi - a user of the vuurmuur firewall that I maintain) and looking at the vuurmuur code it's really an issue with /proc/net/ip_conntrack (no space left on device).
By doing a 'conntrack -F' I can empty the conntrack tables, but as soon as I use the network again it fills up and becomes full (I guess) directly.
@nullvoid: have you already filed a bug for this? If not, I will do it.
Anyway, it's something to be checked upstream.
@fuckawi: in dmesg I can see plenty of vuurmuur messages (I can't post them right now as I'm at work) but it's things like vrmr: DROP no SYN...
Last edited by dobedo (2011-02-10 08:05:59)
Not much:
[root@Taurine ~]# cat /var/log/messages.log | grep -i conntrack
Feb 9 18:26:59 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
Feb 9 18:38:21 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
Feb 9 18:40:06 Taurine kernel: nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
[root@Taurine ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
63604
[root@Taurine ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
16384
Edit: @dobedo: I haven't filed any bug report, please go ahead and do it :) Thanks for the answer btw
Last edited by nullvoid (2011-02-10 08:04:59)
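Since the question in this thread is whether the table is really full or the proc file is just broken, here is an added check (not from any poster, not part of the thread) that measures table utilization from a dump in the /proc/net/nf_conntrack format together with the configured maximum, instead of relying on the ip_conntrack compat file. The dump below is constructed sample data; the function names, the 10.5.5.x hosts and the external addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: how full is the conntrack table? Works from a dump in the
# /proc/net/nf_conntrack layout (fields: l3proto l3num l4proto l4num timeout
# [tcp-state] tuples...), so it does not need /proc/net/ip_conntrack.

# Constructed sample dump (not real traffic); one entry per line.
SAMPLE_DUMP='ipv4     2 tcp      6 431999 ESTABLISHED src=10.5.5.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.7 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.5.5.11 dst=198.51.100.9 sport=40001 dport=80 [UNREPLIED] src=198.51.100.9 dst=203.0.113.7 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.5.5.10 dst=8.8.8.8 sport=53123 dport=53 src=8.8.8.8 dst=203.0.113.7 sport=53 dport=53123 mark=0 zone=0 use=2
ipv4     2 tcp      6 86 TIME_WAIT src=10.5.5.12 dst=192.0.2.5 sport=33000 dport=22 src=192.0.2.5 dst=203.0.113.7 sport=22 dport=33000 [ASSURED] mark=0 zone=0 use=2'

# conntrack_summary DUMP MAX
#   stdout: "entries max percent_used" (integer percent)
#   stderr: per-protocol breakdown, TCP split by state, for spotting e.g. a
#           pile of SYN_SENT/UNREPLIED entries that would explain a full table
conntrack_summary() {
  dump=$1
  max=$2
  entries=$(printf '%s\n' "$dump" | grep -c .)
  pct=$(( entries * 100 / max ))
  printf '%s\n' "$dump" | awk '{ key = $3; if ($3 == "tcp") key = key "/" $6; c[key]++ }
      END { for (k in c) printf "  %-20s %d\n", k, c[k] }' | sort >&2
  printf '%s %s %s\n' "$entries" "$max" "$pct"
}

# conntrack_state DUMP MAX THRESHOLD_PERCENT -> "full" if usage >= threshold, else "ok"
conntrack_state() {
  # positional params become: entries max percent threshold
  set -- $(conntrack_summary "$1" "$2" 2>/dev/null) "$3"
  [ "$3" -ge "$4" ] && echo full || echo ok
}

# Stand-alone demo on the constructed dump with the max from this thread.
conntrack_summary "$SAMPLE_DUMP" 63604
conntrack_state "$SAMPLE_DUMP" 63604 90

# On a live box (not run here), feed the real files instead of the sample:
#   conntrack_summary "$(cat /proc/net/nf_conntrack)" \
#                     "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
```

With 4 entries against a maximum of 63604 the table is 0% used, which is the kind of reading that separates "the table is full" from "reading the compat proc file fails".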
Ok, will do tonight when I have correct info to provide.
I wonder if it's upstream or Arch specific... What is the config on your systems? I'm still on 2.6.36 and I've got this:
$ zgrep CONNTRACK /proc/config.gz
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=m
I've got exactly the same on 2.6.37
Last edited by dobedo (2011-02-10 11:59:00)
Looks exactly the same to me. Running 2.6.37.
Confirmed. No NAT, just a simple workstation. In case someone can read Russian, here is a link to the Ubuntu forums: http://forum.ubuntu.ru/index.php?topic=123722.0
However, those people never bothered to file a bug report...
Last edited by Leonid.I (2011-02-10 14:52:16)
Ha, yes I google_translated that one. There is also that one which, I think, is the same problem: http://osdir.com/ml/debian-bugs-dist/20 … 01478.html as I have also that error with conntrack.
Anyway, I still have to file a bug report... but I'm still at work for a few hours.
If anyone wants to do it for me, please feel free.
I've got exactly the same on 2.6.37
Must be upstream then I reckon... That's a pretty big bug to sneak through!
archlinux follow-up: https://bugs.archlinux.org/task/22847
upstream: https://bugzilla.kernel.org/show_bug.cgi?id=28862
Note: I faced a niiiice trace in dmesg: WARNING: at mm/page_alloc.c:1990 __alloc_pages_nodemask+0x4be/0x600(), etc... see the report upstream for more info.
Don't hesitate to suggest info to better report the case upstream as I'm not used to that.
Cheers