[Bug 91] conntrack unload loops forever (reproducible)

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Thu Feb 24 07:27:24 CET 2005


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=91
------- Additional Comments From mschwendt at users.sf.net  2005-02-24 07:27 MET -------
"modprobe -r ip_conntrack" is possible, and hence it ought to work. Or do you
want to require a reboot to remove kernel modules? Unloading of iptables modules
on service script restart is optional in Fedora Core. And with knowledge of a
work-around, my personal interest in a fix is not high. It would be in the
interest of the netfilter project to fix this, though.

> So is this a bug in redhat or netfilter?

Consider re-reading the comments within this ticket.

> You seem undecided yourself,
> since you've posted bugs in both places.

No. That's a misimpression based on not reading through the comments. Both tickets
were not opened by me.

It is common procedure to inform a Linux distribution vendor about defects in
its product and expect the vendor to develop an erratum or forward bug reports
upstream. Especially if "user == customer" holds true. Customers are not
expected to get access to hundreds or thousands of individual bug tracking
systems or mailing-lists of upstream software vendors.

> I would posit that the netfilter modules were not designed to be
> unloaded/reloaded on an operational firewall,

Even on an isolated machine with no traffic, see e.g. comment 18, and an empty
connection tracking table, unloading of ip_conntrack was not possible.
And yes, if this apparent misbehaviour (99% CPU usage with a hanging modprobe
-r) is by design, module removal ought to be made impossible.