[Bug 1436] nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
bugzilla-daemon at netfilter.org
Wed Jun 24 17:07:54 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1436
--- Comment #1 from rce-dev at protonmail.com ---
Created attachment 597
--> https://bugzilla.netfilter.org/attachment.cgi?id=597&action=edit
kernel 5.6.19 reporter-print (1) output
This bug makes it impossible to run an IPS process under kernels 5.6.16-19.
Bug is still present in 5.6.19.
IPS is run with:
/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v -D -q 1 -q 2 -q 3
IPS is able to pass small packets (i.e. echo, echo-reply) but kernel oops occurs
under increased network activity such as opening a web page.
It appears that an oops occurs with attempt of IPS to use each of the NFQUEUEs
1-3. Once an oops occurs, IPS traffic is blocked - IPS useless.
Restarting IPS results in failure to open previously used queues:
<Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
An IPS process can open previously unused queues (i.e. q4) but with the same
ultimate result.
The most recently attached file is the 3rd of 3 oops events corresponding with
an attempt to open a web page. These events resulted in blocking all subsequent
traffic from the IPS process.
Note that each oops references a very short-lived tainted process which I've
been unable to identify with `ps -e` run at `sleep 1e-03` interval.
first oops:
CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1
2nd oops:
kernel_tainted_long: D - Kernel has oopsed before
3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1
[ 109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1
3rd oops:
kernel_tainted_long: D - Kernel has oopsed before
/var/tmp/ProblemReport-C-5.6.19-200.fc31.txt::CPU: 3 PID: 14849 Comm: TX#00 Tainted: G D 5.6.19-200.fc31.x86_64 #1
[ 109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1
[ 124.498896] CPU: 3 PID: 14849 Comm: TX#00 Tainted: G D 5.6.19-200.fc31.x86_64 #1
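The oops headers quoted above carry a taint field whose letters are documented in the kernel's Documentation/admin-guide/tainted-kernels.rst; the D flag is set on the kernel itself once any oops has occurred, so every report after the first one inherits it. As an added example, not part of the bug report and not code from Suricata or netfilter, the Python below parses the CPU/PID/Comm/Tainted header lines out of a dmesg-style dump, decodes the taint letters, and picks out the first oops recorded on a still-clean kernel, which is the one worth triaging. The sample lines are copied from the report above; the function, class and regex names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Taint letters and their meanings, from the kernel's
# Documentation/admin-guide/tainted-kernels.rst.
TAINT_FLAGS = {
    "P": "proprietary module was loaded",
    "G": "all loaded modules have a GPL or compatible license",
    "F": "module was force-loaded",
    "S": "SMP kernel on an SMP-unsafe processor / out-of-spec system",
    "R": "module was force-unloaded",
    "M": "processor reported a machine check exception",
    "B": "bad page referenced or unexpected page flags",
    "U": "taint requested by a userspace application",
    "D": "kernel died recently, i.e. there was an oops or BUG",
    "A": "ACPI table overridden by user",
    "W": "kernel issued a warning",
    "C": "staging driver was loaded",
    "I": "workaround for a platform firmware bug applied",
    "O": "externally built (out-of-tree) module was loaded",
    "E": "unsigned module was loaded",
    "L": "soft lockup occurred previously",
    "K": "kernel has been live patched",
    "X": "auxiliary taint, defined for and used by distros",
    "T": "kernel was built with the struct randomization plugin",
}

# Header line as printed by the oops/panic path:
#   [ ts ] CPU: n PID: n Comm: name Not tainted|Tainted: <letters> <version> #<build>
# The optional dmesg timestamp is absent in some crash-report tools' output.
OOPS_HEADER = re.compile(
    r"(?:\[\s*(?P<ts>\d+\.\d+)\]\s+)?"
    r"CPU:\s*(?P<cpu>\d+)\s+PID:\s*(?P<pid>\d+)\s+Comm:\s*(?P<comm>\S+)\s+"
    r"(?:Not tainted|Tainted:\s*(?P<taint>[A-Z](?:\s+[A-Z])*))\s+"
    r"(?P<kver>\S+)\s+#(?P<build>\d+)"
)


@dataclass
class OopsHeader:
    timestamp: Optional[float]  # seconds since boot, None if not present
    cpu: int
    pid: int
    comm: str                   # thread name, e.g. a Suricata worker "TX#01"
    taint: str                  # letters only, e.g. "GD"; "" for an untainted kernel
    kernel: str
    build: int

    @property
    def oopsed_before(self) -> bool:
        """True when the kernel had already crashed when this report was made."""
        return "D" in self.taint


def parse_oops_headers(text: str) -> List[OopsHeader]:
    """Extract every oops header line from a dmesg-style dump, in order."""
    headers = []
    for line in text.splitlines():
        m = OOPS_HEADER.search(line)       # search: lines may carry a file prefix
        if not m:
            continue
        taint = (m.group("taint") or "").replace(" ", "")
        ts = m.group("ts")
        headers.append(OopsHeader(
            timestamp=float(ts) if ts else None,
            cpu=int(m.group("cpu")),
            pid=int(m.group("pid")),
            comm=m.group("comm"),
            taint=taint,
            kernel=m.group("kver"),
            build=int(m.group("build")),
        ))
    return headers


def describe_taint(taint: str) -> List[str]:
    """Human-readable decoding of each taint letter."""
    return [f"{c}: {TAINT_FLAGS.get(c, 'unknown flag')}" for c in taint]


def first_clean_oops(headers: List[OopsHeader]) -> Optional[OopsHeader]:
    """The first report made while the kernel was still untainted by a prior
    crash. Later reports carry D and describe an already-broken kernel, so
    their stack traces are much less trustworthy for root-causing."""
    for h in headers:
        if not h.oopsed_before:
            return h
    return None


# Sample input: header lines taken from the three oops events quoted in the report.
SAMPLE_LOG = """\
[  109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[  110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G      D 5.6.19-200.fc31.x86_64 #1
[  124.498896] CPU: 3 PID: 14849 Comm: TX#00 Tainted: G      D 5.6.19-200.fc31.x86_64 #1
"""

if __name__ == "__main__":
    hdrs = parse_oops_headers(SAMPLE_LOG)
    for h in hdrs:
        print(h.timestamp, h.comm, h.pid, h.taint or "untainted", describe_taint(h.taint))
    print("triage this one first:", first_clean_oops(hdrs))
```

Run on the full `dmesg` output or on the text attached to the bug rather than the three sample lines, and the second and third events will show up as D-tainted follow-ons of the first; only the first report describes the kernel in a known-good state.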