Bug 2126627
| Summary: | Rebase to 1.4.6 or backport fixes | | | |
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Renaud Métrich <rmetrich> | |
| Component: | conntrack-tools | Assignee: | Phil Sutter <psutter> | |
| Status: | CLOSED ERRATA | QA Contact: | Jianwen Ji <jiji> | |
| Severity: | medium | Docs Contact: | | |
| Priority: | medium | | | |
| Version: | 9.0 | CC: | egarver, jiji, psutter, shuali | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | Flags: | pm-rhel: mirror+ | |
| Hardware: | All | | | |
| OS: | Linux | | | |
| Whiteboard: | | | | |
| Fixed In Version: | conntrack-tools-1.4.5-17.el9_1 | Doc Type: | If docs needed, set a value | |
| Doc Text: | | Story Points: | --- | |
| Clone Of: | | | | |
| : | 2126736 (view as bug list) | Environment: | | |
| Last Closed: | 2023-01-23 15:18:04 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | | |
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | | |
| Cloudforms Team: | --- | Target Upstream Version: | | |
| Embargoed: | | | | |
| Bug Depends On: | | | | |
| Bug Blocks: | 2126736 | | | |
(In reply to Renaud Métrich from comment #0)
> Description of problem:
>
> I just got a customer seeing SEGFAULT when using his custom configuration
> for conntrackd.conf, **not** containing the following stanzas:
> ~~~
> General {
> ...
> HashSize <somevalue>
> HashLimit <somevalue>
> ...
> }
> ~~~
>
> This is a known issue fixed upstream by commit
> 3276471d23d4d96d55e9a0fb7a10983d8097dc45:

Thanks for the report and identifying the fix!

[...]

> All releases we ship (on RHEL7, RHEL8 and RHEL9) don't have this commit.
> It would be nice to hence rebase to latest upstream.
>
> If that's not possible, please backport the commit to RHEL9 and RHEL8 as
> well.
>
> Version-Release number of selected component (if applicable):
>
> conntrack-tools-1.4.5-10.el9
> conntrack-tools-1.4.4-10.el8

The commit in question is not part of a release yet. Upstream is 102 commits and 2.5 years overdue, so there should be a release soon. Yet I would rather backport for RHEL8 given the deviation. And if we backport into RHEL9 as well, we get the 9.1 update for free.

Jiji, please note that kernel conntrack system is not active by default. To enable it, add a (harmless) firewall rule like so:

# iptables -A INPUT -m conntrack --ctstate NEW

The segfault happens when conntrackd tries to add a new entry to the hash table.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (conntrack-tools bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0310
Description of problem: I just got a customer seeing SEGFAULT when using his custom configuration for conntrackd.conf, **not** containing the following stanzas: ~~~ General { ... HashSize <somevalue> HashLimit <somevalue> ... } ~~~ This is a known issue fixed upstream by commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45: ~~~ $ git show 3276471d23d4d96d55e9a0fb7a10983d8097dc45 commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45 Author: Pablo Neira Ayuso <pablo> Date: Mon Mar 8 16:29:25 2021 +0100 conntrackd: set default hashtable buckets and max entries if not specified Fall back to 65536 buckets and 262144 entries. It would be probably good to add code to autoadjust by reading /proc/sys/net/netfilter/nf_conntrack_buckets and /proc/sys/net/nf_conntrack_max. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491 Signed-off-by: Pablo Neira Ayuso <pablo> diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 31109c4..b215a72 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -1780,5 +1780,11 @@ init_config(char *filename) NF_NETLINK_CONNTRACK_DESTROY; } + /* default hashtable buckets and maximum number of entries */ + if (!CONFIG(hashsize)) + CONFIG(hashsize) = 65536; + if (!CONFIG(limit)) + CONFIG(limit) = 262144; + return 0; } ~~~ All releases we ship (on RHEL7, RHEL8 and RHEL9) don't have this commit. It would be nice to hence rebase to latest upstream. If that's not possible, please backport the commit to RHEL9 and RHEL8 as well. Version-Release number of selected component (if applicable): conntrack-tools-1.4.5-10.el9 conntrack-tools-1.4.4-10.el8 How reproducible: Always on customer system Steps to Reproduce: See https://bugzilla.netfilter.org/show_bug.cgi?id=1491
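Review bot: the guards `if (!CONFIG(hashsize))` and `if (!CONFIG(limit))` added to init_config() cannot tell an absent key from an explicit `HashSize 0` or `HashLimit 0`, so a misconfiguration that ought to be rejected is silently promoted to 65536 buckets / 262144 entries. The commit message itself defers reading /proc/sys/net/netfilter/nf_conntrack_buckets and /proc/sys/net/nf_conntrack_max, so at minimum log when the fallback is applied, otherwise a fixed HashLimit of 262144 sitting below the kernel's nf_conntrack_max goes unnoticed at runtime; the hunk also only touches read_config_yy.y, so the two new defaults still need to reach the example configuration and documentation.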
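The failure mode discussed in this bug (conntrackd building its hash table with HashSize/HashLimit absent, then crashing on the first insert) and the fallback the upstream commit adds, as an added C model that is not conntrackd's code: read_general(), apply_defaults(), struct ct_hashtable, ht_create() and ht_add() are constructed for illustration, and the configuration fragment is a constructed sample. It also shows the hardened variant that refuses a zero-sized table outright rather than trusting that defaults were applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not conntrackd's code): CONFIG(hashsize)/CONFIG(limit)
 * from the patch map to these fields; 0 means "key not in conntrackd.conf". */
struct ct_config { uint32_t hashsize; uint32_t limit; };

/* Minimal reader for just HashSize/HashLimit (assumption: one key per line). */
void read_general(const char *text, struct ct_config *c) {
    memset(c, 0, sizeof *c);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        unsigned v;
        if (sscanf(line, " HashSize %u", &v) == 1) c->hashsize = v;
        else if (sscanf(line, " HashLimit %u", &v) == 1) c->limit = v;
        p = nl ? nl + 1 : p + len;
    }
}

/* Same fallback as the upstream commit: 65536 buckets, 262144 entries. */
void apply_defaults(struct ct_config *c) {
    if (!c->hashsize) c->hashsize = 65536;
    if (!c->limit) c->limit = 262144;
}

/* Per-bucket occupancy only; enough to model the insert path. */
struct ct_hashtable { uint32_t buckets, limit, count; uint32_t *bucket_len; };

/* Hardened constructor: a zero-bucket or zero-limit table is refused here. */
struct ct_hashtable *ht_create(const struct ct_config *c) {
    if (c->hashsize == 0 || c->limit == 0) return NULL;   /* the bug's input */
    struct ct_hashtable *ht = calloc(1, sizeof *ht);
    uint32_t *len = calloc(c->hashsize, sizeof *len);
    if (!ht || !len) { free(ht); free(len); return NULL; }
    ht->buckets = c->hashsize; ht->limit = c->limit; ht->bucket_len = len;
    return ht;
}

/* Returns the bucket index used, or -1 when the table is invalid or full. */
long ht_add(struct ct_hashtable *ht, uint32_t hash) {
    if (!ht || ht->buckets == 0 || ht->count >= ht->limit) return -1;
    uint32_t idx = hash % ht->buckets;   /* hash % 0 would be undefined here */
    ht->bucket_len[idx]++; ht->count++;
    return (long)idx;
}

void ht_free(struct ct_hashtable *ht) { if (ht) { free(ht->bucket_len); free(ht); } }

/* Constructed conntrackd.conf fragment with both keys missing, as in the report. */
static const char SAMPLE_CONF[] = "General {\n    # HashSize / HashLimit omitted on purpose\n}\n";
```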