Description of problem:
I just got a customer seeing SEGFAULT when using his custom configuration for conntrackd.conf, **not** containing the following stanzas:
~~~
General {
...
HashSize <somevalue>
HashLimit <somevalue>
...
}
~~~
This is a known issue fixed upstream by commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45:
~~~
$ git show 3276471d23d4d96d55e9a0fb7a10983d8097dc45
commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45
Author: Pablo Neira Ayuso <pablo>
Date: Mon Mar 8 16:29:25 2021 +0100
conntrackd: set default hashtable buckets and max entries if not specified
Fall back to 65536 buckets and 262144 entries.
It would be probably good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo>
diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 31109c4..b215a72 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1780,5 +1780,11 @@ init_config(char *filename)
NF_NETLINK_CONNTRACK_DESTROY;
}
+ /* default hashtable buckets and maximum number of entries */
+ if (!CONFIG(hashsize))
+ CONFIG(hashsize) = 65536;
+ if (!CONFIG(limit))
+ CONFIG(limit) = 262144;
+
return 0;
}
~~~
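Review bot: the fallback values in this hunk are fixed constants (65536 buckets, 262144 entries) applied whenever CONFIG(hashsize) or CONFIG(limit) is still 0, independent of what the running kernel was configured with, while the commit message itself names /proc/sys/net/netfilter/nf_conntrack_buckets and /proc/sys/net/nf_conntrack_max as the values to adjust to; either follow up with that autoadjust or document the two defaults where HashSize and HashLimit are described in conntrackd.conf, so a deployment whose kernel nf_conntrack_max is larger than 262144 knows to set HashLimit explicitly rather than inheriting the lower default.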
All releases we ship (on RHEL7, RHEL8 and RHEL9) don't have this commit.
It would hence be nice to rebase to the latest upstream.
If that's not possible, please backport the commit to RHEL9 and RHEL8 as well.
Version-Release number of selected component (if applicable):
conntrack-tools-1.4.5-10.el9
conntrack-tools-1.4.4-10.el8
How reproducible:
Always on customer system
Steps to Reproduce:
See https://bugzilla.netfilter.org/show_bug.cgi?id=1491
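As an added illustration (not conntrackd's code and not the upstream commit), the defaulting step the patch introduces, extended with the procfs-based autoadjust the commit message suggests; `struct ct_config`, `apply_conntrack_defaults` and `read_proc_uint` are hypothetical names standing in for `CONFIG(hashsize)` / `CONFIG(limit)` and the surrounding config code.

```c
#include <stdio.h>

#define DEFAULT_HASHSIZE 65536   /* buckets, the upstream fallback */
#define DEFAULT_LIMIT    262144  /* max entries, the upstream fallback */
/* The two sysctls the commit message names as the better source. */
#define PROC_BUCKETS "/proc/sys/net/netfilter/nf_conntrack_buckets"
#define PROC_MAX     "/proc/sys/net/nf_conntrack_max"

/* Hypothetical stand-in for conntrackd's CONFIG(hashsize) / CONFIG(limit). */
struct ct_config {
    unsigned int hashsize;  /* HashSize in conntrackd.conf, 0 if absent */
    unsigned int limit;     /* HashLimit in conntrackd.conf, 0 if absent */
};

/* Read one positive integer from a sysctl file. Returns 0 and sets *out on
 * success, -1 if the file is missing, unreadable, malformed or zero. */
static int read_proc_uint(const char *path, unsigned int *out)
{
    FILE *f = fopen(path, "r");
    unsigned long v;
    int rc;
    if (!f)
        return -1;
    rc = fscanf(f, "%lu", &v);
    fclose(f);
    if (rc != 1 || v == 0 || v > 0xffffffffUL)
        return -1;
    *out = (unsigned int)v;
    return 0;
}

/* Fill in hashsize/limit only where the parsed config left them at 0, the
 * case behind the reported segfault. An explicit value always wins, then the
 * kernel's own values, then the hard-coded defaults. The paths are parameters
 * so the logic can be exercised without a real /proc. */
void apply_conntrack_defaults(struct ct_config *cfg,
                              const char *buckets_path, const char *max_path)
{
    if (!cfg->hashsize && read_proc_uint(buckets_path, &cfg->hashsize) < 0)
        cfg->hashsize = DEFAULT_HASHSIZE;
    if (!cfg->limit && read_proc_uint(max_path, &cfg->limit) < 0)
        cfg->limit = DEFAULT_LIMIT;
}

int main(void)
{
    struct ct_config cfg = { 0, 0 };  /* constructed: neither stanza set */
    apply_conntrack_defaults(&cfg, PROC_BUCKETS, PROC_MAX);
    printf("HashSize %u HashLimit %u\n", cfg.hashsize, cfg.limit);
    return 0;
}
```

On a host without the nf_conntrack module loaded the two procfs files are absent and the output is the upstream constants; with conntrack active it prints the kernel's current bucket count and entry limit instead.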
(In reply to Renaud Métrich from comment #0)
> Description of problem:
>
> I just got a customer seeing SEGFAULT when using his custom configuration
> for conntrackd.conf, **not** containing the following stanzas:
> ~~~
> General {
> ...
> HashSize <somevalue>
> HashLimit <somevalue>
> ...
> }
> ~~~
>
> This is a known issue fixed upstream by commit
> 3276471d23d4d96d55e9a0fb7a10983d8097dc45:
Thanks for the report and identifying the fix!
[...]
> All releases we ship (on RHEL7, RHEL8 and RHEL9) don't have this commit.
> It would hence be nice to rebase to the latest upstream.
>
> If that's not possible, please backport the commit to RHEL9 and RHEL8 as
> well.
>
> Version-Release number of selected component (if applicable):
>
> conntrack-tools-1.4.5-10.el9
> conntrack-tools-1.4.4-10.el8
The commit in question is not part of a release yet. Upstream is 102 commits
and 2.5 years overdue, so there should be a release soon. Yet I would rather
backport for RHEL8 given the deviation. And if we backport into RHEL9 as well,
we get the 9.1 update for free.
Jiji, please note that the kernel conntrack system is not active by default. To enable it, add a (harmless) firewall rule like so:
# iptables -A INPUT -m conntrack --ctstate NEW
The segfault happens when conntrackd tries to add a new entry to the hash table.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (conntrack-tools bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:0310