Bug 333481

| Summary: | failure upon service stop | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Curtis Doty <curtis> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7 | CC: | chris.brown, eric.fedora, redhat-bugzilla, twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-01-16 02:34:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Curtis Doty
2007-10-16 04:18:47 UTC
Please post the output of "lsmod | grep conntrack" before and after the "service iptables stop". Can you manually unload the nf_conntrack_ipv4 module with "rmmod nf_conntrack_ipv4"? Is there a message in /var/log/messages?

```
# lsmod |grep conntrack
nf_conntrack_ipv4      15049  2 iptable_nat
nf_conntrack           63049  4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink               9945  3 nf_nat,nf_conntrack_ipv4,nf_conntrack
```

And none are loaded after stop. Do note *two* initial references to nf_conntrack_ipv4. And that this test case is unusual in that it has nat table but no filter.

If I restart, and then attempt to manually unload nf_conntrack_ipv4 it will error with:

```
ERROR: Module nf_conntrack_ipv4 is in use by iptable_nat
```

Here's a test/debugging hack that I hope enlightens further:

```diff
--- /etc/init.d/iptables.orig	2007-09-19 03:41:35.000000000 -0700
+++ /etc/init.d/iptables	2007-10-16 09:11:06.000000000 -0700
@@ -64,8 +64,12 @@
 # The extra test is for 2.6: The module might have autocleaned,
 # after all referring modules are unloaded.
 if grep -q "^${mod}" /proc/modules ; then
- modprobe -r $mod > /dev/null 2>&1
+ echo -e "\nDEBUG: unloading $mod..."
+ lsmod |grep conntrack >/tmp/iptables.$$
+ modprobe -r $mod
 let ret+=$?;
+ lsmod |grep conntrack |diff -u /tmp/iptables.$$ -
+ rm /tmp/iptables.$$
 fi
 return $ret
```

```
# service iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat                       [  OK  ]
Unloading iptables modules:
DEBUG: unloading iptable_nat...
--- /tmp/iptables.5900	2007-10-16 09:11:27.000000000 -0700
+++ -	2007-10-16 09:11:27.267291729 -0700
@@ -1,3 +1,3 @@
-nf_conntrack_ipv4      15049  2 iptable_nat
-nf_conntrack           63049  4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
+nf_conntrack_ipv4      15049  1
+nf_conntrack           63049  3 ipt_MASQUERADE,nf_nat,nf_conntrack_ipv4
 nfnetlink               9945  3 nf_nat,nf_conntrack_ipv4,nf_conntrack
DEBUG: unloading nf_conntrack_ipv4...
FATAL: Module nf_conntrack_ipv4 is in use.
DEBUG: unloading ipt_MASQUERADE...
--- /tmp/iptables.5900	2007-10-16 09:11:27.000000000 -0700
+++ -	2007-10-16 09:11:27.483907615 -0700
@@ -1,3 +1,3 @@
-nf_conntrack_ipv4      15049  1
-nf_conntrack           63049  3 ipt_MASQUERADE,nf_nat,nf_conntrack_ipv4
-nfnetlink               9945  3 nf_nat,nf_conntrack_ipv4,nf_conntrack
+nf_conntrack_ipv4      15049  0
+nf_conntrack           63049  1 nf_conntrack_ipv4
+nfnetlink               9945  2 nf_conntrack_ipv4,nf_conntrack
DEBUG: unloading nf_conntrack_ipv4...
--- /tmp/iptables.5900	2007-10-16 09:11:27.000000000 -0700
+++ -	2007-10-16 09:11:27.688103378 -0700
@@ -1,3 +0,0 @@
-nf_conntrack_ipv4      15049  0
-nf_conntrack           63049  1 nf_conntrack_ipv4
-nfnetlink               9945  2 nf_conntrack_ipv4,nf_conntrack
                                                           [FAILED]
```

Nothing unusual shows up in dmesg.

This is a netfilter kernel problem. There is a usage count for the conntrack_ipv4 module from the nf_nat module, which is not reported by lsmod.

How to reproduce:

```
# modprobe nf_conntrack_ipv4
# lsmod | grep nf_conntrack_ipv4
nf_conntrack_ipv4      11717  0
nf_conntrack           51977  2 nf_conntrack_ipv4,nf_conntrack_ipv6
nfnetlink               8281  3 nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack
# modprobe nf_nat
# lsmod | grep nf_conntrack_ipv4
nf_conntrack_ipv4      11717  1
nf_conntrack           51977  3 nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
nfnetlink               8281  4 nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack
# lsmod | grep nf_nat
nf_nat                 18669  0
nf_conntrack           51977  3 nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
nfnetlink               8281  4 nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack
# rmmod nf_conntrack_ipv4
ERROR: Module nf_conntrack_ipv4 is in use
# rmmod nf_nat
# rmmod nf_conntrack_ipv4
#
```

Assigning to kernel.

This also is a problem for 2.6.23+ in F8 and devel.

Looks like this is fixed in 2.6.23.

kernel-2.6.23.1-37.fc8PAE is affected by this problem.

kernel-2.6.23.8-63.fc8 is affected by this problem.
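Review bot: in the /etc/init.d/iptables debugging hunk, the lsmod snapshot goes to /tmp/iptables.$$, a predictable name in a world-writable directory written by a root-run script; `mktemp` (or a file under /var/run) would avoid a symlink race on that path, and the file is leaked if the script is interrupted between the redirect and the `rm`. Dropping `> /dev/null 2>&1` from `modprobe -r $mod` is what surfaces the FATAL message, so it is right for this hack but should not be carried into the shipped script, which is expected to stay quiet on the console. The unchanged context line `grep -q "^${mod}" /proc/modules` is a prefix match that also matches any longer module name; `grep -q "^${mod} "` would make the test exact.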
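The report's observation that a module can hold a use count on nf_conntrack_ipv4 without appearing in its "used by" list is something a maintainer can check for mechanically. The following is an added example, not part of the bug report or the Fedora init script; it parses /proc/modules-format lines and flags modules whose use count exceeds the number of listed users, running on a constructed sample modelled on the report's lsmod output (the nf_nat and ipt_MASQUERADE sizes and all addresses are made up).

```shell
#!/bin/sh
# Added example (not from the bug report): classify each module in /proc/modules
# by whether its use count is explained by the modules listed as using it. A
# count with no (or too few) listed users is what the report shows for
# nf_conntrack_ipv4 once iptable_nat is gone: nf_nat holds a reference without
# a symbol dependency, so lsmod does not name it and modprobe -r fails.
#
# /proc/modules columns: name size use_count users("-" if none, otherwise a
# comma-terminated list) state address

# Constructed sample; names and counts follow the report, sizes for nf_nat and
# ipt_MASQUERADE and the addresses are invented.
SAMPLE_MODULES='nf_conntrack_ipv4 15049 1 - Live 0xffffffffa0000000
nf_conntrack 63049 3 ipt_MASQUERADE,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa0010000
nfnetlink 9945 3 nf_nat,nf_conntrack_ipv4,nf_conntrack, Live 0xffffffffa0020000
nf_nat 18669 1 ipt_MASQUERADE, Live 0xffffffffa0030000
ipt_MASQUERADE 2000 0 - Live 0xffffffffa0040000'

# module_status: read /proc/modules-format lines on stdin, print per module
#   <name> removable         use count is 0, modprobe -r will succeed
#   <name> held <users>      use count is accounted for by the listed users
#   <name> hidden-ref <n>    use count exceeds the listed users by n
module_status() {
    awk '{
        name = $1; refs = $3 + 0; n = 0; list = ""
        if ($4 != "-") {
            n = split($4, users, ",")
            if (users[n] == "") n--        # the list ends with a trailing comma
            for (i = 1; i <= n; i++) { if (i > 1) list = list ","; list = list users[i] }
        }
        if (refs == 0)      printf "%s removable\n", name
        else if (refs > n)  printf "%s hidden-ref %d\n", name, refs - n
        else                printf "%s held %s\n", name, list
    }'
}

# hidden_refs: only the names that cannot be unloaded although lsmod shows no
# user for the missing count; their real holder (nf_nat here) must go first.
hidden_refs() {
    module_status | awk '$2 == "hidden-ref" { print $1 }'
}

# Run on the sample; on a live machine use: module_status < /proc/modules
printf '%s\n' "$SAMPLE_MODULES" | module_status
```

A non-zero hidden-ref count is not by itself a kernel bug: any reference taken with try_module_get (an open socket, a bound device) also shows up in the count without a named user, so the check tells you which module cannot be unloaded yet, not why.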