Bug 102561 - Impossible to remove ip_conntrack module after some time.
Status: CLOSED DUPLICATE of bug 103177
Product: Red Hat Linux
Classification: Retired
Component: kernel
Hardware: i586 Linux
Priority: medium, Severity: medium
Assigned To: Arjan van de Ven
Brian Brock
Reported: 2003-08-17 21:33 EDT by Dams
Modified: 2007-04-18 12:56 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-02-21 13:58:07 EST
Description Dams 2003-08-17 21:33:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.7 (X11; Linux i686; U;) Gecko/20030131

Description of problem:
Sometimes I cannot remove the ip_conntrack module from the kernel, especially
when I have a lot of connections tracked (according to /proc/ip_conntrack).

Version-Release number of selected component (if applicable):
kernel-2.4.20-19.8.i586 (ran on k6-2 processor)

How reproducible:

Steps to Reproduce:
1. Load modules ip_conntrack_* ip_nat_*. Apply iptables rules. Wait some time.
(can be long)
2. service iptables stop.
3. Remove all iptables modules that are dependent on the ip_conntrack module.
4. modprobe -r ip_nat_ftp ip_nat_irc
5. modprobe -r ip_conntrack_ftp
6. modprobe -r ip_conntrack_irc (last module ip_conntrack is dependent of.
modprobe will try to remove ip_conntrack module).

Actual Results:
[root@confiote ~]# modprobe -r -v ip_conntrack_irc
# delete ip_conntrack_irc
# delete ip_conntrack

and never returns. modprobe takes 90% of CPU. ctrl-z/c/\ won't suspend nor kill
the process. lsmod|grep conntrack reports:
ip_conntrack               0   0  (deleted)

Expected Results:  modprobe should return... one day...

Additional info:

Before trying to modprobe -r : 
[root@confiote ~]# rpm -V kernel modutils
.M......   /dev/shm
zsh: exit 1     rpm -V kernel modutils
[root@confiote ~]# wc -l /proc/net/ip_conntrack
   4931 /proc/net/ip_conntrack
[root@confiote ~]# cat /proc/sys/net/ipv4/ip_conntrack_max

This is from the iptables rules on the machine :
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state

I think these rules are related to ip_conntrack.

If you need all iptables rules, just ask. Modules ip_conntrack_ftp and
ip_nat_ftp are loaded. So are the *_irc modules.

When there are few (0-500, didn't test between 500-4500) connections in
ip_conntrack, the module accepts being removed without complaining.
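
A pre-unload check for the situation in this report, as an added example that is not part of the original report or of the Red Hat init script: it lists the modules that still use ip_conntrack, flags modules stuck in the "(deleted)" state, and refuses to proceed when the tracking table is above a chosen limit. The function names, the sample lsmod text and the limit are assumptions, and the bracketed dependents column assumes 2.4-era lsmod output.

```shell
#!/bin/sh
# Added example, not from the bug report or the Red Hat init script.
# Assumes 2.4-style lsmod columns: name size use-count (flags) [dependents]

# Constructed lsmod samples (sizes invented; the last line mirrors the report).
SAMPLE_BEFORE='Module                  Size  Used by    Not tainted
ip_nat_irc              4400   0  (unused)
ip_nat_ftp              5008   0  (unused)
ip_conntrack_irc        4240   1
ip_conntrack_ftp        5296   1
ip_conntrack           27272   4  [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp]'
SAMPLE_HUNG='Module                  Size  Used by    Not tainted
ip_conntrack               0   0  (deleted)'

# dependents_of NAME: print the modules that lsmod (stdin) lists as using NAME,
# i.e. what has to be removed before NAME can go.
dependents_of() {
    awk -v m="$1" '$1 == m && match($0, /\[[^]]*\]/) {
        print substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# stuck_modules: print modules that lsmod (stdin) shows as "(deleted)", meaning
# an unload was started and has not completed.
stuck_modules() {
    awk '$1 != "Module" && /\(deleted\)/ { print $1 }'
}

# safe_to_unload LIMIT: read a conntrack table on stdin (one entry per line)
# and succeed only if it holds at most LIMIT entries. LIMIT is a local policy
# choice, not a value taken from the kernel.
safe_to_unload() {
    count=$(wc -l | tr -d ' ')
    [ "$count" -le "$1" ]
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | dependents_of ip_conntrack
printf '%s\n' "$SAMPLE_HUNG" | stuck_modules
```

On a live system the inputs would be `lsmod` and /proc/net/ip_conntrack, for example `safe_to_unload 500 < /proc/net/ip_conntrack` before any `modprobe -r`; 500 echoes the reporter's observation and is not a verified limit.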
Comment 1 Nikolai Ivanyushin 2003-09-05 10:36:47 EDT
The same on kernel-2.4.20-19.7, kernel-2.4.20-20.7 and iptables-1.2.8-8.72.3
on i686 (Red Hat Linux 7.3 + all updates).
My quick fix was:
--- iptables.orig       Tue Aug  5 13:17:00 2003
+++ iptables    Fri Sep  5 17:19:12 2003
@@ -177,8 +177,8 @@
     rmmod_r ${IPV}_tables
     let ret+=$?;
-    rmmod_r ${IPV}_conntrack
-    let ret+=$?;
+    #rmmod_r ${IPV}_conntrack
+    #let ret+=$?;

     [ $ret -eq 0 ] && success || failure
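
Review bot: The two lines commented out after `rmmod_r ${IPV}_tables` carry no explanation, so a later reader of the script cannot tell that `${IPV}_conntrack` is deliberately left loaded to avoid the unload hang. Put a one-line comment naming the hang above them, or delete the lines outright instead of keeping dead code. With the module left loaded, `ret` no longer reflects whether conntrack was unloaded and its tracking table survives a stop; the comment should say so, so that a later stop/start is not assumed to begin from an empty table.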

Comment 2 Nils Philippsen 2003-09-26 02:51:01 EDT

*** This bug has been marked as a duplicate of 103177 ***
Comment 3 Red Hat Bugzilla 2006-02-21 13:58:07 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
