Bug 133788 - ip_conntrack_in: Frag of proto 17
Summary: ip_conntrack_in: Frag of proto 17
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL: http://lists.netfilter.org/pipermail/...
Reported: 2004-09-27 13:57 UTC by Bernhard Ege
Modified: 2015-01-04 22:10 UTC

Doc Type: Bug Fix
Last Closed: 2005-04-16 04:57:27 UTC

Attachments
Fix for netfilter defrag bug (1.27 KB, patch)
2004-09-29 03:56 UTC, David Miller

Description Bernhard Ege 2004-09-27 13:57:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2)

Description of problem:
I have been using SFS (http://www.fs.net/sfswww/) for quite a while
but it has failed when I upgraded to the mentioned kernel. The failure
is that I cannot access any files on the remote sfs server, i.e. the
linux box with the problem runs the sfs client.

The problem appears to be linked with the ip_conntrack module as it is
causing a lot of log entries in /var/log/messages:

Sep 27 15:38:25 overmind kernel: ip_conntrack_in: Frag of proto 17
Sep 27 15:39:21 overmind last message repeated 3 times
Sep 27 15:40:29 overmind last message repeated 2 times
Sep 27 15:42:17 overmind last message repeated 3 times
Sep 27 15:44:13 overmind last message repeated 4 times
Sep 27 15:46:09 overmind last message repeated 4 times
Sep 27 15:46:33 overmind last message repeated 2 times

The messages stop when I stop the sfs client daemon. I have googled
for a solution but none appears to be available. The cause seems to be
that the ip_conntrack limits all packets to at most 8191 bytes. The
sfs client produces larger packets (UDP) and ip_conntrack fails to
handle those. SFS is effectively disabled as of kernel 2.6.8 (possibly
earlier, I didn't try every released kernel). According to articles
mentioning the problem, this happens for every loopback UDP NFS mount.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Load ip_conntrack module.
2. Make a loopback UDP NFS mount and use large rsize/wsize.
3. Access files on the loopback.

Actual Results: Command paused and ip_conntrack_in messages are logged.

Expected Results: Normal filesystem access should happen.

Additional info:

As I am depending on SFS I would really like to see this bug fixed
fast as I have to use older kernels (with other bugs) while I wait.
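
Added example, not part of the original report: a small Python log check that tallies the `ip_conntrack_in: Frag of proto N` warnings per host and protocol, expanding syslogd's "last message repeated N times" lines so the real event count is visible. The sample input is the excerpt quoted in the description; the function names and the regular expressions are assumptions made for this illustration.

```python
import re
from collections import Counter

# Sample input: the /var/log/messages excerpt quoted in the report above.
SAMPLE_LOG = """\
Sep 27 15:38:25 overmind kernel: ip_conntrack_in: Frag of proto 17
Sep 27 15:39:21 overmind last message repeated 3 times
Sep 27 15:40:29 overmind last message repeated 2 times
Sep 27 15:42:17 overmind last message repeated 3 times
Sep 27 15:44:13 overmind last message repeated 4 times
Sep 27 15:46:09 overmind last message repeated 4 times
Sep 27 15:46:33 overmind last message repeated 2 times
"""

# IANA protocol numbers for the transports conntrack usually sees.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (.*)$")
FRAG_RE = re.compile(r"kernel: ip_conntrack_in: Frag of proto (\d+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

def count_frag_events(text):
    """Return Counter {(host, proto): events}, expanding syslogd repeat lines."""
    counts = Counter()
    last = {}  # host -> proto of that host's previous message, None if unrelated
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        host, msg = m.groups()
        rep = REPEAT_RE.fullmatch(msg)
        if rep:
            # A repeat line stands for N more copies of the host's previous message.
            if last.get(host) is not None:
                counts[(host, last[host])] += int(rep.group(1))
            continue
        frag = FRAG_RE.fullmatch(msg)
        last[host] = int(frag.group(1)) if frag else None
        if frag:
            counts[(host, last[host])] += 1
    return counts

def describe(counts):
    """Render one summary line per (host, protocol) pair."""
    return [f"{host}: {n} fragment warnings for proto {p} ({PROTO_NAMES.get(p, 'unknown')})"
            for (host, p), n in sorted(counts.items())]

if __name__ == "__main__":
    print("\n".join(describe(count_frag_events(SAMPLE_LOG))))
```

On the quoted excerpt the seven log lines expand to 19 warnings, all for protocol 17 (UDP).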

Comment 1 David Miller 2004-09-29 03:56:17 UTC
Created attachment 104488
Fix for netfilter defrag bug

This patch from Patrick McHardy, which I am about
to push upstream, fixes the problem.

Comment 2 Dave Jones 2004-11-20 20:25:30 UTC
Fixed in updates?

Comment 3 Dave Jones 2005-04-16 04:57:27 UTC
Fedora Core 2 has now reached end of life, and no further updates will be
provided by Red Hat.  The Fedora legacy project will be producing further kernel
updates for security problems only.

If this bug has not been fixed in the latest Fedora Core 2 update kernel, please
try to reproduce it under Fedora Core 3, and reopen if necessary, changing the
product version accordingly.

Thank you.
