Bug 2126627 - Rebase to 1.4.6 or backport fixes
Summary: Rebase to 1.4.6 or backport fixes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: conntrack-tools
Version: 9.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Phil Sutter
QA Contact: Jianwen Ji
URL:
Whiteboard:
Depends On:
Blocks: 2126736
Reported: 2022-09-14 07:46 UTC by Renaud Métrich
Modified: 2023-01-23 15:21 UTC (History)
CC List: 4 users

Fixed In Version: conntrack-tools-1.4.5-17.el9_1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2126736
Environment:
Last Closed: 2023-01-23 15:18:04 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-133896 0 None None None 2022-09-14 07:52:25 UTC
Red Hat Knowledge Base (Solution) 6975677 0 None None None 2022-09-14 08:04:52 UTC
Red Hat Product Errata RHBA-2023:0310 0 None None None 2023-01-23 15:18:08 UTC

Description Renaud Métrich 2022-09-14 07:46:22 UTC
Description of problem:

I just got a customer seeing SEGFAULT when using his custom configuration for conntrackd.conf, **not** containing the following stanzas:
~~~
General {
    ...
    HashSize <somevalue>
    HashLimit <somevalue>
    ...
}
~~~

This is a known issue fixed upstream by commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45:
~~~
$ git show 3276471d23d4d96d55e9a0fb7a10983d8097dc45
commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45
Author: Pablo Neira Ayuso <pablo>
Date:   Mon Mar 8 16:29:25 2021 +0100

    conntrackd: set default hashtable buckets and max entries if not specified
    
    Fall back to 65536 buckets and 262144 entries.
    
    It would be probably good to add code to autoadjust by reading
    /proc/sys/net/netfilter/nf_conntrack_buckets and
    /proc/sys/net/nf_conntrack_max.
    
    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
    Signed-off-by: Pablo Neira Ayuso <pablo>

diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 31109c4..b215a72 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1780,5 +1780,11 @@ init_config(char *filename)
                                         NF_NETLINK_CONNTRACK_DESTROY;
        }
 
+       /* default hashtable buckets and maximum number of entries */
+       if (!CONFIG(hashsize))
+               CONFIG(hashsize) = 65536;
+       if (!CONFIG(limit))
+               CONFIG(limit) = 262144;
+
        return 0;
 }
~~~
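Review bot: the fallback in init_config() hardcodes 65536 buckets and 262144 entries even though the commit message itself says the values should ideally come from /proc/sys/net/netfilter/nf_conntrack_buckets and /proc/sys/net/nf_conntrack_max; since the daemon now runs with settings the administrator never wrote, it should at least log the values it applied and the conntrackd.conf documentation should state the defaults. Also note that `if (!CONFIG(hashsize))` treats an explicit `HashSize 0` the same as an omitted key, so a misconfigured zero is silently replaced instead of being rejected at parse time.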

All releases we ship (on RHEL7, RHEL8 and RHEL9) don't have this commit.
It would hence be nice to rebase to the latest upstream.

If that's not possible, please backport the commit to RHEL9 and RHEL8 as well.

Version-Release number of selected component (if applicable):

conntrack-tools-1.4.5-10.el9
conntrack-tools-1.4.4-10.el8

How reproducible:

Always on customer system

Steps to Reproduce:

See https://bugzilla.netfilter.org/show_bug.cgi?id=1491
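Until a build containing the fix is installed, the practical mitigation is to make sure every deployed conntrackd.conf carries explicit HashSize and HashLimit settings in its General block. The following checker is an added example (not part of conntrack-tools or of this bug report): it parses only the subset of conntrackd.conf syntax needed here (nested `Name { ... }` blocks, `Key Value` lines, `#` comments), reports the two keys when they are absent from the top-level General block, and suggests values taken from the sysctl files the upstream commit message mentions, falling back to the commit's own defaults of 65536 and 262144 when those files cannot be read. The sample configurations are constructed for the example; the sysctl paths are the ones named in the commit message.

```python
"""Check a conntrackd.conf for HashSize/HashLimit in its General block.

Added example; not conntrack-tools code. Unpatched conntrack-tools
(before upstream 3276471d) crashes when these keys are missing, so a
configuration audit before restarting the daemon is a cheap safeguard.
"""

# Fallback values taken from the upstream commit message.
DEFAULT_HASHSIZE = 65536
DEFAULT_HASHLIMIT = 262144

# Kernel sysctl files the commit message suggests as the better source.
SYSCTL_BUCKETS = "/proc/sys/net/netfilter/nf_conntrack_buckets"
SYSCTL_MAX = "/proc/sys/net/nf_conntrack_max"


def parse_general_block(text):
    """Return {key: value} for settings directly inside the top-level General block.

    Blocks nested inside General (UNIX, Filter From Userspace, ...) are
    skipped, because HashSize/HashLimit are only honoured at depth 1.
    """
    settings = {}
    depth = 0
    in_general = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            if depth == 0 and name == "General":
                in_general = True
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                in_general = False
            continue
        if in_general and depth == 1:
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings


def read_sysctl(path, fallback):
    """Read an integer from a /proc/sys file; use fallback if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return fallback


def check_hash_settings(text, sysctl_reader=read_sysctl):
    """Return {key: suggested_value} for HashSize/HashLimit that need adding.

    A value of 0 is treated like a missing key, mirroring the patch's
    `!CONFIG(hashsize)` test, so an explicit zero is flagged as well.
    """
    settings = parse_general_block(text)
    suggestions = {}
    if settings.get("HashSize", "0").strip() == "0":
        suggestions["HashSize"] = sysctl_reader(SYSCTL_BUCKETS, DEFAULT_HASHSIZE)
    if settings.get("HashLimit", "0").strip() == "0":
        suggestions["HashLimit"] = sysctl_reader(SYSCTL_MAX, DEFAULT_HASHLIMIT)
    return suggestions


# Constructed sample: a General block without the two keys (the crashing case).
CONFIG_MISSING = """\
General {
    Nice -20
    Syslog on          # trailing comment
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    Filter From Userspace {
        Protocol Accept {
            TCP
        }
    }
}
Sync {
    Mode FTFW {
    }
}
"""

# Constructed sample: the same file with explicit values set.
CONFIG_FIXED = CONFIG_MISSING.replace(
    "    Nice -20\n", "    Nice -20\n    HashSize 32768\n    HashLimit 131072\n"
)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else CONFIG_MISSING
    for key, value in check_hash_settings(text).items():
        print(f"General block lacks {key}; suggested: {key} {value}")
```

Run it as `python3 check_conntrackd_conf.py /etc/conntrackd/conntrackd.conf` (filename assumed); without an argument it checks the constructed sample and prints the two missing keys with suggested values. On a host where the nf_conntrack sysctl files are readable the suggestions track the kernel's table size, which is the behaviour the commit message wishes for but does not implement.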

Comment 1 Phil Sutter 2022-09-14 10:15:40 UTC
(In reply to Renaud Métrich from comment #0)
> Description of problem:
> 
> I just got a customer seeing SEGFAULT when using his custom configuration
> for conntrackd.conf, **not** containing the following stanzas:
> ~~~
> General {
>     ...
>     HashSize <somevalue>
>     HashLimit <somevalue>
>     ...
> }
> ~~~
> 
> This is a known issue fixed upstream by commit
> 3276471d23d4d96d55e9a0fb7a10983d8097dc45:

Thanks for the report and identifying the fix!

[...]
> All releases we ship (on RHEL7, RHEL8 and RHEL9) don't have this commit.
> It would be nice to hence rebase to latest upstream.
> 
> If that's not possible, please backport the commit to RHEL9 and RHEL8 as
> well.
> 
> Version-Release number of selected component (if applicable):
> 
> conntrack-tools-1.4.5-10.el9
> conntrack-tools-1.4.4-10.el8

The commit in question is not part of a release yet. Upstream is 102 commits
and 2.5 years overdue, so there should be a release soon. Yet I would rather
backport for RHEL8 given the deviation. And if we backport into RHEL9 as well,
we get the 9.1 update for free.

Comment 4 Phil Sutter 2022-10-12 19:37:55 UTC
Jiji, please note that the kernel conntrack system is not active by default. To enable it, add a (harmless) firewall rule like so:

# iptables -A INPUT -m conntrack --ctstate NEW

The segfault happens when conntrackd tries to add a new entry to the hash table.

Comment 16 errata-xmlrpc 2023-01-23 15:18:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (conntrack-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0310

