Troy Dawson wrote:
> Takashi Ichihara wrote:
>
>> Hi, all
>>
>> We have been using SL4.6/4.7 (i386 and X86_64) on several nodes
>> and have experienced kernel panic frequently during the system
>> rebooting or system shutdown or even by /etc/init.d/ip_tables restart
>> since last summer in 2008.
>>
>> This is a known bug and still unresolved as reported at the
>> upstream vender's bugzilla.
>> https://bugzilla.redhat.com/show_bug.cgi?id=456664
>>
>> With several investigation, this Kernel panic related to [ip_conntrack]
>> occurs in the the following condition in our environment.
>>
>> 1) Kernel is
>> kernel-smp-2.6.9-78.1EL (SMP or hugemem) (Aug. 2008) to
>> kernel-smp-2.6.9-78.13EL (SMP or hugemem) (latest kernel)
>>
>> 2) ip-tables is enabled and in /etc/sysconfig/iptables-config
>> IPTABLES_MODULES="ip_conntrack_ftp"
>> is included.
>>
>> In this situation, during the rebooting or /etc/init.d/iptables stop
>> or /etc/init.d/iptables restart operations,
>>
>> kernel panic relating with [ip_conntrack] accrues. This kernel bug
>> is still unresolved.
>>
>> However, there is a workaround to avoid this problem. It is
>> described in the comment 31 in
>> https://bugzilla.redhat.com/show_bug.cgi?id=456664
>>
>>
>>> We have discovered that when the following is in the iptables-config:
>>>
>>> IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp iptable_nat ipt_REJECT
>>>
>> iptable_mangle"
>>
>>> and on the 2.6.9-78.0.1 ( or .5) RHEL4 version kernel, the kernel
>>> panic does not occur when iptables is stopped.
>>>
>> We have tested this workaround in several nodes of SL4.6/7 (both
>> i386 and X86_64) with the kernel 2.6.9-78.0.13.ELsmp.
>>
>> After updating the /etc/sysconfig/iptables-config to include
>> IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp iptable_nat ipt_REJECT
>> iptable_mangle",
>> the first rebooting failed with kernel panic because this update was not
>> reflected. But in the second rebooting and also
>> /etc/init.d/ip_tables stop or /etc/init.d/ip_tables restart command,
>> the kernel panic does not occur. So I think this is the current best
>> workaround against this kernel panic of kernel-smp-2.6.9-78.* (1-13)
>> relating to [ip_conntrack] or [ip_tables].
>>
>> PS: This problem does not occure at SL 5.2 (kernel 2.6.18-*)
>>
>> Best Regards,
>> Takashi Ichihara (RIKEN)
>>
>>
>
> Hi,
> Just for your information, a new kernel just came out right now for SL4,
> 2.6.9-78.0.17.EL
>
>
> As part of the things it's fixed is
>
> * when the iptables module was unloaded, it was assumed the correct entry
> for removal had been found if "wrapper->ops->pf" matched the value passed
> in by "reg->pf". If several ops ranges were registered against the same
> protocol family, however, (which was likely if you had both ip_conntrack
> and ip_contrack_* loaded) this assumption could lead to NULL list pointers
> and cause a kernel panic. With this update, "wrapper->ops" is matched to
> pointer values "reg", which ensures the correct entry is removed and
> results in no NULL list pointers. (BZ#477147)
>
> Looking at bugzilla 477147, it says
> "This bug has been copied from bug #456664"
>
> So, hopefully this new kernel will fix the problem.
>
> The new kernel should go into the errata tomorrow if all goes well.
>
> Troy
>
Hi
New Kernel for SL4 2.6.9-78.0.17.EL arrived last nigh (18th March)
to our mirror (ftp.riken.jp). We have confirmed that this problem
( bug #456664") since last summer is resolved at last both in
i386 and X86_64 at the kernel 2.6.9-78.0.17.ELsmp.
Thank you for your information and update.
Takashi Ichihara
|
