after having a new firewall system with F28 running for over 3 weeks without any issue, last saturday at 9:30 crash with 4.18.15 (see screenshot from VMware HA)

guilty conscience for holding back kernel updates -> 4.18.18

today at nearly the same time identical error
-------------------------------------------------

despite https://bugzilla.kernel.org/show_bug.cgi?id=201685 i gave 4.19.4 a chance, shortly after boot the same error, hard power off and boot again -> "Fatal exception in interrupt" after a few seconds and so back to 4.18.18

what i don't get is that the system is running the whole week forwarding a ton of traffic, blocking xt_recenter-abusers without any issue and it's not the uptime, there was a short reboot a few days ago switching from single interface to a bridge to prepare for second uplink router

xt_recent counters are low because of --reap option while otherwise they reached all the 30000 limit after a few days leading to waste a lot of memory - the VM has 3 GB assigned and so also no problem
-------------------------------------------------

[root@firewall:~]$ cat /etc/modprobe.d/iptables-recent.conf
options ipt_recent ip_list_tot=30000 ip_pkt_list_tot=255
options xt_recent ip_list_tot=30000 ip_pkt_list_tot=255
-------------------------------------------------

# Kernel sysctl configuration file for Red Hat Linux
# run "sysctl -p" after changes

##### SysRq Debugging #####
kernel.sysrq = 0

##### Core-Dumps #####
kernel.core_uses_pid = 1
fs.suid_dumpable = 0

##### TCP-Tuning #####
net.core.default_qdisc = fq_codel
net.core.somaxconn = 65535
net.core.rmem_max = 65536
net.core.wmem_max = 65536
net.core.rmem_default = 32768
net.core.wmem_default = 32768
net.ipv4.tcp_rmem = 4096 32768 65536
net.ipv4.tcp_wmem = 4096 32768 65536
net.ipv4.tcp_mem = 4096 32768 65536
net.ipv4.udp_mem = 4096 32768 65536
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_fastopen = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_tw_buckets = 131072
net.ipv4.tcp_max_orphans = 50000
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_autocorking = 1
net.ipv4.ip_nonlocal_bind = 1

##### Secure TCP #####
net.ipv4.tcp_challenge_ack_limit = 1500
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_retries1 = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 32768
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_keepalive_time = 270
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.ip_default_ttl = 80
net.ipv4.ip_dynaddr = 0
net.ipv4.igmp_max_memberships = 10
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.accept_redirects = 0

##### Connection-Tracking #####
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_helper = 0
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_tcp_timeout_close = 2
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 5
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 60
net.netfilter.nf_conntrack_generic_timeout = 120
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.netfilter.nf_conntrack_icmp_timeout = 15
net.netfilter.nf_conntrack_udp_timeout = 15

##### Disable IPv6 #####
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0

##### Do not follow links in directories with sticky bit #####
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

##### Kernel hardening #####
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 2
kernel.pid_max = 4000000
kernel.randomize_va_space = 2

##### VMware-Optimizings #####
vm.swappiness = 1
vm.overcommit_memory = 1
vm.overcommit_ratio = 60
vm.vfs_cache_pressure = 75
vm.dirty_background_ratio = 5
vm.dirty_ratio = 20
vm.dirty_expire_centisecs = 1500
vm.dirty_writeback_centisecs = 1500
vm.zone_reclaim_mode = 0
fs.leases-enable = 0
net.unix.max_dgram_qlen = 1024

##### Forwarding #####
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.tcp_mtu_probing = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.log_martians = 0

##### DDOS-Hardening #####
fs.file-max = 3000000
kernel.msgmax = 65536
kernel.msgmnb = 65536
net.core.netdev_max_backlog = 65536
net.ipv4.neigh.default.gc_interval = 5
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 16384