On 09/02/2012 16:57, Pablo Neira Ayuso wrote:
On Wed, Feb 08, 2012 at 03:45:21PM +0100, Jean-Philippe Menil wrote:
Hi,
I'm seeing a bug in a host with a 3.2.1 kernel.
This host is running both kvm and lxc guests.
It seems that it happened just after the restart of an lxc guest.
However, it doesn't seem to affect any guest.
I was just wondering if this was problematic, and if so, what should
I do to debug this further.
Could you provide more information on your setup? Is it using
conntrackd or anything else you think can be relevant to this bug?
It can make it easier for us to know what's wrong with this.
Hi,
the server hosts two kvm guests (one firewall running conntrackd, one
captive portal) and an lxc guest (running squid).
This setup has remained unchanged for months, except for the kernel (rebooted with a
3.2.1 one week ago).
Attached rules are applied on the host.
For the lxc guest, filtering is done on the host; for the two kvm guests,
filtering is done inside.
For information, the firewall is in passive mode.
As this bug appeared only once, just after restarting the lxc guest, I
think it's related to containers.
But it seems to be a non-blocking bug.
Hope this helps.
Regards
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@xxxxxxxxxxxxxx
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
# Generated by iptables-save v1.4.8 on Thu Feb 9 17:07:09 2012
*filter
:INPUT DROP [10417510:1703902887]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:300]
:GENERAL-IN - [0:0]
:GENERAL-OUT - [0:0]
:GUEST-IN - [0:0]
:GUEST-IN_cache2-crous - [0:0]
:GUEST-IN_cache2-crous_LO - [0:0]
:GUEST-OUT - [0:0]
:GUEST-OUT_cache2-crous - [0:0]
:GUEST-OUT_cache2-crous_LO - [0:0]
:LOCAL-IN - [0:0]
:LOCAL-OUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j GENERAL-IN
-A INPUT -j LOCAL-IN
-A INPUT -m limit --limit 20/sec --limit-burst 30 -j LOG --log-prefix "INPUT ayrshire " --log-level 7
-A FORWARD -m physdev --physdev-out fwcnec -j ACCEPT
-A FORWARD -m physdev --physdev-in fwcnec -j ACCEPT
-A FORWARD -m physdev --physdev-out fwcnec-ren -j ACCEPT
-A FORWARD -m physdev --physdev-in fwcnec-ren -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2037 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2037 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2036 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2036 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2035 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2035 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2033 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2033 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2032 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2032 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2031 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2031 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v2030 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v2030 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v197 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v197 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v196 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v196 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v195 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v195 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v194 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v194 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v193 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v193 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-v192 -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-v192 -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-dmz -j ACCEPT
-A FORWARD -m physdev --physdev-in pcrous-dmz -j ACCEPT
-A FORWARD -m physdev --physdev-out fwcite-ren -j ACCEPT
-A FORWARD -m physdev --physdev-in fwcite-ren -j ACCEPT
-A FORWARD -m physdev --physdev-out fwcite-dmz -j ACCEPT
-A FORWARD -m physdev --physdev-in fwcite-dmz -j ACCEPT
-A FORWARD -j GUEST-IN
-A FORWARD -j GUEST-OUT
-A FORWARD -m limit --limit 20/sec --limit-burst 30 -j LOG --log-prefix "FORWARD ayrshire " --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j GENERAL-OUT
-A OUTPUT -j LOCAL-OUT
-A OUTPUT -m limit --limit 20/sec --limit-burst 30 -j LOG --log-prefix "OUTPUT ayrshire " --log-level 7
-A GENERAL-IN -i lo -j ACCEPT
-A GENERAL-IN -s 172.20.13.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A GENERAL-IN -s 193.52.101.133/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GENERAL-IN -p icmp -m limit --limit 30/sec --limit-burst 30 -j ACCEPT
-A GENERAL-IN -p icmp -j DROP
-A GENERAL-IN -s 172.20.12.96/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GENERAL-IN -s 172.20.12.35/32 -p udp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-IN -s 172.20.12.35/32 -p tcp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-IN -s 172.20.11.91/32 -p udp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-IN -s 172.20.11.91/32 -p tcp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-IN -s 172.20.12.160/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GENERAL-IN -s 172.20.12.135/32 -p tcp -m tcp --dport 5308 -j ACCEPT
-A GENERAL-IN -s 172.20.12.116/32 -p udp -m udp --dport 161 -j ACCEPT
-A GENERAL-IN -s 172.20.12.71/32 -p udp -m udp --dport 161 -j ACCEPT
-A GENERAL-IN -s 172.20.12.14/32 -p udp -m udp --dport 161 -j ACCEPT
-A GENERAL-OUT -o lo -j ACCEPT
-A GENERAL-OUT -p icmp -m limit --limit 30/sec --limit-burst 30 -j ACCEPT
-A GENERAL-OUT -p icmp -j DROP
-A GENERAL-OUT -d 172.26.4.20/32 -p udp -m udp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.26.4.20/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.22/32 -p udp -m udp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.23/32 -p udp -m udp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.11/32 -p udp -m udp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.11/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.22/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.23/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.96/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.56/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.55/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.88/32 -p tcp -m tcp --dport 389 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.89/32 -p tcp -m tcp --dport 389 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.90/32 -p tcp -m tcp --dport 389 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.240/32 -p tcp -m tcp --dport 389 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.90/32 -p tcp -m tcp --dport 636 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.88/32 -p tcp -m tcp --dport 636 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.89/32 -p tcp -m tcp --dport 636 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.240/32 -p tcp -m tcp --dport 636 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.31/32 -p udp -m udp --dport 123 -j ACCEPT
-A GENERAL-OUT -d 193.52.101.123/32 -p udp -m udp --dport 123 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.35/32 -p udp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.35/32 -p tcp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-OUT -d 172.20.11.91/32 -p udp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-OUT -d 172.20.11.91/32 -p tcp -m multiport --dports 20030:20070 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.48/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.135/32 -p tcp -m tcp --dport 5308 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.34/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.74/32 -p tcp -m tcp --dport 3128 -j ACCEPT
-A GENERAL-OUT -d 172.20.11.67/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GENERAL-OUT -d 172.20.12.14/32 -p udp -m udp --dport 514 -j ACCEPT
-A GUEST-IN -m physdev --physdev-out cache2-crous -j GUEST-IN_cache2-crous
-A GUEST-IN_cache2-crous -m state --state RELATED,ESTABLISHED -j ACCEPT
-A GUEST-IN_cache2-crous -j GENERAL-IN
-A GUEST-IN_cache2-crous -j GUEST-IN_cache2-crous_LO
-A GUEST-IN_cache2-crous -m limit --limit 20/sec --limit-burst 30 -j LOG --log-prefix "INBOUND cache2-crous " --log-level 7
-A GUEST-IN_cache2-crous -j DROP
-A GUEST-IN_cache2-crous_LO -d 224.0.0.18/32 -p vrrp -j ACCEPT
-A GUEST-IN_cache2-crous_LO -d 224.0.0.18/32 -p ah -j ACCEPT
-A GUEST-IN_cache2-crous_LO -d 193.52.102.11/32 -p udp -m udp --dport 5001 -j ACCEPT
-A GUEST-IN_cache2-crous_LO -d 193.52.102.12/32 -p tcp -m tcp --dport 5001 -j ACCEPT
-A GUEST-IN_cache2-crous_LO -d 225.0.0.50/32 -j DROP
-A GUEST-IN_cache2-crous_LO -d 224.0.0.111/32 -j DROP
-A GUEST-IN_cache2-crous_LO -p tcp -m tcp --dport 3128 -j ACCEPT
-A GUEST-IN_cache2-crous_LO -s 172.20.12.116/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GUEST-IN_cache2-crous_LO -s 172.20.12.160/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A GUEST-IN_cache2-crous_LO -s 172.20.12.160/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A GUEST-OUT -m physdev --physdev-in cache2-crous -j GUEST-OUT_cache2-crous
-A GUEST-OUT_cache2-crous -m state --state RELATED,ESTABLISHED -j ACCEPT
-A GUEST-OUT_cache2-crous -j GENERAL-OUT
-A GUEST-OUT_cache2-crous -j GUEST-OUT_cache2-crous_LO
-A GUEST-OUT_cache2-crous -m limit --limit 20/sec --limit-burst 30 -j LOG --log-prefix "OUTBOUND cache2-crous " --log-level 7
-A GUEST-OUT_cache2-crous -j DROP
-A GUEST-OUT_cache2-crous_LO -d 224.0.0.18/32 -p vrrp -j ACCEPT
-A GUEST-OUT_cache2-crous_LO -d 224.0.0.18/32 -p ah -j ACCEPT
-A GUEST-OUT_cache2-crous_LO -p tcp -m tcp --dport 80 -j ACCEPT
-A GUEST-OUT_cache2-crous_LO -p tcp -m tcp --dport 443 -j ACCEPT
-A GUEST-OUT_cache2-crous_LO -p tcp -m tcp --dport 21 -j ACCEPT
-A GUEST-OUT_cache2-crous_LO -d 172.20.12.116/32 -p udp -m udp --dport 162 -j ACCEPT
-A LOCAL-IN -s 172.20.13.0/24 -p tcp -m multiport --dports 5900:5999 -j ACCEPT
COMMIT
# Completed on Thu Feb 9 17:07:09 2012
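As an added example (not part of the thread or of anyone's posted code), a small structural audit of an iptables-save dump laid out like the attached ruleset: it checks that every bridge port accepted in FORWARD via `physdev` is accepted in both directions, and that each per-guest dispatcher chain (GUEST-IN_<guest> / GUEST-OUT_<guest>, as opposed to the `_LO` allow lists) still ends with the rate-limited LOG followed by an unconditional DROP. The SAMPLE is a constructed excerpt of the ruleset above, with `pcrous-dmz` deliberately left one-directional so the check has something to report.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the posted ruleset; pcrous-dmz deliberately has no --physdev-in rule.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:GUEST-IN - [0:0]
:GUEST-IN_cache2-crous - [0:0]
:GUEST-IN_cache2-crous_LO - [0:0]
-A FORWARD -m physdev --physdev-out fwcnec -j ACCEPT
-A FORWARD -m physdev --physdev-in fwcnec -j ACCEPT
-A FORWARD -m physdev --physdev-out pcrous-dmz -j ACCEPT
-A FORWARD -j GUEST-IN
-A GUEST-IN -m physdev --physdev-out cache2-crous -j GUEST-IN_cache2-crous
-A GUEST-IN_cache2-crous -j GUEST-IN_cache2-crous_LO
-A GUEST-IN_cache2-crous -m limit --limit 20/sec --limit-burst 30 -j LOG --log-prefix "INBOUND cache2-crous " --log-level 7
-A GUEST-IN_cache2-crous -j DROP
COMMIT
"""

def parse(dump):
    """Split an iptables-save dump into chain policies ('-' = user chain) and rule bodies per chain."""
    policies, rules = {}, defaultdict(list)
    for line in dump.splitlines():
        if line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith('-A '):
            chain, body = line[3:].split(' ', 1)
            rules[chain].append(body)
    return policies, rules

def unpaired_physdev(rules):
    """Bridge ports that FORWARD ACCEPTs via physdev in only one direction."""
    seen = defaultdict(set)
    for body in rules['FORWARD']:
        m = re.search(r'--physdev-(in|out) (\S+) -j ACCEPT$', body)
        if m:
            seen[m.group(2)].add(m.group(1))
    return sorted(port for port, dirs in seen.items() if dirs != {'in', 'out'})

def guest_chains_missing_log_drop(policies, rules):
    """Per-guest dispatcher chains (not the _LO allow lists) lacking the LOG-then-DROP tail."""
    bad = []
    for chain in policies:
        if chain.startswith(('GUEST-IN_', 'GUEST-OUT_')) and not chain.endswith('_LO'):
            tail = rules[chain][-2:]
            if len(tail) < 2 or '-j LOG' not in tail[0] or tail[1] != '-j DROP':
                bad.append(chain)
    return sorted(bad)
```

Running both checks over the full dump posted above (read from a file instead of SAMPLE) reports nothing for either, which is the expected result for this ruleset.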