Thanks for the quick reply. So far, no crashes on the standby, which gets a little traffic. I'll run it on the active firewall on Friday but expect the same.

-- James

On 10/3/12 1:33 PM, "Pablo Neira Ayuso" <pablo@xxxxxxxxxxxxx> wrote:

>On Wed, Oct 03, 2012 at 06:52:08PM +0000, Gutholm, James wrote:
>>
>> Under heavy load conntrackd is crashing. Running under gdb I was able
>> to determine that the crashes are caused by an unchecked null pointer
>> returned by nfexp_get_attr in both exp_filter_find() in filter.c and
>> exp_build_str() in build.c
>>
>> This only happens when expectation sync is being used. Setting
>> "ExpectationSync Off" in conntrackd.conf stops the crashes.
>>
>> I coded in a couple of checks on the pointer returned which at least
>> stop the errors. I've included the changes as diffs and also the gdb
>> output in case it is helpful. If there's something else I can provide,
>> I'm happy to help but this might be pushing the limit of my expertise.
>>
>> James
>>
>> This is on RHEL6 (2.6.32-300.32.2.el6uek.x86_64) with conntrack-tool
>> built from source.
>
>I see, I forgot to document that Linux kernel >= 3.5 is required to get
>ExpectationSync working flawlessly.
>
>I have attached the following patch. It fixes the crash and documents
>this accordingly, but you will still have to upgrade your kernel if you
>want expectation synchronization.
>
>BTW, thanks a lot for the report, really accurate.
>
>I'd appreciate it if you give it a test, just to make sure we don't crash
>anymore, even if you will not get the expectsync feature working
>correctly in all possible scenarios.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
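The failure mode in the report is a getter that legitimately returns NULL (an attribute the kernel never sent) being dereferenced by the caller. The following is an added illustration, not code from conntrackd or libnetfilter_conntrack: `nf_expect_stub`, `stub_get_attr`, the `exp_build_str_safe` and `exp_filter_find_safe` functions and the tuple layout are all constructed stand-ins that only mimic the NULL-on-missing-attribute contract of `nfexp_get_attr()`, and show the callers returning a "missing" status instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an expectation object. Attributes may be absent
 * (e.g. not sent by older kernels); the getter then returns NULL, which is
 * the behaviour the crash report attributes to nfexp_get_attr(). */
enum exp_attr { EXP_MASTER, EXP_EXPECTED, EXP_ATTR_MAX };

struct tuple { unsigned int src, dst; unsigned short sport, dport; };

struct nf_expect_stub {
    struct tuple tuples[EXP_ATTR_MAX];
    bool set[EXP_ATTR_MAX];   /* which attributes were actually received */
};

/* Mimics nfexp_get_attr(): NULL when the attribute was never set. */
static const struct tuple *stub_get_attr(const struct nf_expect_stub *exp, enum exp_attr a)
{
    return exp->set[a] ? &exp->tuples[a] : NULL;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport && a->dport == b->dport;
}

/* Hardened equivalent of exp_build_str(): -1 when a needed attribute is
 * missing, 0 with a formatted line otherwise. No dereference before the check. */
static int exp_build_str_safe(const struct nf_expect_stub *exp, char *buf, size_t len)
{
    const struct tuple *m = stub_get_attr(exp, EXP_MASTER);
    const struct tuple *e = stub_get_attr(exp, EXP_EXPECTED);
    if (m == NULL || e == NULL)
        return -1;
    snprintf(buf, len, "master=%u:%u->%u:%u expected=%u:%u->%u:%u",
             m->src, m->sport, m->dst, m->dport, e->src, e->sport, e->dst, e->dport);
    return 0;
}

/* Hardened equivalent of exp_filter_find(): an expectation without a master
 * tuple is reported as "not matched" rather than dereferenced. */
static bool exp_filter_find_safe(const struct nf_expect_stub *exp,
                                 const struct tuple *filter, size_t n)
{
    const struct tuple *m = stub_get_attr(exp, EXP_MASTER);
    if (m == NULL)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tuple_eq(m, &filter[i]))
            return true;
    return false;
}
```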