Re: conntrackd [ERROR] commit: Invalid argument

On Wednesday 11 June 2008 15:25, Pablo Neira Ayuso wrote:
> Hi Marco,
> Marco Barbero wrote:
> > conntrack-tools-0.9.7
> > libnetfilter_conntrack-0.0.94
> > libnfnetlink-0.0.38
> >
> > kernel 2.6.25.5
> > Mode ALARM
> >
> > conntrackd -c from node master:
> >
> > looking logs:
> >
> > a lot of  [ERROR] commit: Invalid argument
> > Mon Jun  9 15:01:26 2008        tcp      6 180 TIME_WAIT
> > src=192.168.200.14 dst=62.149.195.137 sport=47144 dport=80 src=x.x.x.x
> > dst=192.168.200.14 sport=80 dport=47144 [ASSURED] mark=0
> >
> > and at the end:
> >
> > [Mon Jun  9 15:01:26 2008] (pid=13176) [notice] Committed 1172 new entries
> > [Mon Jun  9 15:01:26 2008] (pid=13176) [notice] 3294 entries can't be committed
> >
> > Any hints?
>
> Are your scripts committing the entries twice (ie. invoking conntrackd
> -c several times)? 

In my case - yes I did.

> The only way to reproduce this that I have found is 
> to double insert an existing conntrack with some NAT handling. In the
> upcoming 2.6.26 you'll get a EBUSY instead of EINVAL which sounds more
> reasonable.
>
> Anyhow, does the patch attached fix this behaviour? The idea behind it
> is to check if there is a conntrack present in kernel, if so, just
> update the attributes of the conntrack object that are changeable to
> avoid the error. Would you mind testing it?

Thanks for the patch!
Now I see no more "commit: Invalid argument" in the logs. Instead I get 
something like this, which looks much friendlier:

Jun 11 15:36:48 fw1b conntrack-tools[13273]: committing external cache
Jun 11 15:36:48 fw1b conntrack-tools[13273]: Committed 69 new entries
Jun 11 15:36:48 fw1b conntrack-tools[13273]: 53 entries ignored, already exist

But in rare cases I can see "commit-create: Cannot allocate memory".
I also noticed this a few times before applying this patch. Is this something 
I should worry about?

Jun 11 15:40:07 fw1b conntrack-tools[13383]: committing external cache
Jun 11 15:40:07 fw1b conntrack-tools[13383]: commit-create: Cannot allocate memory
Jun 11 15:40:07 fw1b conntrack-tools[13383]: Committed 33 new entries
Jun 11 15:40:07 fw1b conntrack-tools[13383]: 25 entries ignored, already exist
Jun 11 15:40:07 fw1b conntrack-tools[13383]: 1 entries can't be committed

Thanks,
-Rainer
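
Added example, not part of the original thread or of conntrack-tools: a Python summarizer for the syslog lines quoted in the message above, grouping them per commit run and flagging runs where entries could not be committed. The syslog layout and the function names `summarize` and `incomplete` are assumptions based only on the lines shown here.

```python
import re

# Constructed sample: the two commit runs quoted above, wrapped line rejoined.
SAMPLE = """\
Jun 11 15:36:48 fw1b conntrack-tools[13273]: committing external cache
Jun 11 15:36:48 fw1b conntrack-tools[13273]: Committed 69 new entries
Jun 11 15:36:48 fw1b conntrack-tools[13273]: 53 entries ignored, already exist
Jun 11 15:40:07 fw1b conntrack-tools[13383]: committing external cache
Jun 11 15:40:07 fw1b conntrack-tools[13383]: commit-create: Cannot allocate memory
Jun 11 15:40:07 fw1b conntrack-tools[13383]: Committed 33 new entries
Jun 11 15:40:07 fw1b conntrack-tools[13383]: 25 entries ignored, already exist
Jun 11 15:40:07 fw1b conntrack-tools[13383]: 1 entries can't be committed
""".splitlines()

# Assumed syslog layout: "<timestamp> <host> conntrack-tools[<pid>]: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ conntrack-tools\[(\d+)\]: (.*)$")
COUNTERS = {
    "committed": re.compile(r"^Committed (\d+) new entries$"),
    "ignored": re.compile(r"^(\d+) entries ignored, already exist$"),
    "failed": re.compile(r"^(\d+) entries can't be committed$"),
}
ERROR = re.compile(r"^commit[\w-]*: .+$")

def summarize(lines):
    """Group conntrackd commit messages into one record per commit run."""
    runs, current = [], {}  # current maps pid -> the run it is reporting on
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        if msg == "committing external cache":  # start of a new run
            current[pid] = {"pid": pid, "start": ts, "committed": 0,
                            "ignored": 0, "failed": 0, "errors": {}}
            runs.append(current[pid])
        elif pid in current:
            run = current[pid]
            for key, rx in COUNTERS.items():
                c = rx.match(msg)
                if c:
                    run[key] += int(c.group(1))
            if ERROR.match(msg):  # e.g. "commit-create: Cannot allocate memory"
                run["errors"][msg] = run["errors"].get(msg, 0) + 1
    return runs

def incomplete(runs):
    """Runs in which at least one entry did not reach the kernel table."""
    return [r for r in runs if r["failed"] or r["errors"]]
```
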