Re: BUG: soft lockup on kernel 5.19.9 when attempting FTP connections

Ah, that was the reason why, after updating our Fedora 36 based firewall from 5.18.8 to 5.19.7, everything looked fine from 1:00 AM to 4:40 AM and then it started to crash at 5:00 AM several times until VMware HA gave up resetting the VM.

I didn't wish to see my boss for the first time since 2019 in front of my apartment because of this, and Google broke Android's "repeated callers are allowed" to ring...

----------------

And no, I didn't have anything useful in the serial console file on the host except tons of "CPU#1 stuck for MANYs!"

Obviously the webcams of some customers are starting to upload images at that time every few minutes.....

On 20.09.22 at 16:12, Bruno de Paula Larini wrote:
While testing my iptables ruleset on a Fedora 36, I've encountered an unexpected behaviour regarding FTP connection forwarding.
I've reduced the ruleset to look like below.
I've tried to "modprobe nf_conntrack_ftp" alone, but external clients still won't get data connections. Then I "modprobe nf_nat_ftp". It loads normally but after the first attempt to establish an FTP connection, the system freezes and sometimes prints the following message:

Message from syslogd@fw1-test at Sep 20 09:33:28 ...
  kernel:watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [swapper/1:0]

This problem happens on the newest Fedora 36 stock kernel as of 20/09/2022, version 5.19.9-200.fc36.x86_64 (and at least on the previous 5.19.8-200.fc36.x86_64), but (apparently) works normally on version 5.17.5-300.fc36.x86_64, which was the default kernel from ISO install.

Is it a bug, maybe?
Just wanted to report this, maybe someone on this list can do something about it.


### My eclipsed ruleset in which this problem happens
# eth0: LAN
# eth1: Public
# 192.168.22.5: internal FTP server

iptables -P INPUT DROP
iptables -P FORWARD DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.22.0/24 -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.22.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.22.5 -p tcp --dport 21 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.22.5
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


