Re: [Shorewall-users] Call Trace with conntrak shorewall 5.0.15.6 on Debian 9.4

OddieX Sat, 21 Apr 2018 23:31:48 -0700

2018-04-21 13:01 GMT-03:00 Tom Eastep <teas...@shorewall.net>:
> On 04/20/2018 05:53 PM, OddieX wrote:
>> Have an issue!
>>
>> I runing Shorewall 5.0.15.6 on Debian 9.4 over Xen... When I put
>> conntrak file and restart shorewall, have the following error or
>> similar call trace with diferents tasks:
>>
>>
>> Apr 20 16:06:04 proxy kernel: [11934.459248] INFO: rcu_sched
>> self-detected stall on CPU
>> Apr 20 16:06:04 proxy kernel: [11934.459248]    3-...: (1 GPs behind)
>> idle=281/140000000000001/0 softirq=281310/281311 fqs=2616
>> Apr 20 16:06:04 proxy kernel: [11934.459248]     (t=5251 jiffies
>> g=863760 c=863759 q=8428)
>> Apr 20 16:06:04 proxy kernel: [11934.459248] Task dump for CPU 3:
>> Apr 20 16:06:04 proxy kernel: [11934.459248] ext_ldap_group_ R
>> running task        0  1510   1508 0x00000008
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  ffffffff81d18cc0
>> ffffffff810a487b 0000000000000003 ffffffff81d18cc0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  ffffffff8117d54b
>> ffff8803eb8d9680 ffffffff81c4fc00 0000000000000000
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  ffffffff81d18cc0
>> 00000000ffffffff ffffffff810e00ca 0000000000000000
>> Apr 20 16:06:04 proxy kernel: [11934.459248] Call Trace:
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  <IRQ>
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810a487b>] ?
>> sched_show_task+0xcb/0x130
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8117d54b>] ?
>> rcu_dump_cpu_stacks+0x92/0xb2
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810e00ca>] ?
>> rcu_check_callbacks+0x75a/0x8b0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810f6070>] ?
>> tick_sched_handle.isra.12+0x50/0x50
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810e6c88>] ?
>> update_process_times+0x28/0x50
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810f6040>] ?
>> tick_sched_handle.isra.12+0x20/0x50
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810f60a8>] ?
>> tick_sched_timer+0x38/0x70
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810e771e>] ?
>> __hrtimer_run_queues+0xde/0x250
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810e7dfc>] ?
>> hrtimer_interrupt+0x9c/0x1a0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8101b98e>] ?
>> xen_timer_interrupt+0x1e/0x30
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810d1dde>] ?
>> __handle_irq_event_percpu+0x7e/0x1a0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810d1f30>] ?
>> handle_irq_event_percpu+0x30/0x70
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810d5f7a>] ?
>> handle_percpu_irq+0x3a/0x60
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810d1137>] ?
>> generic_handle_irq+0x27/0x30
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8140d597>] ?
>> __evtchn_fifo_handle_events+0x187/0x1b0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8140a222>] ?
>> __xen_evtchn_do_upcall+0x42/0x80
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8140c2ec>] ?
>> xen_evtchn_do_upcall+0x2c/0x40
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8161236e>] ?
>> xen_do_hypervisor_callback+0x1e/0x40
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  <EOI>
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8100122a>] ?
>> xen_hypercall_xen_version+0xa/0x20
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8100122a>] ?
>> xen_hypercall_xen_version+0xa/0x20
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8101b8c9>] ?
>> xen_force_evtchn_callback+0x9/0x10
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8101bf52>] ?
>> check_events+0x12/0x20
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8101bf3f>] ?
>> xen_restore_fl_direct_reloc+0x4/0x4
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810ce8db>] ?
>> console_unlock+0x24b/0x610
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810cefb6>] ?
>> vprintk_emit+0x316/0x4d0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff810c02e0>] ?
>> cpuacct_stats_show+0x90/0x100
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8117d2f3>] ?
>> printk+0x5a/0x76
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81544380>] ?
>> nf_log_buf_close+0x20/0x50
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81543e1d>] ?
>> nf_log_packet+0xdd/0x120
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8158d236>] ?
>> inet_dev_addr_type+0xa6/0xf0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffffc0285077>] ?
>> log_tg+0x67/0x90 [xt_LOG]
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffffc008ce36>] ?
>> ipt_do_table+0x306/0x620 [ip_tables]
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffffc02de050>] ?
>> iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffffc021e207>] ?
>> __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81543654>] ?
>> nf_iterate+0x54/0x60
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff815436c7>] ?
>> nf_hook_slow+0x67/0xc0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8154fc13>] ?
>> __ip_local_out+0xe3/0x150
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8154dcf0>] ?
>> ip_forward_options+0x1b0/0x1b0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8154fc97>] ?
>> ip_local_out+0x17/0x40
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81568640>] ?
>> tcp_transmit_skb+0x510/0x970
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8156a0cf>] ?
>> tcp_connect+0x64f/0x8a0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff814ff59d>] ?
>> secure_tcp_sequence_number+0x7d/0xd0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff8156f651>] ?
>> tcp_v4_connect+0x2c1/0x470
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81585cbc>] ?
>> __inet_stream_connect+0xbc/0x300
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff811e386c>] ?
>> kmem_cache_alloc+0x9c/0x530
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81585f33>] ?
>> inet_stream_connect+0x33/0x50
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff814ebdd5>] ?
>> SYSC_connect+0xc5/0xf0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff814e9367>] ?
>> sock_alloc_file+0xa7/0x140
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff814ecab2>] ?
>> SyS_setsockopt+0x82/0xf0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff81003b7f>] ?
>> do_syscall_64+0x8f/0xf0
>> Apr 20 16:06:04 proxy kernel: [11934.459248]  [<ffffffff816113b8>] ?
>> entry_SYSCALL_64_after_swapgs+0x42/0xb0
>>
>>
>>
>> If I delete the conntrak file, this error do not appear!
>>
>> Someone can help me?
>>
>> Tank U!
>
> This is obviously a kernel issue and not something in Shorewall; it
> should be reported to Debian.
>
> What are the contents of your conntrack file?
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>



Have a default conntrak file!

?if $AUTOHELPERS && __CT_TARGET

?if __AMANDA_HELPER
CT:helper:amanda:PO     -               -               udp     10080
?endif

?if __FTP_HELPER
CT:helper:ftp:PO        -               -               tcp     21
?endif

?if __H323_HELPER
CT:helper:RAS:PO        -               -               udp     1719
CT:helper:Q.931:PO      -               -               tcp     1720
?endif

?if __IRC_HELPER
CT:helper:irc:PO        -               -               tcp     6667
?endif

?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns:PO -               -               udp     137
?endif

?if __PPTP_HELPER
CT:helper:pptp:PO       -               -               tcp     1723
?endif

?if __SANE_HELPER
CT:helper:sane:PO       -               -               tcp     6566
?endif

?if __SIP_HELPER
CT:helper:sip:PO        -               -               udp     5060
?endif

?if __SNMP_HELPER
CT:helper:snmp:PO       -               -               udp     161
?endif

?if __TFTP_HELPER
CT:helper:tftp:PO       -               -               udp     69
?endif

?endif



How could I know exactly which module of the kernel is failing?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] Call Trace with conntrak shorewall 5.0.15.6 on Debian 9.4

Reply via email to