On Tue, Feb 11, 2020 at 5:33 PM Witold Tosta <witold.to...@gmail.com> wrote:

> > > Now, xt_geoip is never loaded (nor are the other ones).
>
> Could you please explain why you don't want the module xt_geoip to be
> loaded? For a Linux system, loading it really doesn't matter.
Why? Well, I've been using xt_geoip and xtables-addons for years without issues, but recently I'm having nightmares.

With recent kernels on different hardware I get very worrisome kernel traces in syslog. Things like:

WARNING: CPU: 6 PID: 0 at net/ipv4/tcp_output.c:915 tcp_wfree.cold+0xc/0x13

It's always about tcp_output.c:915. Oh, and I've tried a whole bunch of kernel versions. I even suffered a system freeze/kernel panic after just one week of system uptime (the traces were the same).

Regardless of the root cause, the main issue regarding the xt_geoip and xtables-addons modules (which are not properly signed) was that whenever there's a trace, the kernel reports that it's tainted because of out-of-tree modules. People on the Linux kernel mailing lists will simply ignore my bug reports if the kernel states that it's tainted.

Further details here for those who might be curious:
https://forums.gentoo.org/viewtopic-p-8419232.html?sid=ef4e980cc09c8f5029c827aa11d42f1b#8419232

So, yes, xt_geoip is great and probably faster than an ipset-based alternative. There's also some doubt as to whether xt_geoip can be used with nftables. Anyway, my main concern now is these dreaded kernel messages.

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
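To see exactly which taint flags a kernel like the one above is reporting, and which loaded modules are responsible, here is an added helper script (not part of the thread or of xtables-addons). It decodes the bitmask in /proc/sys/kernel/tainted using the letter assignments from Documentation/admin-guide/tainted-kernels.rst (bit 9 W is set by a WARNING such as the tcp_output.c one, bit 12 O by an out-of-tree module, bit 13 E by an unsigned module) and scans /sys/module/*/taint for modules carrying O or E; the directory arguments are there only so it can be exercised on a constructed tree.

```shell
#!/bin/sh
# Decode the kernel taint bitmask and name the loaded modules that taint it.
# Usage: ./taint.sh                 decode the live kernel (/proc, /sys)
#        ./taint.sh 4096 /some/dir  decode a given value / module tree (for testing)

# Taint letters in bit order, bit 0 first (from tainted-kernels.rst):
# 0 P proprietary, 1 F forced load, 2 S SMP-unsafe, 3 R forced unload,
# 4 M machine check, 5 B bad page, 6 U user request, 7 D oops/BUG,
# 8 A ACPI override, 9 W WARN(), 10 C staging, 11 I firmware workaround,
# 12 O out-of-tree module, 13 E unsigned module, 14 L soft lockup,
# 15 K live patched, 16 X auxiliary, 17 T randstruct.
TAINT_LETTERS="P F S R M B U D A W C I O E L K X T"

# decode_taint VALUE -> prints the letters whose bits are set, e.g. 4096 -> "O"
decode_taint() {
    value=$1; bit=0; out=""
    for letter in $TAINT_LETTERS; do
        if [ $(( (value >> bit) & 1 )) -eq 1 ]; then out="$out$letter"; fi
        bit=$((bit + 1))
    done
    printf '%s' "$out"
}

# tainting_modules [ROOT] -> "name flags" for each module whose taint file
# contains O (out-of-tree) or E (unsigned); ROOT defaults to /sys/module.
tainting_modules() {
    root=${1:-/sys/module}
    for f in "$root"/*/taint; do
        [ -r "$f" ] || continue
        t=$(cat "$f")
        case $t in
            *O*|*E*) printf '%s %s\n' "$(basename "$(dirname "$f")")" "$t" ;;
        esac
    done
}

# report [VALUE] [ROOT]: VALUE defaults to the live kernel's taint value.
report() {
    tainted=${1:-$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)}
    printf 'tainted=%s flags=[%s]\n' "$tainted" "$(decode_taint "$tainted")"
    tainting_modules "$2"
}

report "$@"
```

On a box where xt_geoip is loaded from an unsigned xtables-addons build you would expect O and E in the flags and a line such as "xt_geoip OE" in the module list; once a WARNING has fired, W appears as well and stays until reboot.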