prevent the conntrack table from filling up in the kernel

Bug #1270237 reported by Chris J Arges on 2014-01-17

Affects                      Status        Importance  Assigned to     Milestone
linux (Ubuntu)               Fix Released  Undecided   Unassigned
  Precise                    Fix Released  Medium      Chris J Arges
  Quantal                    Fix Released  Medium      Chris J Arges
  Raring                     Invalid       Medium      Unassigned
linux-lts-raring (Ubuntu)    Invalid       Undecided   Unassigned
  Precise                    Fix Released  Medium      Unassigned
  Quantal                    Invalid       Undecided   Unassigned
  Raring                     Invalid       Undecided   Unassigned

Bug Description

[Impact]
When running a server for an extended amount of time the conntrack table can fill up.
Here is the netfilter discussion: http://www.spinics.net/lists/netfilter-devel/msg26759.html

[Fix]
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6547a221871f139cc56328a38105d47c14874cbe

Present in 3.11 and later.

[Test Case]
From the patch:
When loose tracking is enabled (default), non-syn packets cause
creation of new conntracks in established state with default timeout for
established state (5 days). This causes the table to fill up with UNREPLIED
when the 'new ack' packet happened to be the last-ack of a previous,
already timed-out connection.

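The [Test Case] above describes the symptom rather than a command to run: with loose tracking on, a stray ACK (typically the last ACK of an already expired connection) creates a fresh ESTABLISHED conntrack entry that never gets a reply, yet inherits the 5-day established timeout, so the table slowly fills with [UNREPLIED] entries. The script below is an added example, not part of the bug report or of the kernel patch, that makes this observable on a host: it parses /proc/net/nf_conntrack lines, counts TCP entries that are ESTABLISHED and [UNREPLIED] but still carry a timeout above a threshold, and reports how close nf_conntrack_count is to nf_conntrack_max. The conntrack lines embedded in it are constructed for the example, not captured from a real system; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the kernel patch): detect the
# symptom described in LP #1270237, TCP entries picked up mid-stream that sit
# in ESTABLISHED/[UNREPLIED] with a multi-day timeout, and report table pressure.
#
# Input format is that of /proc/net/nf_conntrack:
#   l3proto l3num l4proto l4num timeout [tcp_state] src= dst= ... [UNREPLIED] ...
# The sample below is constructed for this example, not captured from a host.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=51234 dport=443 src=10.0.0.9 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431850 ESTABLISHED src=10.0.0.7 dst=10.0.0.9 sport=40001 dport=80 [UNREPLIED] src=10.0.0.9 dst=10.0.0.7 sport=80 dport=40001 mark=0 use=2
ipv4     2 tcp      6 431700 ESTABLISHED src=10.0.0.8 dst=10.0.0.9 sport=40002 dport=80 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=80 dport=40002 mark=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.6 dst=10.0.0.9 sport=39000 dport=80 src=10.0.0.9 dst=10.0.0.6 sport=80 dport=39000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=2
ipv4     2 tcp      6 290 ESTABLISHED src=10.0.0.4 dst=10.0.0.9 sport=40003 dport=80 [UNREPLIED] src=10.0.0.9 dst=10.0.0.4 sport=80 dport=40003 mark=0 use=2'

# count_stale_unreplied THRESHOLD_SECONDS  < conntrack-lines
# Counts TCP entries in ESTABLISHED that never saw a reply and still carry a
# timeout above THRESHOLD_SECONDS. Two-way ([ASSURED]) flows, non-TCP entries
# and entries already running on a short timer are not counted.
count_stale_unreplied() {
    awk -v thr="$1" '
        $3 == "tcp" && $6 == "ESTABLISHED" && /\[UNREPLIED\]/ && ($5 + 0) > (thr + 0) { n++ }
        END { print n + 0 }'
}

# conntrack_usage_pct COUNT MAX
# Integer percentage of nf_conntrack_max in use; the kernel drops new flows
# with "nf_conntrack: table full" once COUNT reaches MAX.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_live_host [THRESHOLD_SECONDS]
# Runs the same checks against the running kernel. Reading /proc/net/nf_conntrack
# needs root; where the files are unavailable the function prints nothing and returns 0.
check_live_host() {
    thr="${1:-3600}"
    sysdir=/proc/sys/net/netfilter
    [ -r "$sysdir/nf_conntrack_count" ] && [ -r /proc/net/nf_conntrack ] || return 0
    count=$(cat "$sysdir/nf_conntrack_count")
    max=$(cat "$sysdir/nf_conntrack_max")
    stale=$(count_stale_unreplied "$thr" < /proc/net/nf_conntrack)
    echo "conntrack: $count/$max entries ($(conntrack_usage_pct "$count" "$max")%), $stale stale UNREPLIED tcp entries above ${thr}s"
}

# Demo on the constructed sample: two entries still hold a roughly 5-day
# timeout without ever having seen a reply, which is the pattern the patch removes.
printf '%s\n' "$SAMPLE_CONNTRACK" | count_stale_unreplied 3600
conntrack_usage_pct 65000 65536
check_live_host
```

On a patched kernel (the "netfilter: nf_conntrack: avoid large timeout for mid-stream pickup" change listed in the changelogs below) the count of stale UNREPLIED entries should stay near zero over time; on an unpatched long-running server it grows until the usage percentage approaches 100. The 3600-second threshold is an example value chosen to separate the default 5-day established timeout from the much shorter timers a healthy table shows; raise or lower it to suit the host's configured nf_conntrack_tcp_timeout_established.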
Chris J Arges (arges) on 2014-01-17
description: updated
Changed in linux (Ubuntu Precise):
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu):
assignee: Chris J Arges (arges) → nobody
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: New → In Progress
Changed in linux (Ubuntu Quantal):
status: New → In Progress
Changed in linux (Ubuntu Raring):
status: New → In Progress
Changed in linux (Ubuntu Quantal):
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu Raring):
importance: Undecided → Medium
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux (Ubuntu Quantal):
importance: Undecided → Medium
Chris J Arges (arges) on 2014-02-07
Changed in linux (Ubuntu Raring):
status: In Progress → Won't Fix
assignee: Chris J Arges (arges) → nobody
status: Won't Fix → In Progress
assignee: nobody → Chris J Arges (arges)
Andy Whitcroft (apw) on 2014-02-10
Changed in linux-lts-raring (Ubuntu Precise):
importance: Undecided → Medium
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu Raring):
assignee: Chris J Arges (arges) → nobody
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Raring):
status: New → Invalid
Changed in linux (Ubuntu Raring):
status: In Progress → Invalid
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
tags: added: verification-needed-quantal
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Chris J Arges (arges) on 2014-02-28
tags: added: verification-done-precise verification-done-quantal
removed: verification-needed-precise verification-needed-quantal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-60.91

---------------
linux (3.2.0-60.91) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1281800

  [ Andy Whitcroft ]

  * [Config] d-i -- add xts.ko to crypto-modules udeb
    - LP: #1276739

  [ Upstream Kernel Changes ]

  * ath9k_htc: properly set MAC address and BSSID mask
    - LP: #1252422
    - CVE-2013-4579
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * net: do not pretend FRAGLIST support
    - LP: #1281620
  * rds: prevent BUG_ON triggered on congestion update to loopback
    - LP: #1281620
  * ipv6: don't count addrconf generated routes against gc limit
    - LP: #1281620
  * net: drop_monitor: fix the value of maxattr
    - LP: #1281620
  * tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0
    - LP: #1281620
  * net: unix: allow bind to fail on mutex lock
    - LP: #1281620
  * net: inet_diag: zero out uninitialized idiag_{src,dst} fields
    - LP: #1281620
  * drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
    - LP: #1281620
  * hamradio/yam: fix info leak in ioctl
    - LP: #1281620
  * rds: prevent dereference of a NULL device
    - LP: #1281620
  * net: rose: restore old recvmsg behavior
    - LP: #1281620
  * vlan: Fix header ops passthru when doing TX VLAN offload.
    - LP: #1281620
  * net: llc: fix use after free in llc_ui_recvmsg
    - LP: #1281620
  * bridge: use spin_lock_bh() in br_multicast_set_hash_max
    - LP: #1281620
  * bnx2x: fix DMA unmapping of TSO split BDs
    - LP: #1281620
  * inet_diag: fix inet_diag_dump_icsk() timewait socket state logic
    - LP: #1281620
  * net: avoid reference counter overflows on fib_rules in multicast
    forwarding
    - LP: #1281620
  * xfs: Account log unmount transaction correctly
    - LP: #1281620
  * PCI: Enable ARI if dev and upstream bridge support it; disable
    otherwise
    - LP: #1281620
  * mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate
    successfully
    - LP: #1281620
  * staging: comedi: cb_pcidio: fix for newer PCI-DIO48H
    - LP: #1281620
  * Fix warning from machine_kexec.c
    - LP: #1281620
  * hpfs: fix warnings when the filesystem fills up
    - LP: #1281620
  * KVM: x86: Convert vapic synchronization to _cached functions
    (CVE-2013-6368)
    - LP: #1281620
  * x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround
    - LP: #1281620
  * mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr
    - LP: #1281620
  * ceph: cleanup aborted requests when re-sending requests.
    - LP: #1281620
  * ceph: wake up 'safe' waiters when unregistering request
    - LP: #1281620
  * sh: always link in helper functions extracted from libgcc
    - LP: #1281620
  * libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus
    SpinPoint M8
    - LP: #1281620
  * ext4: call ext4_error_inode() if jbd2_journal_dirty_metadata() fails
    - LP: #1281620
  * ext4: fix use-after-free in ext4_mb_new_blocks
    - LP: #1281620
  * ext4: check for overlapping extents in ext4_valid_extent_entries()
    - LP: #1281620
  * ext2: Fix oops in ext2_get_block() called from ext2_quota_write()
    - LP...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-47.71

---------------
linux (3.5.0-47.71) quantal; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1281828

  [ Upstream Kernel Changes ]

  * Revert "mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr"
    - LP: #1277722
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
    - LP: #1270237
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * lirc_zilog: Don't use dynamic static allocation
    - LP: #1277722
  * net: Fix "ip rule delete table 256"
    - LP: #1277722
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1277722
  * random32: fix off-by-one in seeding requirement
    - LP: #1277722
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1277722
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1277722
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1277722
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1277722
  * connector: improved unaligned access error fix
    - LP: #1277722
  * ipv4: fix possible seqlock deadlock
    - LP: #1277722
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1277722
  * atm: idt77252: fix dev refcnt leak
    - LP: #1277722
  * net: core: Always propagate flag changes to interfaces
    - LP: #1277722
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1277722
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1277722
  * packet: fix use after free race in send path when dev is released
    - LP: #1277722
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1277722
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1277722
  * net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
    - LP: #1277722
  * inet: fix possible seqlock deadlocks
    - LP: #1277722
  * ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - LP: #1277722
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1277722
  * {pktgen, xfrm} Update IPv4 header total len and checksum after
    tranformation
    - LP: #1277722
  * bridge: flush br's address entry in fdb when remove the
    - LP: #1277722
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1277722
  * NFSv4: Update list of irrecoverable errors on DELEGRETURN
    - LP: #1277722
  * Update of blkg_stat and blkg_rwstat may happen in bh context. While
    u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This
    is not enough to avoid preemption by bh and may read strange 64 bit
    value.
    - LP: #1277722
  * ASoC: wm8990: Mark the register map as dirty when powering down
    - LP: #1277722
  * irq: Enable all irqs unconditionally in irq_resume
    - LP: #1277722
  * xen/gnttab: leave lazy MMU mode in the case of a m2p override failure
    - LP: #1277722
  * libsas: fix usage of ata_tf_to_f...

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote :

This patch was also released in:

Ubuntu-lts-3.8.0-37.53

Changed in linux-lts-raring (Ubuntu Precise):
assignee: Chris J Arges (arges) → nobody
status: Fix Committed → Won't Fix
status: Won't Fix → Fix Committed
status: Fix Committed → Fix Released