From: Florian Westphal <fw@strlen.de>
To: "Toralf Förster" <toralf.foerster@gmx.de>
Cc: netfilter-devel@vger.kernel.org,
	Linux Kernel <linux-kernel@vger.kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	kaber@trash.net, Marcelo Leitner <mleitner@redhat.com>
Subject: Re: nf_conntrack: falling back to vmalloc.
Date: Fri, 17 Jul 2015 12:10:09 +0200	[thread overview]
Message-ID: <20150717101009.GN25674@breakpoint.cc> (raw)
In-Reply-To: <55A8C428.1000005@gmx.de>

Toralf Förster <toralf.foerster@gmx.de> wrote:
> I do run a server with a 64 bit hardened Gentoo Linux (kernel currently 4.0.8).
> Around 12th of July it started to spew those messages into kern.log :
> 
> /var/log/kern.log:Jul 12 15:26:07 tor-relay kernel: [538360.650490] nf_conntrack: falling back to vmalloc.
> /var/log/kern.log:Jul 12 15:26:07 tor-relay kernel: [538360.650615] nf_conntrack: falling back to vmalloc.
> /var/log/kern.log:Jul 12 15:26:08 tor-relay kernel: [538361.673649] nf_conntrack: falling back to vmalloc.
> /var/log/kern.log:Jul 12 15:26:08 tor-relay kernel: [538361.673786] nf_conntrack: falling back to vmalloc.
> 
> I read https://bugzilla.openvz.org/show_bug.cgi?id=3092 but a reboot did not help.
> I got 1-2 thousands of those lines per day.

Most likely result of 88eab472ec21f01d3e36ff ("netfilter: conntrack:
adjust nf_conntrack_buckets default value").

Do you run containers?

This message can only be printed when a new network namespace is created
(or something is rmmod/modprobing nf_conntrack module all the time).

I wonder if this is caused by some program creating netns for
sandboxing?

Pablo, Patrick -- any idea on how to stop conntrack from becoming active
in a newly created netns automatically without breaking anything?

With upcoming per netns hooks, we might be able to delay registering
conntrack, defrag etc.  until after a -m conntrack rule has been added.
Do you think that could work?

For nft we could create an expression to configure conntrack explicitly
(inverse NOTRACK).

[ obviously we can also add that for xtables but that would break
  setups if we suddenly move to "you must ask for conntrack via
  ruleset" model. ]
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
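Florian's diagnosis above is that the message can only appear when a network namespace is created (or the module is reloaded), so the practical check is to compare the message rate with namespace churn on the host. The following POSIX shell script is an added example, not code from this thread or from the netfilter project: it counts the fallback messages in a kern.log-style file per day, groups messages whose uptime stamps lie within one second of each other into one burst (a rough proxy for one namespace creation, since the quoted log shows the message in pairs), and lists the distinct network namespaces visible in /proc with the number of processes in each. The log lines embedded in it are constructed to mimic the format quoted in the thread; they are not the poster's real log. The one-second burst window is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread): summarise
# "nf_conntrack: falling back to vmalloc." messages and list the network
# namespaces present on this host, so the two can be compared.

# Constructed sample in the quoted kern.log format (some lines carry the
# "/var/log/kern.log:" prefix that grep adds when searching several files).
SAMPLE_LOG=$(cat <<'EOF'
/var/log/kern.log:Jul 12 15:26:07 tor-relay kernel: [538360.650490] nf_conntrack: falling back to vmalloc.
/var/log/kern.log:Jul 12 15:26:07 tor-relay kernel: [538360.650615] nf_conntrack: falling back to vmalloc.
Jul 12 15:26:08 tor-relay kernel: [538361.673649] nf_conntrack: falling back to vmalloc.
Jul 12 15:26:08 tor-relay kernel: [538361.673786] nf_conntrack: falling back to vmalloc.
Jul 12 15:30:01 tor-relay kernel: [538594.100000] nf_conntrack: falling back to vmalloc.
Jul 12 15:30:01 tor-relay kernel: [538594.100150] nf_conntrack: falling back to vmalloc.
Jul 13 02:00:00 tor-relay kernel: [576580.000000] nf_conntrack: falling back to vmalloc.
Jul 13 02:00:00 tor-relay kernel: [576580.000120] nf_conntrack: falling back to vmalloc.
Jul 13 02:00:00 tor-relay kernel: [576580.300000] eth0: link is up
EOF
)

MSG='nf_conntrack: falling back to vmalloc'

# Drop an optional "/path/to/kern.log:" prefix so fields line up.
strip_prefix() { sed 's#^/[^ ]*kern\.log:##'; }

# count_fallbacks FILE: total number of fallback messages.
count_fallbacks() {
    grep -c "$MSG" "$1"
}

# fallbacks_per_day FILE: prints "Mon DD count" per calendar day, in log order.
fallbacks_per_day() {
    grep "$MSG" "$1" | strip_prefix \
      | awk '{ key = $1 " " $2
               if (!(key in seen)) { seen[key] = 1; order[++n] = key }
               c[key]++ }
             END { for (i = 1; i <= n; i++) print order[i], c[order[i]] }'
}

# fallback_bursts FILE: messages whose [uptime] stamps are within 1 s of the
# previous message are counted as one burst (assumed window); prints the
# number of bursts, i.e. candidate namespace-creation events.
fallback_bursts() {
    grep "$MSG" "$1" \
      | sed -n 's/.*\[ *\([0-9.]*\)\].*/\1/p' \
      | awk 'BEGIN { n = 0; last = -1e9 }
             { if ($1 - last > 1) n++; last = $1 }
             END { print n }'
}

# list_netns: distinct network namespace inodes in /proc and how many
# processes live in each. Unreadable entries (other users' processes
# without privilege) are skipped; output is empty without /proc.
list_netns() {
    for p in /proc/[0-9]*; do
        readlink "$p/ns/net" 2>/dev/null || true
    done | sort | uniq -c | sort -rn
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "total fallback messages: $(count_fallbacks "$tmp")"
    echo "per day:"
    fallbacks_per_day "$tmp"
    echo "bursts (candidate netns creations): $(fallback_bursts "$tmp")"
    echo "network namespaces on this host (count, inode):"
    list_netns
    rm -f "$tmp"
}

main
```

Run it as root on the affected host after replacing SAMPLE_LOG with the real file (`fallbacks_per_day /var/log/kern.log`); a burst count that tracks the number of namespaces coming and going (containers, `ip netns`, `unshare -n` sandboxes) supports the explanation in the thread, while a steady rate with a single namespace points at the module-reload case instead.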


Thread overview: 7+ messages
2015-07-17  9:00 nf_conntrack: falling back to vmalloc Toralf Förster
2015-07-17 10:10 ` Florian Westphal [this message]
2015-07-17 14:34   ` Toralf Förster
2015-07-17 15:02     ` Florian Westphal
2015-07-23 10:45   ` Pablo Neira Ayuso
