From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Markus Wigge <wigge@bht-berlin.de>
Cc: netfilter@vger.kernel.org
Subject: Re: commit to kernel fails since Debian 12 (bookworm)
Date: Fri, 13 Oct 2023 16:41:41 +0200
Message-ID: <ZSlXJdqfKFxF0OcO@calendula>
In-Reply-To: <faf92623-95a9-4999-b02a-e40108f133ca@bht-berlin.de>

Hi,

On Fri, Oct 13, 2023 at 04:02:01PM +0200, Markus Wigge wrote:
> Hello,
>
> we are encountering a strange problem with conntrackd after upgrading to
> Debian 12 (bookworm).
> First the logs were flooded with errors like this:
> > 2023-10-13T12:49:06.724542+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13
> > 12:49:06 2023] (pid=421008) [warning] could not add new ct entry: Device
> > or resource busy
> > 2023-10-13T12:49:06.724690+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13
> > 12:49:06 2023] (pid=421008) [warning] could not add new ct entry: Device
> > or resource busy
> > 2023-10-13T12:49:06.724847+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13
> > 12:49:06 2023] (pid=421008) [warning] could not add new ct entry: Device
> > or resource busy
> > 2023-10-13T12:49:06.725048+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13
> > 12:49:06 2023] (pid=421008) [warning] could not update ct entry, even if
> > creating it instead: Device or resource busy
> > 2023-10-13T12:49:06.725182+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13 12:49:06 2023] (pid=421008) [warning] could not update ct entry, even if creating it instead: Device or resource busy
> > 2023-10-13T12:49:06.725271+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13 12:49:06 2023] (pid=421008) [warning] could not update ct entry, even if creating it instead: Device or resource busy
> > 2023-10-13T12:49:06.725406+02:00 fw-dc-c conntrackd[421008]: [Fri Oct 13 12:49:06 2023] (pid=421008) [warning] could not update ct entry, even if creating it instead: Device or resource busy

Could you describe your setup? From your report, I can see you are
using:

    DisableExternalCache Off

Is this an active-active asymmetric path cluster?

EBUSY can be triggered in nf_conntrack_netlink.c in a few spots, this
is most likely ct status flags and conntrackd losing race to update
an entry that is being picked up from packet path.

Is your ruleset dropping invalid packets to disable lazy pick up?
That is, nf_conntrack_tcp_loose sysctl is set to zero.
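
The two things the reply above asks about (whether the ruleset drops invalid packets, and whether nf_conntrack_tcp_loose is zero) can be read off the firewall directly. The script below is an added example, not part of the original message or of conntrack-tools; its function names and output labels are hypothetical and the sample ruleset is constructed.

```sh
#!/bin/sh
# Added example: report the two settings asked about in the reply above.
# Function names and output labels are hypothetical; the sample ruleset is constructed.

# Print "off" when nf_conntrack_tcp_loose is 0, "on" when it is any other
# number, "unknown" when the file is missing (e.g. nf_conntrack not loaded).
tcp_loose_state() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_tcp_loose}"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo off ;;
        ''|*[!0-9]*) echo unknown ;;
        *) echo on ;;
    esac
}

# Count rules in `nft list ruleset` output (stdin) that match the invalid
# conntrack state and end in a drop verdict. grep -c prints 0 but exits 1
# when nothing matches, hence the "|| :".
count_invalid_drops() {
    grep -Ec 'ct state [^#]*invalid.* drop( |$)' || :
}

# Constructed sample of `nft list ruleset` output, for offline runs.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid counter packets 0 bytes 0 drop
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
    }
}
EOF
}

# One-line summary. $1: sysctl file, $2: file holding a ruleset dump.
pickup_report() {
    echo "tcp_loose=$(tcp_loose_state "$1") invalid_drop_rules=$(count_invalid_drops < "$2")"
}
```

On a live firewall, save the output of `nft list ruleset` (run as root) to a file and pass it as the second argument; an empty first argument makes `pickup_report` read the sysctl from /proc.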