Bug#1070685: linux-image-6.1.0-21-amd64: Found Trace in the logs about br_netfilter and nf_conntrack
On Fri, 6 Sep 2024 22:04:27 +0200
Salvatore Bonaccorso <carnil@debian.org> wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On Mon, Sep 02, 2024 at 11:09:42PM +0200, XXX XXX wrote:
> > Hi,
> > this bug seems to be fixed in linux kernel 6.1.107,
> > I suspect the commit that fixed it is:
> >
> > commit 6dcc8ba8a6074bb79040f502dc66ad23a58a1c86
> > Author: Florian Westphal <fw@strlen.de>
> > Date: Wed Aug 7 21:28:41 2024 +0200
> >
> > netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
> >
> > [ Upstream commit 7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb ]
> >
> > Conntrack assumes an unconfirmed entry (not yet committed to global hash
> > table) has a refcount of 1 and is not visible to other cores.
> >
> > With multicast forwarding this assumption breaks down because such
> > skbs get cloned after being picked up, i.e. ct->use refcount is > 1.
> >
> > Likewise, bridge netfilter will clone broad/mutlicast frames and
> > all frames in case they need to be flood-forwarded during learning
> > phase.
> >
> > For ip multicast forwarding or plain bridge flood-forward this will
> > "work" because packets don't leave softirq and are implicitly
> > serialized.
> >
> > With nfqueue this no longer holds true, the packets get queued
> > and can be reinjected in arbitrary ways.
> >
> > Disable this feature, I see no other solution.
> >
> > After this patch, nfqueue cannot queue packets except the last
> > multicast/broadcast packet.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> Would you be able to confirm this? In case this is true, then this
> would imply that the issue should be visible as well current testing
> until <= 6.10.7-1.
>
> Regards,
> Salvatore
Hi,
for sure it was visible in linux-image-6.10.6+bpo-amd64 that I tried from
stable backports after the trace popped up again after upgrading to
linux-image-6.1.0-25-amd64.
So by checking the changelog for the source file and line shown in the traces on kernel.org
I've spotted this patch that was interesting because I use suricata in nfqueue
mode and because the trace happened always at boot (during the learning phase).
So I first erroneously I tried 6.1.106 and the trace was still there
and then 6.1.107 and it was gone.
Hope this helps.
Ciao,
Tito
Reply to: