Why system gets crash shortly after restarting iptables service ?

Solution Verified - Updated -

Issue

  • When iptables service is restarted, system is getting crash with below traces.
ip_tables: (C) 2000-2006 Netfilter Core Team
BUG: unable to handle kernel NULL pointer dereference at 000000000000003e
IP: [<ffffffffa01fef3c>] nf_nat_setup_info+0x55c/0x670 [nf_nat]
PGD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/module/ip_tables/initstate
CPU 0 
Modules linked in: iptable_filter ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 ip_tables ipt_REJECT ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack xt_multiport ip6table_filter ip6_tables ipv6 power_meter iTCO_wdt iTCO_vendor_support dcdbas serio_raw lpc_ich mfd_core ses enclosure sg i7core_edac edac_core e1000e ptp pps_core bnx2 ext4 jbd2 mbcache sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix megaraid_sas wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv4]

Pid: 0, comm: swapper Not tainted 2.6.32-431.5.1.el6.x86_64 #1 Dell Inc. PowerEdge R610/0F0XJ6
RIP: 0010:[<ffffffffa01fef3c>]  [<ffffffffa01fef3c>] nf_nat_setup_info+0x55c/0x670 [nf_nat]
RSP: 0018:ffff880053603720  EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff880c713fdd10 RCX: 0000000000000011
RDX: 0000000000000011 RSI: ffff880c735afaa8 RDI: 0000000028e25985
RBP: ffff8800536037f0 R08: 00000000463ce0c4 R09: 0000000000000002
R10: ffff880c6f0f1508 R11: ffff880053603938 R12: 0000000000000000
R13: ffff880053603800 R14: ffff880053603760 R15: ffff8806fba92770
FS:  0000000000000000(0000) GS:ffff880053600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 000000000000003e CR3: 0000000c7281d000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffffffff81a00000, task ffffffff81a8d020)
Stack:
 ffff8802fde69380 ffffffff81b18540 ffff880053616840 0000000000000000
<d> 0000000000000000 ffff8800536168a8 ffff8800536168d8 ffff8800536168a8
<d> ffff880c7028d538 000000000083ec45 ffff880c7028d500 0000000000000000
Call Trace:
 <IRQ> 
 [<ffffffff81068ff5>] ? enqueue_entity+0x125/0x450
 [<ffffffffa00b01ef>] masquerade_tg+0xcf/0xec [ipt_MASQUERADE]
 [<ffffffffa008520b>] ipt_do_table+0x3cb/0x678 [ip_tables]
 [<ffffffff81065e02>] ? default_wake_function+0x12/0x20
 [<ffffffff81054839>] ? __wake_up_common+0x59/0x90
 [<ffffffffa021f224>] nf_nat_rule_find+0x24/0x80 [iptable_nat]
 [<ffffffffa021f4c1>] nf_nat_fn+0x111/0x260 [iptable_nat]
 [<ffffffffa021f738>] nf_nat_out+0x48/0xd0 [iptable_nat]
 [<ffffffff814895f9>] nf_iterate+0x69/0xb0
 [<ffffffff8149a2a0>] ? ip_finish_output+0x0/0x310
 [<ffffffff814897b6>] nf_hook_slow+0x76/0x120
 [<ffffffff8149a2a0>] ? ip_finish_output+0x0/0x310
 [<ffffffff8149a654>] ip_output+0xa4/0xc0
 [<ffffffff814958ef>] ip_forward_finish+0x4f/0x60
 [<ffffffff81495afc>] ip_forward+0x1fc/0x430
 [<ffffffff81493c1d>] ip_rcv_finish+0x12d/0x440
 [<ffffffff814941a5>] ip_rcv+0x275/0x350
 [<ffffffff8145b74b>] __netif_receive_skb+0x4ab/0x750
 [<ffffffff8145f3b8>] netif_receive_skb+0x58/0x60
 [<ffffffff8145f4c0>] napi_skb_finish+0x50/0x70
 [<ffffffff81460c29>] napi_gro_receive+0x39/0x50
 [<ffffffffa01353af>] bnx2_poll_work+0xdef/0x1290 [bnx2]
 [<ffffffff810149b9>] ? read_tsc+0x9/0x20
 [<ffffffff810a17a0>] ? __blocking_notifier_call_chain+0x20/0x80
 [<ffffffff812987a0>] ? swiotlb_map_page+0x0/0x100
 [<ffffffff814500a0>] ? __alloc_skb+0x50/0x180
 [<ffffffffa013588d>] bnx2_poll_msix+0x3d/0xc0 [bnx2]
 [<ffffffff81460d43>] net_rx_action+0x103/0x2f0
 [<ffffffff8107a8e1>] __do_softirq+0xc1/0x1e0
 [<ffffffff810e6eb0>] ? handle_IRQ_event+0x60/0x170
 [<ffffffff8100c30c>] call_softirq+0x1c/0x30
 [<ffffffff8100fa75>] do_softirq+0x65/0xa0
 [<ffffffff8107a795>] irq_exit+0x85/0x90
 [<ffffffff815312f5>] do_IRQ+0x75/0xf0
 [<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
 <EOI> 
 [<ffffffff812e09ae>] ? intel_idle+0xde/0x170
 [<ffffffff812e0991>] ? intel_idle+0xc1/0x170
 [<ffffffff814268f7>] cpuidle_idle_call+0xa7/0x140
 [<ffffffff81009fc6>] cpu_idle+0xb6/0x110
 [<ffffffff8150cf1a>] rest_init+0x7a/0x80
 [<ffffffff81c26f8f>] start_kernel+0x424/0x430
 [<ffffffff81c2633a>] x86_64_start_reservations+0x125/0x129
 [<ffffffff81c26453>] x86_64_start_kernel+0x115/0x124
Code: 03 49 03 b7 78 02 00 00 4c 8b 3e 4d 85 ff 75 17 e9 f0 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 4d 8b 3f 4d 85 ff 74 68 49 8b 47 20 <38> 50 3e 75 ef 8b 48 18 3b 4d a0 75 e7 0f b7 48 28 66 3b 4d b0 
RIP  [<ffffffffa01fef3c>] nf_nat_setup_info+0x55c/0x670 [nf_nat]
 RSP <ffff880053603720>
CR2: 000000000000003e
  • For some systems modprobe process can show 100% CPU while stopping iptables service. The process will not get kill with command #kill -9 as well.
PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                                                          
38447 root      20   0  4160  604  536 R 100.0  0.0   1092:06 modprobe
  • How to resolve this ?

Environment

  • Red Hat Enterprise Linux 6.5
  • kernel-2.6.32-431.5.1.el6
  • iptables

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content