Debian Bug report logs - #511165
linux-image-2.6.26-1-openvz-amd64: Kernel panic with nf_conntrack and FTP


Package: linux-image-2.6.26-1-openvz-amd64; Maintainer for linux-image-2.6.26-1-openvz-amd64 is (unknown);

Reported by: Lars Hanke <[email protected]>

Date: Wed, 7 Jan 2009 22:21:04 UTC

Severity: important

Tags: patch

Found in version linux-2.6/2.6.26-12

Fixed in version linux-2.6/2.6.26-14

Done: dann frazier <[email protected]>

Bug is archived. No further changes may be made.



Message #10 received at [email protected]:

Message-ID: <[email protected]>
Date: Thu, 08 Jan 2009 00:54:02 +0100
From: Lars Hanke <[email protected]>
To: [email protected]
Subject: Does not show up with standard clients

I tried to further locate when the bug appears. As it turned out the 
command line ftp client does not cause the kernel panic, neither in 
passive nor in standard mode. I also ran the ftpsync Perl script without 
problems.

In order to allow the systems to access ftp, I added the following rule 
to the applicable chain:

iptables -A _chain_ -p tcp -o ppp0 -s _client-system_ --syn -m state --state NEW -j ACCEPT

(yes, there is a state established, related rule somewhere at the top of 
the stack.) However, even after having performed the ftpsync, using gFTP 
through frox panicked the firewall.

However, during further searching for the point of no return, I found 
that my proxy did not even have permission to open a connection to port 
21. After allowing this, I can browse ftp:// URLs through the same 
squid3 as used by frox without problems. The kernel panic using gFTP 
still persists.

If nf_nat_ftp and nf_conntrack_ftp are not loaded during browser access, 
the data connection is just dropped by the firewall. Nothing evil happens.

This is the frox configuration file. So far untested, but a very similar 
one ran for a couple of years on my Etch server.

/# grep -v '^#' /etc/frox.conf | grep -v '^ *$'
Listen proxy.mgr
Port 2121
ResolvLoadHack wontresolve.doesntexist.abc
User frox
Group frox
WorkingDir /srv/proxy/frox
LogLevel 25
LogFile /var/log/frox.log
PidFile /var/run/frox.pid
BounceDefend yes
CacheModule http
HTTPProxy 127.0.0.1:8080
MinCacheSize 5000
DoNTP yes
MaxForks 10
MaxForksPerHost 4
ACL Allow sleipnir - *

gFTP on sleipnir is configured to use:
Proxy: proxy.mgr:2121
Typ: user@host NOAUTH
USER %hu@%hh
PASS %hp

... and yes proxy.mgr resolves to the OpenVZ container homing the frox.



