View Issue Details

ID: 0010308
Project: CentOS-7
Category: kernel
View Status: public
Last Update: 2018-03-25 16:10
Reporter: Marcus Sundberg
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: i686
OS: CentOS
OS Version: 7.2.1511
Product Version: 7.2.1511
Target Version:
Fixed in Version:
Summary: 0010308: Unable to load any netfilter table kernel modules
Description:
Using a freshly booted minimal install, iptables doesn't work at all,
due to none of the iptable_* or ip6table_* kernel modules loading.

This is due to the finit_module() syscall made by modprobe returning ENOMEM.
Steps To Reproduce:
# cd /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
# for m in *; do modprobe ${m%.ko}; done
modprobe: ERROR: could not insert 'arptable_filter': Cannot allocate memory
modprobe: ERROR: could not insert 'iptable_filter': Cannot allocate memory
modprobe: ERROR: could not insert 'iptable_mangle': Cannot allocate memory
modprobe: ERROR: could not insert 'iptable_nat': Cannot allocate memory
modprobe: ERROR: could not insert 'iptable_raw': Cannot allocate memory
modprobe: ERROR: could not insert 'iptable_security': Cannot allocate memory
# cd /lib/modules/$(uname -r)/kernel/net/ipv6/netfilter/
# for m in *; do modprobe ${m%.ko}; done
modprobe: ERROR: could not insert 'ip6table_filter': Cannot allocate memory
modprobe: ERROR: could not insert 'ip6table_mangle': Cannot allocate memory
modprobe: ERROR: could not insert 'ip6table_nat': Cannot allocate memory
modprobe: ERROR: could not insert 'ip6table_raw': Cannot allocate memory
modprobe: ERROR: could not insert 'ip6table_security': Cannot allocate memory
#
Additional Information:
Happens with both kernel-3.10.0-327.el7.i686 and kernel-3.10.0-327.4.5.el7.i686

Other netfilter related modules load fine, for example:
ip6_tables 17819 0
nf_conntrack_ipv6 18282 0
nf_defrag_ipv6 26163 1 nf_conntrack_ipv6
nf_conntrack_ipv4 14366 1
nf_defrag_ipv4 12649 1 nf_conntrack_ipv4
nf_nat_ipv4 13803 0
nf_nat 21038 1 nf_nat_ipv4
nf_conntrack 88214 4 nf_nat,nf_nat_ipv4,nf_conntrack_ipv4,nf_conntrack_ipv6
ip_tables 17987 0

And lots of memory free:
              total        used        free      shared  buff/cache   available
Mem:        1899012       52548     1624584        8524      221880     1800776
Swap:       2097148           0     2097148

iptables seem to work fine on kernel-PAE-4.2.0-1.centos.el7.i686 from the experimental repo though (iptable_filter is apparently compiled into the kernel, but all iptable_* and ip6table_* modules do load and everything works.)
Tags: No tags attached.

Activities

toracat

2016-02-04 18:35

manager   ~0025611

Do you see some hints in dmesg or /var/log/messages that seem related? How about vmalloc?
Marcus Sundberg

2016-02-05 09:05

reporter   ~0025627

dmesg and system log are completely silent during the failing modprobe.
vmalloc space seems to be available in plenty:

VmallocTotal: 122880 kB
VmallocUsed: 11240 kB
VmallocChunk: 111032 kB
Marcus Sundberg

2016-02-08 15:44

reporter   ~0025665

Started digging into this, and the problem is that (most of - some were
actually fixed) the 32-bit incompatibilities in the RHEL 7 kernel
were "solved" for altarch i386 by simply removing -Werror from the
compiler flags...

I'm currently working on providing patches to fix this properly,
so that an i686 kernel can be built with -Werror.
Marcus Sundberg

2016-02-08 21:50

reporter   ~0025671

Ok, got the kernel building for i686 with -Werror enabled now, and as
expected all iptables modules load fine.

Complete changes can be pulled from:
https://github.com/adamel/centos-kernel/commits/c7-i686

Most of the fixes are just warnings. The things that are actually
broken in the current i686 builds are AFAICS:
* iptables
* PTP support in the bnx2x and ixgbe network drivers, due to function
  prototypes changed to 64 bit by existing altarch i386 patches but
  function pointers assigned still being the old 32 bit ones.
* Missing parameter check in queue_store_unpriv_sgio(). Haven't
  investigated further if this can be used to cause anything bad.
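
The PTP item in the note above describes callbacks whose type no longer matches a widened prototype, a mismatch the compiler only warns about unless -Werror is set. The following C example is added here and is not code from the CentOS kernel or the linked patches: all struct, function and macro names are hypothetical, and it assumes the widened argument is a time structure, which the page does not specify. It shows the type check that catches the mismatch at build time and what a stale 32-bit callback would read.

```c
/* Added illustration; every name here is hypothetical, not CentOS kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ts32 { int32_t tv_sec; int32_t tv_nsec; };   /* old 32-bit layout */
struct ts64 { int64_t tv_sec; int64_t tv_nsec; };   /* widened layout    */

/* Ops table whose prototype was widened to the 64-bit structure. */
struct clock_ops {
    int (*settime)(const struct ts64 *ts);
};

/* Driver callback that was never updated and still expects 32-bit fields. */
int old_settime(const struct ts32 *ts) { return ts->tv_nsec < 1000000000; }
/* Callback updated to match the widened prototype. */
int new_settime(const struct ts64 *ts) { return ts->tv_nsec < 1000000000; }

/* 1 if fn's type matches the ops member it would be assigned to, else 0.
 * GCC/Clang builtin; usable in a _Static_assert to fail the build. */
#define MATCHES_SETTIME(fn) \
    __builtin_types_compatible_p(__typeof__(&(fn)), \
                                 __typeof__(((struct clock_ops *)0)->settime))

/* What a stale callback would observe: the first bytes of a ts64 read as a
 * ts32. memcpy keeps this well defined; calling through the mismatched
 * pointer itself would be undefined behaviour, so it is not done here. */
static struct ts32 view_as_ts32(const struct ts64 *in)
{
    struct ts32 out;
    memcpy(&out, in, sizeof(out));
    return out;
}

int main(void)
{
    struct ts64 t = { .tv_sec = 1, .tv_nsec = 500000000 };  /* constructed sample */
    struct ts32 seen = view_as_ts32(&t);

    printf("old callback matches ops type: %d\n", MATCHES_SETTIME(old_settime));
    printf("new callback matches ops type: %d\n", MATCHES_SETTIME(new_settime));
    printf("caller passed nsec=%lld, stale callback reads nsec=%d\n",
           (long long)t.tv_nsec, (int)seen.tv_nsec);
    return 0;
}
```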
JohnnyHughes

2016-02-11 16:45

administrator   ~0025699

added changes and built testing kernel:

http://buildlogs.centos.org/c7.1511.u/kernel/20160211154951/3.10.0-327.4.5.el7.1.i686/

http://buildlogs.centos.org/c7.1511.u/kernel/20160211155849/3.10.0-327.4.5.el7.1.noarch/

This seems to fix the above issues. Will release after some more testing.
Marcus Sundberg

2016-02-17 22:51

reporter   ~0025765

kernel-3.10.0-327.10.1.el7.i686.rpm as released to altarch updates
seems to work fine with iptables.
toracat

2016-02-18 16:42

manager   ~0025769

Centosplus kernel (kernel-plus-3.10.0-327.10.1.el7) also has the patches.

Issue History

Date Modified Username Field Change
2016-02-03 16:22 Marcus Sundberg New Issue
2016-02-04 18:35 toracat Note Added: 0025611
2016-02-05 09:05 Marcus Sundberg Note Added: 0025627
2016-02-08 15:44 Marcus Sundberg Note Added: 0025665
2016-02-08 21:50 Marcus Sundberg Note Added: 0025671
2016-02-09 08:46 toracat Status new => assigned
2016-02-11 16:45 JohnnyHughes Note Added: 0025699
2016-02-17 22:51 Marcus Sundberg Note Added: 0025765
2016-02-18 16:42 toracat Note Added: 0025769
2016-11-17 14:32 toracat Status assigned => resolved
2016-11-17 14:32 toracat Resolution open => fixed