[pkg-netfilter-team] Bug#888695: nftables: Enabled systemd service blocks boot sequence

Paolo Rosquin pasrospa at gmail.com
Sun Jan 28 19:12:41 UTC 2018


Package: nftables
Version: 0.8.1-1
Severity: important
Tags: upstream

Dear Maintainer,

When nftables is enabled at boot time, it will fail to load and stop the whole
booting process with "A start job is running for...". If I am not mistaken, it
started when I updated to kernel 4.14.

A workaround is to comment out the following lines from
/lib/systemd/system/nftables.service:

#Wants=network-pre.target
#Before=network-pre.target shutdown.target
#Conflicts=shutdown.target
#DefaultDependencies=no

Here is an extract of the relevant part of the syslog:

Jan 28 15:27:48 kernel: [  242.652106] INFO: task (t-daemon):932 blocked for
more than 120 seconds.
Jan 28 15:27:48 kernel: [  242.652175]       Not tainted 4.14.0-3-amd64 #1
Debian 4.14.13-1
Jan 28 15:27:48 kernel: [  242.652229] "echo 0 >
/proc/sys/kernel/hung_task_timeout_secs" disables this message.
Jan 28 15:27:48 kernel: [  242.652299] (t-daemon)      D    0   932      1
0x00000004
Jan 28 15:27:48 kernel: [  242.652353] Call Trace:
Jan 28 15:27:48 kernel: [  242.652391]  ? __schedule+0x28e/0x880
Jan 28 15:27:48 kernel: [  242.652432]  schedule+0x28/0x80
Jan 28 15:27:48 kernel: [  242.652468]  schedule_preempt_disabled+0xa/0x10
Jan 28 15:27:48 kernel: [  242.652512]  __mutex_lock.isra.1+0x1a0/0x4e0
Jan 28 15:27:48 kernel: [  242.652562]  ? nft_register_afinfo+0x2e/0x70
[nf_tables]
Jan 28 15:27:48 kernel: [  242.652616]  nft_register_afinfo+0x2e/0x70
[nf_tables]
Jan 28 15:27:48 kernel: [  242.652670]  nf_tables_ipv4_init_net+0xe9/0x110
[nf_tables_ipv4]
Jan 28 15:27:48 kernel: [  242.652740]  ops_init+0x3d/0x120
Jan 28 15:27:48 kernel: [  242.652776]  ? kmem_cache_alloc+0x1c9/0x590
Jan 28 15:27:48 kernel: [  242.652818]  setup_net+0x96/0x160
Jan 28 15:27:48 kernel: [  242.652854]  copy_net_ns+0xc9/0x220
Jan 28 15:27:48 kernel: [  242.652891]  create_new_namespaces+0x11c/0x1b0
Jan 28 15:27:48 kernel: [  242.652937]  unshare_nsproxy_namespaces+0x59/0xb0
Jan 28 15:27:48 kernel: [  242.652983]  SyS_unshare+0x216/0x3d0
Jan 28 15:27:48 kernel: [  242.653023]  system_call_fast_compare_end+0xc/0x6f
Jan 28 15:27:48 kernel: [  242.653069] RIP: 0033:0x7f4c3dfeded7
Jan 28 15:27:48 kernel: [  242.653105] RSP: 002b:00007ffe485f1388 EFLAGS:
00000246
Jan 28 15:27:48 kernel: [  242.653115] INFO: task modprobe:991 blocked for more
than 120 seconds.
Jan 28 15:27:48 kernel: [  242.653221]       Not tainted 4.14.0-3-amd64 #1
Debian 4.14.13-1
Jan 28 15:27:48 kernel: [  242.653274] "echo 0 >
/proc/sys/kernel/hung_task_timeout_secs" disables this message.
Jan 28 15:27:48 kernel: [  242.653343] modprobe        D    0   991    223
0x80000000
Jan 28 15:27:48 kernel: [  242.653396] Call Trace:
Jan 28 15:27:48 kernel: [  242.653426]  ? __schedule+0x28e/0x880
Jan 28 15:27:48 kernel: [  242.653465]  schedule+0x28/0x80
Jan 28 15:27:48 kernel: [  242.653505]  schedule_preempt_disabled+0xa/0x10
Jan 28 15:27:48 kernel: [  242.653549]  __mutex_lock.isra.1+0x1a0/0x4e0
Jan 28 15:27:48 kernel: [  242.653592]  ? __kmem_cache_alias+0x1a/0x30
Jan 28 15:27:48 kernel: [  242.653635]  ? 0xffffffffc09c1000
Jan 28 15:27:48 kernel: [  242.653671]  ? register_pernet_subsys+0x15/0x40
Jan 28 15:27:48 kernel: [  242.653716]  register_pernet_subsys+0x15/0x40
Jan 28 15:27:48 kernel: [  242.653762]  nf_ct_frag6_init+0x76/0xa0
[nf_defrag_ipv6]
Jan 28 15:27:48 kernel: [  242.653815]  nf_defrag_init+0x6/0x1000
[nf_defrag_ipv6]
Jan 28 15:27:48 kernel: [  242.653868]  do_one_initcall+0x4b/0x190
Jan 28 15:27:48 kernel: [  242.656152]  ? __vunmap+0x6d/0xb0
Jan 28 15:27:48 kernel: [  242.657490]  do_init_module+0x5b/0x1f1
Jan 28 15:27:48 kernel: [  242.658018]  load_module+0x2542/0x2c00
Jan 28 15:27:48 kernel: [  242.658543]  ? SYSC_finit_module+0xe9/0x110
Jan 28 15:27:48 kernel: [  242.659068]  SYSC_finit_module+0xe9/0x110
Jan 28 15:27:48 kernel: [  242.659589]  system_call_fast_compare_end+0xc/0x6f
Jan 28 15:27:48 kernel: [  242.660114] RIP: 0033:0x7f4c1ec65e19


BR



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg          1.19.0.5
ii  libc6         2.26-4
ii  libgmp10      2:6.1.2+dfsg-1.2
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.9-2
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed [not included]

-- no debconf information
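
A small triage script for hung-task reports like the ones quoted above, added here as an example and not part of the original bug report: it rejoins lines the mail wrapped, skips the unverified `?` frames, and shows which function each blocked task called `__mutex_lock` from. The names `parse_hung_tasks` and `lock_waiters` are made up for this example.

```python
import re

# Abridged from the report's syslog excerpt; the mail's line wraps are kept.
SAMPLE = """\
Jan 28 15:27:48 kernel: [  242.652106] INFO: task (t-daemon):932 blocked for
more than 120 seconds.
Jan 28 15:27:48 kernel: [  242.652391]  ? __schedule+0x28e/0x880
Jan 28 15:27:48 kernel: [  242.652512]  __mutex_lock.isra.1+0x1a0/0x4e0
Jan 28 15:27:48 kernel: [  242.652616]  nft_register_afinfo+0x2e/0x70
[nf_tables]
Jan 28 15:27:48 kernel: [  242.653115] INFO: task modprobe:991 blocked for more
than 120 seconds.
Jan 28 15:27:48 kernel: [  242.653549]  __mutex_lock.isra.1+0x1a0/0x4e0
Jan 28 15:27:48 kernel: [  242.653716]  register_pernet_subsys+0x15/0x40
Jan 28 15:27:48 kernel: [  242.653762]  nf_ct_frag6_init+0x76/0xa0
[nf_defrag_ipv6]
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ (?:\S+ )?kernel: \[ *[\d.]+\] ?(.*)$")
HUNG = re.compile(r"INFO: task (.+):(\d+) blocked for more than \d+ seconds")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def parse_hung_tasks(text):
    """Return one dict per hung-task report, with its reliable stack frames."""
    msgs = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            msgs.append(m.group(1).strip())
        elif msgs and line.strip():
            msgs[-1] += " " + line.strip()  # rejoin a wrapped line
    reports = []
    for msg in msgs:
        h, f = HUNG.search(msg), FRAME.match(msg)
        if h:
            reports.append({"task": h.group(1), "pid": int(h.group(2)), "frames": []})
        elif f and reports and not f.group(1):  # '?' marks an unverified frame
            reports[-1]["frames"].append((f.group(2), f.group(3)))
    return reports

def lock_waiters(reports):
    """Map 'task:pid' -> (function, module) that called __mutex_lock."""
    out = {}
    for r in reports:
        names = [fn for fn, _ in r["frames"]]
        i = next((k for k, n in enumerate(names) if n.startswith("__mutex_lock")), None)
        if i is not None and i + 1 < len(names):
            out[f'{r["task"]}:{r["pid"]}'] = r["frames"][i + 1]
    return out
```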


