iptables - long pause during booting (modules.conf problem)

Ian Goldby · Last edited by Ian Goldby on Wed Dec 10, 2003 1:05 am; edited 1 time in total

During the boot process, my machine hangs for about 2-3 minutes after printing

Ian Goldby · Posted: Sun Dec 07, 2003 11:44 am Post subject:

asiobob · Posted: Mon Dec 08, 2003 1:51 am Post subject:

perhaps its because its 1.2.8?

I installed gentoo fresh and put on the 2.6 kernel test 11 and 1.2.8 doesn't compile but the masked 1.2.9 does....

Ian Goldby · Posted: Mon Dec 08, 2003 9:38 pm Post subject:

Wierd. Which patchset for the kernel are you using? I'm using linux-2.6.0-test11-gentoo, which I am aware does not yet contain the patch needed for iptables 1.2.9. This thread has more about this.

Do you think applying the patch and emerge-ing 1.2.9 would be worthwhile, or shall I wait for the mm-sources for test11?

asiobob · Posted: Mon Dec 08, 2003 11:08 pm Post subject:

wierd, I'm using 2.6.0test11 no patch set.
emerging 1.2.9 worked the non masked version did not.

I haven't actually tried starting it at boot yet or using it.

edit: the URL you gave me appears to related to a problem emerging 1.2.9 on the 2.4xx kernel.
Several people have emerged 1.2.8 on the stock 2.6.0test11 kernel.

I'm new to 2.6 as well, guess it has to mature more

Ian Goldby · Posted: Mon Dec 08, 2003 11:31 pm Post subject:

Ian Goldby · Posted: Tue Dec 09, 2003 7:26 pm Post subject:

Well, I got iptables v1.2.9 installed, but the problem persists.

What's particularly strange is that once the system is finally up, I can stop and restart iptables all I want, and it happens instantly. Unfortunately, that also means that the only way I can test if a change to the configuration makes any difference is to reboot.

Any other ideas?

Praxxus · Posted: Tue Dec 09, 2003 9:38 pm Post subject:

Could it be a name resolution error? If you're referring to a host in your iptables init script before name resolution is available (networking is down, dns ports blocked, etc.), it could cause the system to "hang" while the name resolution attempt times out.

If you are referring to things by name in the iptables script, either replace them with IP addresses or make sure they're listed in /etc/hosts.
_________________
My glaucoma just got worse!

Ian Goldby · Posted: Wed Dec 10, 2003 12:20 am Post subject:

I've got slightly further with this. It's not name resolution - I think it is a problem loading a module.

When I stopped iptables, then unloaded all of the associated kernel modules, and then tried to start iptables again, the cpu usage shot up to 100%. After about 3-4 minutes of that (during which the mouse and keyboard were completely unresponsive), the X display started to blank parts of various windows. About 10 minutes later, X died completely and I was returned to the KDM login screen.

I'm going to download the latest gentoo-dev-sources and rebuild my kernel and all modules with the linux symlink pointing to that rather than the 2.4 kernel to see if that makes any difference. I'll probably nuke everything in /lib/modules too.

Ian Goldby · Posted: Wed Dec 10, 2003 12:43 am Post subject:

Well, I haven't done the above yet, because I locked my machine up solid trying to do a rmmod ip_conntrack_ftp.

I removed autoloading of ip_conntrack_ftp (I had a line in /etc/modules.d/iptables that said "add above ip_conntrack ip_conntrack_ftp") and that cleared up the pause during booting. Unfortunately, it also means I cannot now use ftp through the firewall.

Ok, so I'll redefine the question:

When iptables starts up, it automatically loads most of the modules it needs. But it doesn't load ip_conntrack_ftp. I put a line in /etc/modules.d/iptables

Ian Goldby · Posted: Wed Dec 10, 2003 1:35 am Post subject:

My final post on this tonight:

Although