http://bugzilla.opensuse.org/show_bug.cgi?id=989176

Bug ID: 989176
Summary: Kernel 4.1.28 (from kernel:openSUSE-42.1 standard) iptables/iptables-batch hangs (SuSEfirewall2)
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Hardware: x86
OS: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers@forge.provo.novell.com
Reporter: AxelKoellhofer@web.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Now I know that my installation/system is certainly not standard, so if this cannot be reproduced on Leap 42.1, just ignore/close this report. However, if this problem is also present with openSUSE Leap 42.1 (or 13.2), at least there is some report for other users to add comments.

I am running 13.1 with kernel 4.1.X from Kernel:openSUSE-42.1/standard. After upgrading to the latest release (4.1.28-1.1) the system became very slow and "top" showed a process "iptables-batch" eating up most of the available CPU.

So I disabled SuSEfirewall2 and rebooted the machine to investigate a little further. As expected, the problem was gone and starting SuSEfirewall2 manually hung at

"SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ..."

with an iptables-batch process using 99% CPU.
As the changelog entries show a lot of changes to netfilter:

patches.fixes/netfilter-arp_tables-simplify-translate_compat_table.patch
patches.fixes/netfilter-ip6_tables-simplify-translate_compat_table.patch
patches.fixes/netfilter-ip_tables-simplify-translate_compat_table-.patch
patches.fixes/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch
patches.fixes/netfilter-x_tables-add-compat-version-of-xt_check_en.patch
patches.fixes/netfilter-x_tables-assert-minimum-target-size.patch
patches.fixes/netfilter-x_tables-check-for-bogus-target-offset.patch
patches.fixes/netfilter-x_tables-check-standard-target-size-too.patch
patches.fixes/netfilter-x_tables-do-compat-validation-via-translat.patch
patches.fixes/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch
patches.fixes/netfilter-x_tables-don-t-reject-valid-target-size-on.patch
patches.fixes/netfilter-x_tables-fix-unconditional-helper.patch
patches.fixes/netfilter-x_tables-kill-check_entry-helper.patch
patches.fixes/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch
patches.fixes/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch
patches.fixes/netfilter-x_tables-validate-e-target_offset-early.patch
patches.fixes/netfilter-x_tables-validate-targets-of-jumps.patch
patches.fixes/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch

I tried to disable all entries in /etc/sysconfig/SuSEfirewall, practically having a "no options set" file, but this did not change anything. Even just using an empty /etc/sysconfig/SuSEfirewall2 still hung SuSEfirewall2 start.

I am also running kernel 4.6.4 from Kernel:stable/standard without this problem and (as expected) previous kernel 4.1.27 from Kernel:openSUSE-42.1/standard is also not affected.

Now I know that it might be a problem with the older versions of iptables/SuSEfirewall2 from 13.1, but as said before, if other users of 4.1.28 on newer versions of openSUSE experience the same behaviour, they might find this report here.

AK

P.S.
I will try to install the same kernel on my other machine running 42.1 this evening and report back if the same problem exists also there.