Symptoms
When the cpanel_dovecot_solr service is restarted, additional rules are added to the cpanel-dovecot-solr nftables firewall chain.
# nft list chain inet filter cpanel-dovecot-solr
table inet filter {
	chain cpanel-dovecot-solr {
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 960 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 0 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } counter packets 0 bytes 0 reject with icmp port-unreachable
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 960 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 0 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } counter packets 0 bytes 0 reject with icmp port-unreachable
	}
}
Description
Upon startup, the service re-adds its rules to the chain. This can cause the chain to inflate, potentially causing processing delays.
We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-47867. Follow this article to receive an email notification when a solution is published in the product.
Workaround
If the chain becomes inflated, it can be reset with the following:
nft flush chain inet filter cpanel-dovecot-solr
/scripts/restartsrv_cpanel_dovecot_solr restart
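To check whether the chain has become inflated before resetting it, the following added example (not part of the original article or of cPanel's tooling) counts rules that appear more than once in an `nft list chain` listing. The function names are hypothetical, and the sample listing is constructed from the output shown under Symptoms.

```shell
#!/bin/sh
# Count surplus (duplicate) rules in an nftables chain listing read on stdin.
# Counter values are normalised first, so identical rules whose packet/byte
# counts differ still compare equal.
count_duplicate_rules() {
    awk '
        {
            gsub(/counter packets [0-9]+ bytes [0-9]+/, "counter")
            sub(/^[ \t]+/, "")
            sub(/[ \t]+$/, "")
        }
        # Skip blanks and structural lines: "table ... {", "chain ... {", "}"
        $0 == "" || $0 == "}" || /[{]$/ { next }
        # Every occurrence of a rule after its first is a duplicate
        { if (seen[$0]++) dup++ }
        END { print dup + 0 }
    '
}

# Constructed sample: the listing from the Symptoms section of this article.
sample_listing() {
    cat <<'EOF'
table inet filter {
	chain cpanel-dovecot-solr {
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 960 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 0 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } counter packets 0 bytes 0 reject with icmp port-unreachable
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 960 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } meta skuid 0 counter packets 0 bytes 0 accept
		ip protocol tcp tcp sport { 7984, 8984 } counter packets 0 bytes 0 reject with icmp port-unreachable
	}
}
EOF
}

# On a live server (as root), feed the real chain to the same check.
# Defined here but not called, so the example runs without nft installed.
check_live_chain() {
    nft list chain inet filter cpanel-dovecot-solr | count_duplicate_rules
}

echo "duplicate rules in sample listing: $(sample_listing | count_duplicate_rules)"
```

A result of 0 means every rule in the chain is unique; any higher number is the count of redundant rules the flush above would clear.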