Symptoms
When the cpanel_dovecot_solr service is restarted, additional rules are added to the cpanel-dovecot-solr nftables firewall chain.
# nft list chain inet filter cpanel-dovecot-solr
table inet filter {
chain cpanel-dovecot-solr {
ip protocol tcp tcp sport { 7984, 8984 } meta skuid 960 counter packets 0 bytes 0 accept
ip protocol tcp tcp sport { 7984, 8984 } meta skuid 0 counter packets 0 bytes 0 accept
ip protocol tcp tcp sport { 7984, 8984 } counter packets 0 bytes 0 reject with icmp port-unreachable
ip protocol tcp tcp sport { 7984, 8984 } meta skuid 960 counter packets 0 bytes 0 accept
ip protocol tcp tcp sport { 7984, 8984 } meta skuid 0 counter packets 0 bytes 0 accept
ip protocol tcp tcp sport { 7984, 8984 } counter packets 0 bytes 0 reject with icmp port-unreachable
}
}
Cause
Upon startup, the rules are re-added, which can inflate the chain and potentially cause processing delays.
We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-47867. Follow this article to receive an email notification when a solution is published in the product.
Resolution
If the chain becomes inflated, it can be reset with the following:
# nft flush chain inet filter cpanel-dovecot-solr
# /scripts/restartsrv_cpanel_dovecot_solr restart
Comments
0 comments
Article is closed for comments.