Linux ip6_tables xt_percpu_counter_free (err 0)

Question

Today I wanted install a new server instance with ansible and our existent playbooks. The base system is a Debian 9.4.

The firewall role failed, but I do not think that it is an ansible or role problem.

Perhaps there is just a small thing missing.

Introducing myself:

$ uname -a
Linux ... 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux

First I checked the status of the firewall:

$ systemctl status firewall
● firewall.service - Firewall
   Loaded: loaded (/etc/systemd/system/firewall.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2018-05-16 15:59:55 CEST; 42min ago
  Process: 3758 ExecStart=/etc/firewall.bash (code=exited, status=3)
 Main PID: 3758 (code=exited, status=3)
      CPU: 43ms

May 16 15:59:55 ... firewall.bash[3758]: modprobe: ERROR: could not insert 'ip6_tables': Unknown symbol in module, or unknown 
May 16 15:59:55 ... firewall.bash[3758]: ip6tables v1.6.0: can't initialize ip6tables table `filter': Table does not exist (do
May 16 15:59:55 ... firewall.bash[3758]: Perhaps ip6tables or your kernel needs to be upgraded.
May 16 15:59:55 ... firewall.bash[3758]: modprobe: ERROR: could not insert 'ip6_tables': Unknown symbol in module, or unknown 
May 16 15:59:55 ... firewall.bash[3758]: ip6tables v1.6.0: can't initialize ip6tables table `filter': Table does not exist (do
May 16 15:59:55 ... firewall.bash[3758]: Perhaps ip6tables or your kernel needs to be upgraded.
May 16 15:59:55 ... systemd[1]: firewall.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
May 16 15:59:55 ... systemd[1]: Failed to start Firewall.
May 16 15:59:55 ... systemd[1]: firewall.service: Unit entered failed state.
May 16 15:59:55 ... systemd[1]: firewall.service: Failed with result 'exit-code'.

After that, I looked up the loaded kernel modules:

$ lsmod | grep filter
br_netfilter           24576  0
bridge                135168  1 br_netfilter
iptable_filter         16384  1
ip_tables              24576  3 iptable_mangle,iptable_filter,iptable_nat
x_tables               36864  10 xt_comment,xt_LOG,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,ipt_MASQUERADE,xt_limit,xt_addrtype,xt_conntrack

So, no ip6_tables module, as it is loaded on our other servers. Next I tried to load the module:

$ modprobe ip6_tables (or modprobe ip6table_filter)
modprobe: ERROR: could not insert 'ip6_tables': Unknown symbol in module, or unknown parameter (see dmesg)

And now the relevant dmesg output:

$ dmesg
...
[ 9606.265051] ip6_tables: Unknown symbol xt_percpu_counter_free (err 0)
[ 9606.265850] ip6_tables: Unknown symbol xt_percpu_counter_alloc (err 0)
...

Under /lib/modules/$(uname -r)/ I found both IPv6 modules.

./kernel/net/ipv6/netfilter/ip6_tables.ko
./kernel/net/ipv6/netfilter/ip6table_filter.ko

If you search for it (ip6_tables: Unknown symbol xt_percpu_counter_free (err 0)), you will not find much. A pastebin (https://pastebin.com/mu9HX2xq) with the output of the dmesg but no further information.

Any ideas?

Answer 1

So I went to: https://packages.debian.org/linux-image-4.9.0-6-amd64

I downloaded the latest file from this page:

https://packages.debian.org/stretch/linux-image-4.9.0-6-amd64

called:

linux-image-4.9.0-6-amd64_4.9.88-1+deb9u1_amd64.deb

And installed it:

dpkg -i linux-image-4.9.0-6-amd64_4.9.88-1+deb9u1_amd64.deb

Rebooted and it worked, the problem went away.

So I guess in a slightly newer version it was fixed.