From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Yoann Congal <yoann.congal@smile.fr>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrackd: Trouble using multiple Accept addresses in kernel filter
Date: Mon, 24 Jun 2024 20:18:35 +0200
Message-ID: <Znm4e0HWXFPomGqp@calendula>
In-Reply-To: <a0d8900a-4098-449a-8db9-adc49d8c63a6@smile.fr>
Hi,
There is a fix for this in git.netfilter.org/libnetfilter_conntrack at
git HEAD.
Could you check that this fixes the issue for you?
Thanks
On Mon, Jun 24, 2024 at 06:04:51PM +0200, Yoann Congal wrote:
> Hello,
>
> We are trying to synchronise conntrack tables across multiple machines using conntrackd.
>
> We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).
>
> I'm working on Debian stable packages:
> * conntrackd 1.4.7-1
> * libnetfilter-conntrack3 1.0.9-6
>
> Here is what I wrote in conntrackd.conf:
> Filter From Kernelspace {
>     ...
>     Address Accept {
>         IPv4_address 10.132.159.60
>         IPv4_address 10.132.159.62
>     }
>     ...
> }
>
> Except that does not work: after debugging, it appears that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches 10.132.159.60 AND 10.132.159.62", which won't happen.
>
> Switching this to Userspace filtering does work: CT are sent from the kernel to conntrackd and then synchronized across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
> Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.
>
> I've also tried to use one "Address Accept {}" block for each IPv4_address, but that does not work either.
>
> Some random elements I've gathered while debugging this:
> * All the examples I could find only used "Address Ignore {}" blocks, so I guess the "Address Accept" option is not heavily used?
> * The code adding the IP to the filter is here: https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
>     nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
> Interestingly, the error messages some lines higher only mention the "ignore pool".
>
> My questions:
> * Does anyone have pointers on how to set up this use case (kernel filtering + accept on multiple IPs)?
> * Is this a bug? (In that case, I'd push this to the bugzilla)
>
> Thanks in advance,
>
> Best regards,
> --
> Yoann Congal
> Smile ECS - Tech Expert
>
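The report above describes an Accept list of two IPv4_address entries behaving as a conjunction (a conntrack entry would have to match both addresses), while the expected behaviour is a disjunction (any listed address lets the entry through). The block below is an added example, not code from conntrackd or libnetfilter_conntrack: a small userspace model of the kernel-side address filter that makes the two readings explicit, so that the configuration can be reasoned about (and, after updating libnetfilter_conntrack as suggested in the reply, checked against what actually reaches conntrackd). All names (`addr_filter`, `filter_add`, `filter_passes`, `filter_passes_conjunctive`) are hypothetical; only the source address is examined, mirroring the `NFCT_FILTER_SRC_IPV4` call quoted in the report, and the prefix-length support is a generalisation beyond the single-host entries that `IPv4_address` produces.

```c
/* Added example (not conntrackd or libnetfilter_conntrack code): a userspace
 * model of the "Filter From Kernelspace" address filter, used to check which
 * conntrack entries an Accept or Ignore list should let through. All names
 * are hypothetical; only the source address is examined, mirroring the
 * NFCT_FILTER_SRC_IPV4 call quoted in the report. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

#define MAX_ADDR 8

/* Accept list (positive) or Ignore list (negative), in the spirit of
 * nfct_filter_set_logic(). */
enum filter_logic { LOGIC_POSITIVE, LOGIC_NEGATIVE };

/* One list entry in host byte order (address plus netmask). */
struct ipv4_entry { uint32_t addr; uint32_t mask; };

struct addr_filter {
    enum filter_logic logic;
    struct ipv4_entry entry[MAX_ADDR];
    int count;
};

/* Dotted quad -> host byte order; returns 0 on parse failure. */
uint32_t ipv4_host(const char *dotted)
{
    struct in_addr in;
    if (inet_pton(AF_INET, dotted, &in) != 1)
        return 0;
    return ntohl(in.s_addr);
}

/* Add "dotted/prefix" to the list. prefix 32 is a single host, which is what
 * an IPv4_address line amounts to; shorter prefixes are a generalisation. */
int filter_add(struct addr_filter *f, const char *dotted, int prefix)
{
    if (f->count >= MAX_ADDR || prefix < 0 || prefix > 32)
        return -1;
    f->entry[f->count].addr = ipv4_host(dotted);
    f->entry[f->count].mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    f->count++;
    return 0;
}

static int entry_matches(const struct ipv4_entry *e, uint32_t src)
{
    return (src & e->mask) == (e->addr & e->mask);
}

static int any_match(const struct addr_filter *f, uint32_t src)
{
    for (int i = 0; i < f->count; i++)
        if (entry_matches(&f->entry[i], src))
            return 1;
    return 0;
}

static int all_match(const struct addr_filter *f, uint32_t src)
{
    for (int i = 0; i < f->count; i++)
        if (!entry_matches(&f->entry[i], src))
            return 0;
    return f->count > 0;
}

/* Expected semantics: an Accept list passes an entry if ANY listed address
 * matches; an Ignore list passes it if NONE match.
 * Returns 1 = delivered to conntrackd, 0 = dropped by the kernel-side filter. */
int filter_passes(const struct addr_filter *f, uint32_t src)
{
    int hit = any_match(f, src);
    return f->logic == LOGIC_POSITIVE ? hit : !hit;
}

/* The conjunctive reading the reporter describes ("matches .60 AND .62"):
 * with two distinct /32 entries nothing can ever pass. */
int filter_passes_conjunctive(const struct addr_filter *f, uint32_t src)
{
    int hit = all_match(f, src);
    return f->logic == LOGIC_POSITIVE ? hit : !hit;
}

int main(void)
{
    /* Constructed probe addresses around the two hosts from the report. */
    const char *probe[] = { "10.132.159.60", "10.132.159.61", "10.132.159.62" };
    struct addr_filter accept_list = { .logic = LOGIC_POSITIVE };

    filter_add(&accept_list, "10.132.159.60", 32);
    filter_add(&accept_list, "10.132.159.62", 32);

    for (int i = 0; i < 3; i++) {
        uint32_t src = ipv4_host(probe[i]);
        printf("%-15s any-match: %s   all-match: %s\n", probe[i],
               filter_passes(&accept_list, src) ? "pass" : "drop",
               filter_passes_conjunctive(&accept_list, src) ? "pass" : "drop");
    }
    return 0;
}
```

Running the model shows why the Accept list in the report delivered nothing under the conjunctive reading: with two distinct /32 entries, no source address can match both, so `filter_passes_conjunctive` drops .60, .61 and .62 alike, whereas `filter_passes` lets .60 and .62 through and drops .61. The same model with `LOGIC_NEGATIVE` reproduces the Ignore-list behaviour that the existing examples rely on.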
Thread overview: 3+ messages
2024-06-24 16:04 conntrackd: Trouble using multiple Accept addresses in kernel filter Yoann Congal
2024-06-24 18:18 ` Pablo Neira Ayuso [this message]
2024-06-28 14:08 ` Yoann Congal