From: Florian Westphal <fw@strlen.de>
To: Yafang Shao <laoar.shao@gmail.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org,
David Miller <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: Re: [BUG REPORT] netfilter: DNS/SNAT Issue in Kubernetes Environment
Date: Wed, 28 May 2025 14:14:19 +0200
Message-ID: <aDb-G3_W6Ep19Zjp@strlen.de>
In-Reply-To: <CALOAHbAeVhLAe3o3UL8UOJrCRbRP8mqYZy37CYNHYFa3zss6Zg@mail.gmail.com>
Yafang Shao <laoar.shao@gmail.com> wrote:
> > And I don't see how you can encounter a DNS reply before at least one
> > request has been committed to the table -- i.e., the conntrack being
> > confirmed here should not exist -- the packet should have been picked up
> > as a reply packet.
>
> We've been able to consistently reproduce this behavior. Would you
> have any recommended debugging approaches we could try?
Can you figure out why nf_ct_resolve_clash_harder() doesn't handle the
clash?
AFAIU reply tuple is identical while original isn't. It would be good
to confirm. If they were the same, I'd have expected
nf_ct_resolve_clash_harder() to merge the conntracks (nf_ct_can_merge()
branch in __nf_ct_resolve_clash).
Could you also dump/show the origin and reply tuples for the existing
entry and the clashing (new) entry?
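The tuple comparison asked for above, as an added example that is not part of this thread: it parses two entries in the `conntrack -L` line layout (for instance from `conntrack -L -p udp --dport 53`, or a debug print of the unconfirmed entry in the same layout) and reports which direction matches. The sample lines, addresses and ports are constructed, and the classification only compares the tuples; it does not reproduce the kernel's full nf_ct_can_merge() checks.

```python
import re

# Two entries in `conntrack -L` line layout, constructed for this example:
# EXISTING is the confirmed entry, CLASHING the unconfirmed one printed in
# the same layout from a debug hook. Addresses and ports are made up.
EXISTING = ("udp      17 29 src=10.244.1.5 dst=10.96.0.10 sport=53124 dport=53 "
            "src=10.244.0.3 dst=10.244.1.5 sport=53 dport=53124 mark=0 use=1")
CLASHING = ("udp      17 29 src=10.244.1.5 dst=10.244.0.3 sport=53124 dport=53 "
            "[UNREPLIED] src=10.244.0.3 dst=10.244.1.5 sport=53 dport=53124 "
            "mark=0 use=1")

# One 4-tuple as conntrack prints it; a line carries two: original, then reply.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Return (proto, original_tuple, reply_tuple) for one conntrack line."""
    proto = line.split()[0]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    return proto, tuples[0], tuples[1]

def classify_clash(existing_line, clashing_line):
    """Compare the two entries direction by direction.

    "reply-only-match" is the case the mail suspects (reply tuples equal,
    originals differ) and the candidate for the nf_ct_can_merge() branch;
    the kernel additionally checks zone, netns and NAT status bits, which
    this comparison does not model.
    """
    p1, o1, r1 = parse_entry(existing_line)
    p2, o2, r2 = parse_entry(clashing_line)
    if p1 != p2:
        return "no-match"
    same_orig, same_reply = o1 == o2, r1 == r2
    if same_orig and same_reply:
        return "identical"
    if same_reply:
        return "reply-only-match"
    if same_orig:
        return "orig-only-match"
    return "no-match"

if __name__ == "__main__":
    print(classify_clash(EXISTING, CLASHING))  # reply-only-match
```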