Subject: Re: [PATCH nf] netfilter: restore default behavior for nf_conntrack_events
From: Nicolas Dichtel
Reply-To: nicolas.dichtel@6wind.com
To: Florian Westphal
Cc: Pablo Neira Ayuso, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, stable@vger.kernel.org
Date: Wed, 5 Jun 2024 11:09:31 +0200
References: <20240604135438.2613064-1-nicolas.dichtel@6wind.com>
Organization: 6WIND
X-Mailing-List: netdev@vger.kernel.org

On 05/06/2024 at 10:55, Florian Westphal wrote:
> Nicolas Dichtel wrote:
>> Since the below commit, there are regressions for legacy setups:
>> 1/ conntracks are created while there is no listener
>> 2/ a listener starts and dumps all conntracks to get the current state
>> 3/ conntracks deleted before the listener has started are not advertised
>>
>> This is problematic in containers, where conntracks could be created early.
>> This sysctl is part of the unsafe sysctls and could not be changed easily in
>> some environments.
>>
>> Let's switch back to the legacy behavior.
>
> :-(
>
> Would it be possible to resolve this for containers by setting
> the container default to 1 if init_net had it changed to 1 at netns
> creation time?

When we have access to the host, it is possible to allow the configuration of
this (unsafe) sysctl for the pod. But there are cases where we don't have
access to the host.
https://docs.openshift.com/container-platform/4.9/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using

Regards,
Nicolas
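For reference, this is what "allowing the configuration of this (unsafe) sysctl for the pod" looks like on a Kubernetes node. It is an added illustration, not part of the patch or of the thread above: net.netfilter.* sysctls are namespaced but are not on the kubelet's safe list, so the node operator must first whitelist the name in the kubelet configuration (the first document, which requires host access), and only then can a pod request it in its securityContext (the second document). The pod name, container name, image and the kubelet config path are placeholders chosen for the example.

```yaml
# Node side (requires access to the host): whitelist the namespaced-but-unsafe
# sysctl in the kubelet configuration, e.g. /var/lib/kubelet/config.yaml
# (path is an assumption; distributions differ).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
  - "net.netfilter.nf_conntrack_events"
---
# Pod side: request the sysctl for the pod's network namespace. Without the
# kubelet whitelist above the API server rejects this pod as forbidden.
apiVersion: v1
kind: Pod
metadata:
  name: conntrack-listener        # placeholder name
spec:
  securityContext:
    sysctls:
      - name: net.netfilter.nf_conntrack_events
        value: "1"                # enable conntrack events in this netns
  containers:
    - name: listener              # placeholder name
      image: example.invalid/conntrack-listener:latest   # placeholder image
      # Inside the container the effective value can be checked with:
      #   cat /proc/sys/net/netfilter/nf_conntrack_events
```

The point of the exchange above is the first document: when the cluster is managed by someone else and the kubelet whitelist cannot be changed, the pod document alone is rejected, and conntracks created before the listener starts are never reported if the kernel default is 0.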