From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Yoann Congal <yoann.congal@smile.fr>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrackd: Trouble using multiple Accept addresses in kernel filter
Date: Mon, 24 Jun 2024 20:18:35 +0200 [thread overview]
Message-ID: <Znm4e0HWXFPomGqp@calendula> (raw)
In-Reply-To: <a0d8900a-4098-449a-8db9-adc49d8c63a6@smile.fr>
Hi,
There is a fix for this in git.netfilter.org/libnetfilter_conntrack at
git HEAD.
Could you check that this fixes the issue for you?
Thanks
On Mon, Jun 24, 2024 at 06:04:51PM +0200, Yoann Congal wrote:
> Hello,
>
> We are trying to synchronise conntrack tables across multiple machines using conntrackd.
>
> We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).
>
> I'm working on Debian stable packages:
> * conntrackd 1.4.7-1
> * libnetfilter-conntrack3 1.0.9-6
>
> Here is what I wrote in conntrackd.conf:
> Filter From Kernelspace {
>     ...
>     Address Accept {
>         IPv4_address 10.132.159.60
>         IPv4_address 10.132.159.62
>     }
>     ...
> }
>
> Except that does not work: after debugging, it appears that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches 10.132.159.60 AND 10.132.159.62", which won't happen.
>
> Switching this to Userspace filtering does work: CT are sent from the kernel to conntrackd and then synchronised across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
> Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.
>
> I've also tried to use one "Address Accept {}" block for each IPv4_address, but that does not work either.
>
> Some random elements I've gathered while debugging this:
> * All the examples I could find only use "Address Ignore {}" blocks, so I guess the "Address Accept" option is not heavily used?
> * The code adding the IP to the filter is here: https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
>   nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
>   Interestingly, the error messages some lines higher only mention the "ignore pool".
>
> My questions:
> * Does anyone have pointers on how to set up this use case (kernel filtering + accept on multiple IPs)?
> * Is this a bug? (In that case, I'd push this to the bugzilla)
>
> Thanks in advance,
>
> Best regards,
> --
> Yoann Congal
> Smile ECS - Tech Expert
>
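As an added illustration (not code from this thread, from conntrack-tools or from libnetfilter_conntrack), a small Python model of the Filter From Kernelspace address pools: it parses the Address Accept/Ignore blocks of a conntrackd.conf fragment and evaluates sample flows under the intended any-match reading and under the every-address-must-match reading the report describes. The conf fragment and flow addresses are constructed, and the pool semantics assumed here (Ignore drops a flow when src or dst matches any entry; Accept keeps it when src or dst matches any entry) are my reading of the intended behaviour, not a statement about the library's BPF.

```python
import ipaddress
import re

# Constructed conntrackd.conf fragment modelled on the one in the report.
SAMPLE_CONF = """
Filter From Kernelspace {
    Protocol Accept { TCP UDP }
    Address Accept {
        IPv4_address 10.132.159.60
        IPv4_address 10.132.159.62
    }
    Address Ignore {
        IPv4_address 127.0.0.1
    }
}
"""

def parse_address_pools(conf):
    """Hypothetical helper: collect the networks listed in the Address
    Accept / Address Ignore blocks as {'Accept': [...], 'Ignore': [...]}."""
    pools = {"Accept": [], "Ignore": []}
    current = None
    for line in conf.splitlines():
        line = line.strip()
        block = re.match(r"Address\s+(Accept|Ignore)\s*{", line)
        if block:
            current = block.group(1)
        elif line == "}":
            current = None
        else:
            addr = re.match(r"IPv[46]_address\s+(\S+)", line)
            if addr and current:  # bare addresses become /32 or /128 networks
                pools[current].append(ipaddress.ip_network(addr.group(1)))
    return pools

def any_match(pool, src, dst):
    """Intended reading: src or dst inside at least one entry of the pool."""
    return any(src in n or dst in n for n in pool)

def all_match(pool, src, dst):
    """The AND reading from the report: every entry of the pool must match."""
    return bool(pool) and all(src in n or dst in n for n in pool)

def synchronised(pools, src, dst, and_semantics=False):
    """Would the kernel forward this flow to conntrackd under these pools?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any_match(pools["Ignore"], src, dst):
        return False
    if not pools["Accept"]:          # empty Accept pool: nothing is filtered out
        return True
    match = all_match if and_semantics else any_match
    return match(pools["Accept"], src, dst)
```

With the two-address Accept pool, only a flow between 10.132.159.60 and 10.132.159.62 themselves survives the AND reading, which is why conntrackd sees nothing in practice.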