conntrackd: Trouble using multiple Accept addresses in kernel filter

conntrackd: Trouble using multiple Accept addresses in kernel filter

[Yoann Congal]

Hello,

We are trying synchronise conntrack tables across multiple machines using conntrackd.

We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).

I'm working on Debian stable packages : 
* conntrackd 1.4.7-1
* libnetfilter-conntrack3 1.0.9-6

Here is what I wrote in conntrackd.conf :
  Filter From Kernelspace {
    ...
    Address Accept {
      IPv4_address 10.132.159.60
      IPv4_address 10.132.159.62
    }
    ...
  }

Except that does not work : After debugging, it appear that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches  10.132.159.60 AND 10.132.159.62" which won't happen.

Switching this to Userspace filtering does work : CT are sent from the kernel to conntrackd and then synchronized across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.

I've also tried to use one "Address Accept{}" bloc for each IPv4_address but that does not work either.

Some random elements I've gathered while debugging this:
* All the example I could find only used "Address Ignore {}" blocks so I guess the "Address Accept" option is not heavily used?
* The code adding the IP to the filter is here : https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
  nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
  Interestingly, the error messages some lines higher only mention the "ignore pool"

My questions:
* Has anyone pointers on how to setup this usecase (kernel filtering + accept on multiple IPs) ?
* Is this a bug? (In that case, I'd push this to the bugzilla)

Thanks in advance,

Best regards,
-- 
Yoann Congal
Smile ECS - Tech Expert

Re: conntrackd: Trouble using multiple Accept addresses in kernel filter

[Pablo Neira Ayuso]

Hi,

There is a fix for this in git.netfilter.org/libnetfilter_conntrack at
git HEAD.

Could you check that this fixes the issue for you?

Thanks

On Mon, Jun 24, 2024 at 06:04:51PM +0200, Yoann Congal wrote:
> Hello,
> 
> We are trying synchronise conntrack tables across multiple machines using conntrackd.
> 
> We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).
> 
> I'm working on Debian stable packages : 
> * conntrackd 1.4.7-1
> * libnetfilter-conntrack3 1.0.9-6
> 
> Here is what I wrote in conntrackd.conf :
>   Filter From Kernelspace {
>     ...
>     Address Accept {
>       IPv4_address 10.132.159.60
>       IPv4_address 10.132.159.62
>     }
>     ...
>   }
> 
> Except that does not work : After debugging, it appear that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches  10.132.159.60 AND 10.132.159.62" which won't happen.
> 
> Switching this to Userspace filtering does work : CT are sent from the kernel to conntrackd and then synchronized across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
> Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.
> 
> I've also tried to use one "Address Accept{}" bloc for each IPv4_address but that does not work either.
> 
> Some random elements I've gathered while debugging this:
> * All the example I could find only used "Address Ignore {}" blocks so I guess the "Address Accept" option is not heavily used?
> * The code adding the IP to the filter is here : https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
>   nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
>   Interestingly, the error messages some lines higher only mention the "ignore pool"
> 
> My questions:
> * Has anyone pointers on how to setup this usecase (kernel filtering + accept on multiple IPs) ?
> * Is this a bug? (In that case, I'd push this to the bugzilla)
> 
> Thanks in advance,
> 
> Best regards,
> -- 
> Yoann Congal
> Smile ECS - Tech Expert
> 

Re: conntrackd: Trouble using multiple Accept addresses in kernel filter

[Yoann Congal]

Le 24/06/2024 à 20:18, Pablo Neira Ayuso a écrit :
> Hi,

Hello,

Thank you for your answer!
 
> There is a fix for this in git.netfilter.org/libnetfilter_conntrack at
> git HEAD.
> 
> Could you check that this fixes the issue for you?

Sorry, but no. I've tried master commit for both:
* conntrack-tools: 5b61acb (conntrackd: helpers/rpc: Don't add expectation table entry for portmap port, 2024-04-25)
* libnetfilter_conntrack: e0d9ff6 (conntrack: bsf: Do not return -1 on failure, 2024-04-26)

This filter config fragment allows CT to be synchronized using Userspace filtering but not Kernelspace filtering:
  Address Accept {
    IPv4_address 10.132.159.62
    IPv4_address 10.132.159.60
  }

What commit from libnetfilter_conntrack do you have in mind? (Maybe I can see if it's in my code path?)

Regards,

> 
> Thanks
> 
> On Mon, Jun 24, 2024 at 06:04:51PM +0200, Yoann Congal wrote:
>> Hello,
>>
>> We are trying synchronise conntrack tables across multiple machines using conntrackd.
>>
>> We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).
>>
>> I'm working on Debian stable packages : 
>> * conntrackd 1.4.7-1
>> * libnetfilter-conntrack3 1.0.9-6
>>
>> Here is what I wrote in conntrackd.conf :
>>   Filter From Kernelspace {
>>     ...
>>     Address Accept {
>>       IPv4_address 10.132.159.60
>>       IPv4_address 10.132.159.62
>>     }
>>     ...
>>   }
>>
>> Except that does not work : After debugging, it appear that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches  10.132.159.60 AND 10.132.159.62" which won't happen.
>>
>> Switching this to Userspace filtering does work : CT are sent from the kernel to conntrackd and then synchronized across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
>> Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.
>>
>> I've also tried to use one "Address Accept{}" bloc for each IPv4_address but that does not work either.
>>
>> Some random elements I've gathered while debugging this:
>> * All the example I could find only used "Address Ignore {}" blocks so I guess the "Address Accept" option is not heavily used?
>> * The code adding the IP to the filter is here : https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
>>   nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
>>   Interestingly, the error messages some lines higher only mention the "ignore pool"
>>
>> My questions:
>> * Has anyone pointers on how to setup this usecase (kernel filtering + accept on multiple IPs) ?
>> * Is this a bug? (In that case, I'd push this to the bugzilla)
-- 
Yoann Congal
Smile ECS - Tech Expert