* conntrackd user-space helpers for multicast/broadcast
@ 2025-11-08 6:32 Joel Low
2025-11-09 18:20 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Joel Low @ 2025-11-08 6:32 UTC
To: netfilter@vger.kernel.org
Hello there!
I've been trying to configure a conntrackd user-space helper for multicast/broadcast SNMP (using the slp helper, relying on the same principle) and SSDP (using the ssdp helper). I was briefly able to get it working last year, but after the changes made by 7d8dc1c [1] it seems like the associated multicast packets are not being reliably queued to conntrackd. I do occasionally see a packet or two making it through (both conntrackd and to its final destination) but I cannot reliably pin it down nor explain why. I am aware that I am forcing an unrouteable SNMP packet to be routed (they are sent to 255.255.255.255 -- but I have placed my compute devices in a separate subnet/vlan from my IOT devices, 1024/1026) -- but should this work?
What I have done to debug this so far while running a kernel containing [1] is to trace the route of a packet through this set of chains (I'm trying to keep it minimal; my apologies if this doesn't reproduce cleanly - I'm running this on OpenWrt).
```
table inet fw4 {
	ct helper ssdp {
		type "ssdp" protocol udp
		l3proto inet
	}

	ct helper broadcast {
		type "slp" protocol udp
		l3proto ip
	}

	chain helper_svc {
		type filter hook prerouting priority filter; policy accept;
		ip daddr 239.255.255.249 udp dport 161 counter ct helper set "broadcast"
		ip daddr 239.255.255.250 udp dport 1900 counter ct helper set "ssdp"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
		ip daddr 255.255.255.255 udp dport != { 67, 68, 547 } iifname "br-lan.1024" ip ttl set 2 ip daddr set 239.255.255.249 counter meta nftrace set 1
		ip daddr 239.255.255.250 iifname "br-lan.1024" ip ttl set 2 counter meta nftrace set 1
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		ip daddr 239.255.255.249 oifname "br-lan.1027" ip daddr set 255.255.255.255 counter
		ip daddr 239.255.255.249 oifname "br-lan.1026" ip daddr set 192.168.20.255 counter
	}
}
```
(I've tried with both overriding the ether daddr and not, it does not seem to make a difference.)
With that set of chains, I've run `nft monitor` while observing the output of conntrackd that I've hacked to print messages when it receives a packet on an nfqueue.
This is a packet that doesn't get sent to conntrackd:
```
trace id f347290f inet fw4 raw_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 raw_prerouting rule ip daddr 239.255.255.250 iifname "br-lan.1024" ip ttl set 2 counter packets 703 bytes 250905 meta nftrace set 1 (verdict continue)
trace id f347290f inet fw4 raw_prerouting verdict continue
trace id f347290f inet fw4 raw_prerouting policy accept
trace id f347290f inet fw4 mangle_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 mangle_prerouting verdict continue
trace id f347290f inet fw4 mangle_prerouting policy accept
trace id f347290f inet fw4 dstnat packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 dstnat verdict continue
trace id f347290f inet fw4 dstnat policy accept
trace id f347290f inet fw4 prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 prerouting rule iifname "br-lan.1024" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id f347290f inet fw4 helper_lan verdict continue
trace id f347290f inet fw4 prerouting verdict continue
trace id f347290f inet fw4 prerouting policy accept
trace id f347290f inet fw4 helper_svc packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 counter packets 837 bytes 337357 ct helper set "ssdp" comment "!svc: DLNA" (verdict continue)
trace id f347290f inet fw4 helper_svc verdict continue
trace id f347290f inet fw4 helper_svc policy accept
trace id 557a86d6 inet fw4 mangle_forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id 557a86d6 inet fw4 mangle_forward verdict continue
trace id 557a86d6 inet fw4 mangle_forward policy accept
trace id 557a86d6 inet fw4 forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id 557a86d6 inet fw4 forward rule iifname "br-lan.1024" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
trace id 557a86d6 inet fw4 forward_lan rule counter packets 891 bytes 279481 jump accept_to_lan comment "!fw4: Intra-LAN interface traffic" (verdict jump accept_to_lan)
trace id 557a86d6 inet fw4 accept_to_lan verdict continue
trace id 557a86d6 inet fw4 forward_lan rule ip daddr 239.255.255.250 udp dport 1900 counter packets 703 bytes 250905 jump accept_to_iot (verdict jump accept_to_iot)
trace id 557a86d6 inet fw4 accept_to_iot rule oifname "br-lan.1026" counter packets 1630 bytes 376326 accept comment "!fw4: accept iot IPv4/IPv6 traffic" (verdict accept)
trace id a2926568 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id a2926568 inet fw4 mangle_postrouting verdict continue
trace id a2926568 inet fw4 mangle_postrouting policy accept
trace id a2926568 inet fw4 srcnat packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id a2926568 inet fw4 srcnat rule oifname "br-lan.1026" jump srcnat_iot comment "!fw4: Handle iot IPv4/IPv6 srcnat traffic" (verdict jump srcnat_iot)
trace id a2926568 inet fw4 srcnat_iot verdict continue
trace id a2926568 inet fw4 srcnat verdict continue
trace id a2926568 inet fw4 srcnat policy accept
trace id 557a86d6 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id 557a86d6 inet fw4 mangle_postrouting verdict continue
trace id 557a86d6 inet fw4 mangle_postrouting policy accept
trace id f347290f inet fw4 mangle_input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 mangle_input verdict continue
trace id f347290f inet fw4 mangle_input policy accept
trace id f347290f inet fw4 input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
trace id f347290f inet fw4 input rule iifname "br-lan.1024" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" (verdict jump input_lan)
trace id f347290f inet fw4 input_lan rule jump reject_from_lan (verdict jump reject_from_lan)
trace id f347290f inet fw4 reject_from_lan rule iifname "br-lan.1024" counter packets 898 bytes 280311 jump handle_reject comment "!fw4: reject lan IPv4/IPv6 traffic" (verdict jump handle_reject)
trace id f347290f inet fw4 handle_reject rule reject comment "!fw4: Reject any other traffic" (verdict drop)
```
This is a packet that does get picked up by conntrackd and gets routed:
```
trace id 030d8487 inet fw4 raw_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id 030d8487 inet fw4 raw_prerouting rule ip daddr 239.255.255.250 iifname "br-lan.1024" ip ttl set 2 counter packets 403 bytes 144885 meta nftrace set 1 (verdict continue)
trace id 030d8487 inet fw4 raw_prerouting verdict continue
trace id 030d8487 inet fw4 raw_prerouting policy accept
trace id 030d8487 inet fw4 mangle_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id 030d8487 inet fw4 mangle_prerouting verdict continue
trace id 030d8487 inet fw4 mangle_prerouting policy accept
trace id 030d8487 inet fw4 prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id 030d8487 inet fw4 prerouting rule iifname "br-lan.1024" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id 030d8487 inet fw4 helper_lan verdict continue
trace id 030d8487 inet fw4 prerouting verdict continue
trace id 030d8487 inet fw4 prerouting policy accept
trace id 030d8487 inet fw4 helper_svc packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id 030d8487 inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 counter packets 471 bytes 190003 ct helper set "ssdp" comment "!svc: DLNA" (verdict continue)
trace id 030d8487 inet fw4 helper_svc verdict continue
trace id 030d8487 inet fw4 helper_svc policy accept
trace id af150fc3 inet fw4 mangle_forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id af150fc3 inet fw4 mangle_forward verdict continue
trace id af150fc3 inet fw4 mangle_forward policy accept
trace id af150fc3 inet fw4 forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id af150fc3 inet fw4 forward rule iifname "br-lan.1024" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
trace id af150fc3 inet fw4 forward_lan rule counter packets 513 bytes 161605 jump accept_to_lan comment "!fw4: Intra-LAN interface traffic" (verdict jump accept_to_lan)
trace id af150fc3 inet fw4 accept_to_lan verdict continue
trace id af150fc3 inet fw4 forward_lan rule ip daddr 239.255.255.250 udp dport 1900 counter packets 403 bytes 144885 jump accept_to_iot (verdict jump accept_to_iot)
trace id af150fc3 inet fw4 accept_to_iot rule oifname "br-lan.1026" counter packets 909 bytes 208517 accept comment "!fw4: accept iot IPv4/IPv6 traffic" (verdict accept)
trace id dfde2134 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id dfde2134 inet fw4 mangle_postrouting verdict continue
trace id dfde2134 inet fw4 mangle_postrouting policy accept
trace id af150fc3 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id af150fc3 inet fw4 mangle_postrouting verdict continue
trace id af150fc3 inet fw4 mangle_postrouting policy accept
trace id 030d8487 inet fw4 mangle_input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id 030d8487 inet fw4 mangle_input verdict continue
trace id 030d8487 inet fw4 mangle_input policy accept
trace id 030d8487 inet fw4 input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id 030d8487 inet fw4 input rule iifname "br-lan.1024" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" (verdict jump input_lan)
trace id 030d8487 inet fw4 input_lan rule jump reject_from_lan (verdict jump reject_from_lan)
trace id 030d8487 inet fw4 reject_from_lan rule iifname "br-lan.1024" counter packets 515 bytes 162031 jump handle_reject comment "!fw4: reject lan IPv4/IPv6 traffic" (verdict jump handle_reject)
trace id 030d8487 inet fw4 handle_reject rule reject comment "!fw4: Reject any other traffic" (verdict drop)
trace id c46a944a inet fw4 raw_prerouting packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id c46a944a inet fw4 raw_prerouting verdict continue
trace id c46a944a inet fw4 raw_prerouting policy accept
trace id c46a944a inet fw4 mangle_prerouting packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id c46a944a inet fw4 mangle_prerouting verdict continue
trace id c46a944a inet fw4 mangle_prerouting policy accept
trace id c46a944a inet fw4 prerouting packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id c46a944a inet fw4 prerouting rule iifname "br-lan.1026" jump helper_iot comment "!fw4: Handle iot IPv4/IPv6 helper assignment" (verdict jump helper_iot)
trace id c46a944a inet fw4 helper_iot verdict continue
trace id c46a944a inet fw4 prerouting verdict continue
trace id c46a944a inet fw4 prerouting policy accept
trace id c46a944a inet fw4 helper_svc packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id c46a944a inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 counter packets 471 bytes 190003 ct helper set "ssdp" comment "!svc: DLNA" (verdict continue)
trace id c46a944a inet fw4 helper_svc verdict continue
trace id c46a944a inet fw4 helper_svc policy accept
trace id c46a944a inet fw4 mangle_input packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id c46a944a inet fw4 mangle_input verdict continue
trace id c46a944a inet fw4 mangle_input policy accept
trace id c46a944a inet fw4 input packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
trace id c46a944a inet fw4 input rule iifname "br-lan.1026" jump input_iot comment "!fw4: Handle iot IPv4/IPv6 input traffic" (verdict jump input_iot)
trace id c46a944a inet fw4 input_iot rule jump reject_from_iot (verdict jump reject_from_iot)
trace id c46a944a inet fw4 reject_from_iot rule iifname "br-lan.1026" counter packets 68 bytes 45253 jump handle_reject comment "!fw4: reject iot IPv4/IPv6 traffic" (verdict jump handle_reject)
trace id c46a944a inet fw4 handle_reject rule reject comment "!fw4: Reject any other traffic" (verdict drop)
```
Running a kernel without [1] restores the proper queueing to conntrackd and routing.
Am I doing something wrong here? My understanding of [1] is that it only will process the last reference to a multicast packet. Does that mean that the only way to implement such a helper is by implementing a kernel helper? Is there an alternative approach I should be considering? I saw that the initial author who implemented the slp helper in kernel mode was asked to reimplement it as a user-space helper [2] so I'm not sure what the current recommendation is.
Regards,
Joel
[1]: netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
[2]: connection tracking helper for SLP https://lkml.org/lkml/2013/5/7/830
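
One way to line up the copies of a single packet in traces like the two above, as an added example that is not part of the original post: it groups `nft monitor trace` lines by trace id and then by `ip id`, and reports for each copy its interfaces, the chains it crossed, whether a `ct helper set` rule matched, and the last terminal verdict. The sample lines, address and ids are constructed; the function names are this example's own.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional

# One event line as printed by `nft monitor trace`.
LINE_RE = re.compile(
    r'^trace id (?P<tid>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) '
    r'(?P<chain>\S+) (?P<kind>packet:|rule|verdict|policy)\s*(?P<rest>.*)$')
RULE_VERDICT_RE = re.compile(r'\(verdict ([^)]+)\)\s*$')
HELPER_RE = re.compile(r'ct helper set "([^"]+)"')
IIF_RE = re.compile(r'\biif "([^"]+)"')
OIF_RE = re.compile(r'\boif "([^"]+)"')
IPID_RE = re.compile(r'\bip id (\d+)')
TERMINAL = {"accept", "drop", "queue"}


@dataclass
class Flow:
    """Everything seen under one trace id."""
    trace_id: str
    ip_id: Optional[int] = None
    iif: Optional[str] = None
    oif: Optional[str] = None
    chains: list = field(default_factory=list)
    helper: Optional[str] = None   # helper named by a matching `ct helper set` rule
    final: Optional[str] = None    # last accept/drop/queue seen for this trace id


def parse_trace(text):
    """Return an ordered {trace_id: Flow}; mail quote markers ('> ') are tolerated."""
    flows = OrderedDict()
    for raw in text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', raw.strip())
        m = LINE_RE.match(line)
        if not m:
            continue
        flow = flows.setdefault(m['tid'], Flow(m['tid']))
        if m['chain'] not in flow.chains:
            flow.chains.append(m['chain'])
        kind, rest, verdict = m['kind'], m['rest'], ""
        if kind == "packet:":
            ipid, iif, oif = IPID_RE.search(rest), IIF_RE.search(rest), OIF_RE.search(rest)
            if ipid and flow.ip_id is None:
                flow.ip_id = int(ipid.group(1))
            if iif and flow.iif is None:
                flow.iif = iif.group(1)
            if oif:
                flow.oif = oif.group(1)
        elif kind == "rule":
            helper, v = HELPER_RE.search(rest), RULE_VERDICT_RE.search(rest)
            if helper:
                flow.helper = helper.group(1)
            verdict = v.group(1).split()[0] if v else ""
        else:  # "verdict continue" / "policy accept"
            verdict = rest.split()[0] if rest else ""
        if verdict in TERMINAL:
            flow.final = verdict
    return flows


def correlate(text):
    """Group trace ids that carry the same ip id, i.e. copies of one packet."""
    by_packet = OrderedDict()
    for flow in parse_trace(text).values():
        by_packet.setdefault(flow.ip_id, []).append(flow)
    return by_packet


def summarize(text):
    out = []
    for ip_id, flows in correlate(text).items():
        out.append(f"ip id {ip_id}: {len(flows)} trace id(s)")
        for f in flows:
            out.append(f"  {f.trace_id} iif={f.iif} oif={f.oif} helper={f.helper} "
                       f"final={f.final} chains={'>'.join(f.chains)}")
    return out


# Constructed, abridged sample (not taken from the post).
_PKT = ('ip saddr 192.0.2.10 ip daddr 239.255.255.250 ip id 1111 '
        'ip protocol udp udp sport 1900 udp dport 1900')
SAMPLE = "\n".join([
    f'trace id aaaa0001 inet fw4 raw_prerouting packet: iif "br-lan.1024" {_PKT}',
    'trace id aaaa0001 inet fw4 raw_prerouting policy accept',
    f'trace id aaaa0001 inet fw4 helper_svc packet: iif "br-lan.1024" {_PKT}',
    'trace id aaaa0001 inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 '
    'counter packets 1 bytes 387 ct helper set "ssdp" (verdict continue)',
    'trace id aaaa0001 inet fw4 helper_svc policy accept',
    f'trace id bbbb0002 inet fw4 forward packet: iif "br-lan.1024" oif "br-lan.1026" {_PKT}',
    'trace id bbbb0002 inet fw4 accept_to_iot rule oifname "br-lan.1026" '
    'counter packets 1 bytes 387 accept (verdict accept)',
    f'trace id bbbb0002 inet fw4 mangle_postrouting packet: oif "br-lan.1026" {_PKT}',
    'trace id bbbb0002 inet fw4 mangle_postrouting policy accept',
    f'trace id aaaa0001 inet fw4 input packet: iif "br-lan.1024" {_PKT}',
    'trace id aaaa0001 inet fw4 handle_reject rule reject (verdict drop)',
])

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```
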
* Re: conntrackd user-space helpers for multicast/broadcast
2025-11-08 6:32 conntrackd user-space helpers for multicast/broadcast Joel Low
@ 2025-11-09 18:20 ` Pablo Neira Ayuso
2025-11-09 23:46 ` Joel Low
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2025-11-09 18:20 UTC
To: Joel Low; +Cc: netfilter@vger.kernel.org
Hi,
Are you using the br_netfilter module in your setup?
On Sat, Nov 08, 2025 at 06:32:18AM +0000, Joel Low wrote:
> Hello there!
>
> I've been trying to configure a conntrackd user-space helper for multicast/broadcast SNMP (using the slp helper, relying on the same principle) and SSDP (using the ssdp helper). I was briefly able to get it working last year, but after the changes made by 7d8dc1c [1] it seems like the associated multicast packets are not being reliably queued to conntrackd. I do occasionally see a packet or two making it through (both conntrackd and to its final destination) but I cannot reliably pin it down nor explain why. I am aware that I am forcing an unrouteable SNMP packet to be routed (they are sent to 255.255.255.255 -- but I have placed my compute devices in a separate subnet/vlan from my IOT devices, 1024/1026) -- but should this work?
>
> What I have done to debug this so far while running a kernel containing [1] is to trace the route of a packet through this set of chains (I'm trying to keep it minimal; my apologies if this doesn't reproduce cleanly - I'm running this on OpenWrt).
>
> ```
> table inet fw4 {
> 	ct helper ssdp {
> 		type "ssdp" protocol udp
> 		l3proto inet
> 	}
>
> 	ct helper broadcast {
> 		type "slp" protocol udp
> 		l3proto ip
> 	}
>
> 	chain helper_svc {
> 		type filter hook prerouting priority filter; policy accept;
> 		ip daddr 239.255.255.249 udp dport 161 counter ct helper set "broadcast"
> 		ip daddr 239.255.255.250 udp dport 1900 counter ct helper set "ssdp"
> 	}
>
> 	chain raw_prerouting {
> 		type filter hook prerouting priority raw; policy accept;
> 		ip daddr 255.255.255.255 udp dport != { 67, 68, 547 } iifname "br-lan.1024" ip ttl set 2 ip daddr set 239.255.255.249 counter meta nftrace set 1
> 		ip daddr 239.255.255.250 iifname "br-lan.1024" ip ttl set 2 counter meta nftrace set 1
> 	}
>
> 	chain mangle_postrouting {
> 		type filter hook postrouting priority mangle; policy accept;
> 		ip daddr 239.255.255.249 oifname "br-lan.1027" ip daddr set 255.255.255.255 counter
> 		ip daddr 239.255.255.249 oifname "br-lan.1026" ip daddr set 192.168.20.255 counter
> 	}
> }
> ```
>
> (I've tried with both overriding the ether daddr and not, it does not seem to make a difference.)
>
> With that set of chains, I've run `nft monitor` while observing the output of conntrackd that I've hacked to print messages when it receives a packet on an nfqueue.
>
> This is a packet that doesn't get sent to conntrackd:
>
> ```
> trace id f347290f inet fw4 raw_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 raw_prerouting rule ip daddr 239.255.255.250 iifname "br-lan.1024" ip ttl set 2 counter packets 703 bytes 250905 meta nftrace set 1 (verdict continue)
> trace id f347290f inet fw4 raw_prerouting verdict continue
> trace id f347290f inet fw4 raw_prerouting policy accept
> trace id f347290f inet fw4 mangle_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 mangle_prerouting verdict continue
> trace id f347290f inet fw4 mangle_prerouting policy accept
> trace id f347290f inet fw4 dstnat packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 dstnat verdict continue
> trace id f347290f inet fw4 dstnat policy accept
> trace id f347290f inet fw4 prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 prerouting rule iifname "br-lan.1024" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
> trace id f347290f inet fw4 helper_lan verdict continue
> trace id f347290f inet fw4 prerouting verdict continue
> trace id f347290f inet fw4 prerouting policy accept
> trace id f347290f inet fw4 helper_svc packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 counter packets 837 bytes 337357 ct helper set "ssdp" comment "!svc: DLNA" (verdict continue)
> trace id f347290f inet fw4 helper_svc verdict continue
> trace id f347290f inet fw4 helper_svc policy accept
> trace id 557a86d6 inet fw4 mangle_forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id 557a86d6 inet fw4 mangle_forward verdict continue
> trace id 557a86d6 inet fw4 mangle_forward policy accept
> trace id 557a86d6 inet fw4 forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id 557a86d6 inet fw4 forward rule iifname "br-lan.1024" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
> trace id 557a86d6 inet fw4 forward_lan rule counter packets 891 bytes 279481 jump accept_to_lan comment "!fw4: Intra-LAN interface traffic" (verdict jump accept_to_lan)
> trace id 557a86d6 inet fw4 accept_to_lan verdict continue
> trace id 557a86d6 inet fw4 forward_lan rule ip daddr 239.255.255.250 udp dport 1900 counter packets 703 bytes 250905 jump accept_to_iot (verdict jump accept_to_iot)
> trace id 557a86d6 inet fw4 accept_to_iot rule oifname "br-lan.1026" counter packets 1630 bytes 376326 accept comment "!fw4: accept iot IPv4/IPv6 traffic" (verdict accept)
> trace id a2926568 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id a2926568 inet fw4 mangle_postrouting verdict continue
> trace id a2926568 inet fw4 mangle_postrouting policy accept
> trace id a2926568 inet fw4 srcnat packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id a2926568 inet fw4 srcnat rule oifname "br-lan.1026" jump srcnat_iot comment "!fw4: Handle iot IPv4/IPv6 srcnat traffic" (verdict jump srcnat_iot)
> trace id a2926568 inet fw4 srcnat_iot verdict continue
> trace id a2926568 inet fw4 srcnat verdict continue
> trace id a2926568 inet fw4 srcnat policy accept
> trace id 557a86d6 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id 557a86d6 inet fw4 mangle_postrouting verdict continue
> trace id 557a86d6 inet fw4 mangle_postrouting policy accept
> trace id f347290f inet fw4 mangle_input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 mangle_input verdict continue
> trace id f347290f inet fw4 mangle_input policy accept
> trace id f347290f inet fw4 input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34662 ip protocol udp ip length 387 udp sport 1900 udp dport 1900 udp length 367 udp checksum 13152
> trace id f347290f inet fw4 input rule iifname "br-lan.1024" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" (verdict jump input_lan)
> trace id f347290f inet fw4 input_lan rule jump reject_from_lan (verdict jump reject_from_lan)
> trace id f347290f inet fw4 reject_from_lan rule iifname "br-lan.1024" counter packets 898 bytes 280311 jump handle_reject comment "!fw4: reject lan IPv4/IPv6 traffic" (verdict jump handle_reject)
> trace id f347290f inet fw4 handle_reject rule reject comment "!fw4: Reject any other traffic" (verdict drop)
> ```
>
> This is a packet that does get picked up by conntrackd and gets routed:
>
> ```
> trace id 030d8487 inet fw4 raw_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id 030d8487 inet fw4 raw_prerouting rule ip daddr 239.255.255.250 iifname "br-lan.1024" ip ttl set 2 counter packets 403 bytes 144885 meta nftrace set 1 (verdict continue)
> trace id 030d8487 inet fw4 raw_prerouting verdict continue
> trace id 030d8487 inet fw4 raw_prerouting policy accept
> trace id 030d8487 inet fw4 mangle_prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id 030d8487 inet fw4 mangle_prerouting verdict continue
> trace id 030d8487 inet fw4 mangle_prerouting policy accept
> trace id 030d8487 inet fw4 prerouting packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id 030d8487 inet fw4 prerouting rule iifname "br-lan.1024" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
> trace id 030d8487 inet fw4 helper_lan verdict continue
> trace id 030d8487 inet fw4 prerouting verdict continue
> trace id 030d8487 inet fw4 prerouting policy accept
> trace id 030d8487 inet fw4 helper_svc packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id 030d8487 inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 counter packets 471 bytes 190003 ct helper set "ssdp" comment "!svc: DLNA" (verdict continue)
> trace id 030d8487 inet fw4 helper_svc verdict continue
> trace id 030d8487 inet fw4 helper_svc policy accept
> trace id af150fc3 inet fw4 mangle_forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id af150fc3 inet fw4 mangle_forward verdict continue
> trace id af150fc3 inet fw4 mangle_forward policy accept
> trace id af150fc3 inet fw4 forward packet: iif "br-lan.1024" oif "br-lan.1026" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id af150fc3 inet fw4 forward rule iifname "br-lan.1024" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
> trace id af150fc3 inet fw4 forward_lan rule counter packets 513 bytes 161605 jump accept_to_lan comment "!fw4: Intra-LAN interface traffic" (verdict jump accept_to_lan)
> trace id af150fc3 inet fw4 accept_to_lan verdict continue
> trace id af150fc3 inet fw4 forward_lan rule ip daddr 239.255.255.250 udp dport 1900 counter packets 403 bytes 144885 jump accept_to_iot (verdict jump accept_to_iot)
> trace id af150fc3 inet fw4 accept_to_iot rule oifname "br-lan.1026" counter packets 909 bytes 208517 accept comment "!fw4: accept iot IPv4/IPv6 traffic" (verdict accept)
> trace id dfde2134 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id dfde2134 inet fw4 mangle_postrouting verdict continue
> trace id dfde2134 inet fw4 mangle_postrouting policy accept
> trace id af150fc3 inet fw4 mangle_postrouting packet: oif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id af150fc3 inet fw4 mangle_postrouting verdict continue
> trace id af150fc3 inet fw4 mangle_postrouting policy accept
> trace id 030d8487 inet fw4 mangle_input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id 030d8487 inet fw4 mangle_input verdict continue
> trace id 030d8487 inet fw4 mangle_input policy accept
> trace id 030d8487 inet fw4 input packet: iif "br-lan.1024" ether saddr aa:bb:cc:dd:ee:ff ether daddr bb:cc:dd:ee:ff:00 ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 2 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id 030d8487 inet fw4 input rule iifname "br-lan.1024" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" (verdict jump input_lan)
> trace id 030d8487 inet fw4 input_lan rule jump reject_from_lan (verdict jump reject_from_lan)
> trace id 030d8487 inet fw4 reject_from_lan rule iifname "br-lan.1024" counter packets 515 bytes 162031 jump handle_reject comment "!fw4: reject lan IPv4/IPv6 traffic" (verdict jump handle_reject)
> trace id 030d8487 inet fw4 handle_reject rule reject comment "!fw4: Reject any other traffic" (verdict drop)
> trace id c46a944a inet fw4 raw_prerouting packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id c46a944a inet fw4 raw_prerouting verdict continue
> trace id c46a944a inet fw4 raw_prerouting policy accept
> trace id c46a944a inet fw4 mangle_prerouting packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id c46a944a inet fw4 mangle_prerouting verdict continue
> trace id c46a944a inet fw4 mangle_prerouting policy accept
> trace id c46a944a inet fw4 prerouting packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id c46a944a inet fw4 prerouting rule iifname "br-lan.1026" jump helper_iot comment "!fw4: Handle iot IPv4/IPv6 helper assignment" (verdict jump helper_iot)
> trace id c46a944a inet fw4 helper_iot verdict continue
> trace id c46a944a inet fw4 prerouting verdict continue
> trace id c46a944a inet fw4 prerouting policy accept
> trace id c46a944a inet fw4 helper_svc packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id c46a944a inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 counter packets 471 bytes 190003 ct helper set "ssdp" comment "!svc: DLNA" (verdict continue)
> trace id c46a944a inet fw4 helper_svc verdict continue
> trace id c46a944a inet fw4 helper_svc policy accept
> trace id c46a944a inet fw4 mangle_input packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id c46a944a inet fw4 mangle_input verdict continue
> trace id c46a944a inet fw4 mangle_input policy accept
> trace id c46a944a inet fw4 input packet: iif "br-lan.1026" ip saddr 192.168.xx.zzz ip daddr 239.255.255.250 ip dscp cs0 ip ecn not-ect ip ttl 1 ip id 34371 ip protocol udp ip length 186 udp sport 52100 udp dport 1900 udp length 166 udp checksum 16095
> trace id c46a944a inet fw4 input rule iifname "br-lan.1026" jump input_iot comment "!fw4: Handle iot IPv4/IPv6 input traffic" (verdict jump input_iot)
> trace id c46a944a inet fw4 input_iot rule jump reject_from_iot (verdict jump reject_from_iot)
> trace id c46a944a inet fw4 reject_from_iot rule iifname "br-lan.1026" counter packets 68 bytes 45253 jump handle_reject comment "!fw4: reject iot IPv4/IPv6 traffic" (verdict jump handle_reject)
> trace id c46a944a inet fw4 handle_reject rule reject comment "!fw4: Reject any other traffic" (verdict drop)
> ```
>
> Running a kernel without [1] restores the proper queueing to conntrackd and routing.
>
> Am I doing something wrong here? My understanding of [1] is that it only will process the last reference to a multicast packet. Does that mean that the only way to implement such a helper is by implementing a kernel helper? Is there an alternative approach I should be considering? I saw that the initial author who implemented the slp helper in kernel mode was asked to reimplement it as a user-space helper [2] so I'm not sure what the current recommendation is.
>
> Regards,
> Joel
>
> [1]: netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
> [2]: connection tracking helper for SLP https://lkml.org/lkml/2013/5/7/830
>
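The quoted trace shows the same datagram (`ip id 34371`) under several trace ids with different outcomes. The following is an added example, not code from the thread or from nftables: a small parser for `nft monitor trace` text that records, per trace id, the chains visited, any `ct helper set` assignment and the last terminal verdict, then groups trace ids by IP ID. The function names and the abridged sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: abridged lines in the format of the nft trace output
# quoted in the thread (most header fields and rule comments omitted).
SAMPLE = '''\
> trace id 030d8487 inet fw4 helper_svc packet: iif "br-lan.1024" ip daddr 239.255.255.250 ip ttl 2 ip id 34371 udp dport 1900
> trace id 030d8487 inet fw4 helper_svc rule ip daddr 239.255.255.250 udp dport 1900 ct helper set "ssdp" (verdict continue)
> trace id 030d8487 inet fw4 helper_svc policy accept
> trace id af150fc3 inet fw4 forward packet: iif "br-lan.1024" oif "br-lan.1026" ip daddr 239.255.255.250 ip ttl 1 ip id 34371 udp dport 1900
> trace id af150fc3 inet fw4 accept_to_iot rule oifname "br-lan.1026" accept (verdict accept)
> trace id 030d8487 inet fw4 input packet: iif "br-lan.1024" ip daddr 239.255.255.250 ip ttl 2 ip id 34371 udp dport 1900
> trace id 030d8487 inet fw4 handle_reject rule reject (verdict drop)
'''

LINE = re.compile(r'^(?:>\s*)*trace id (\w+) \w+ \w+ (\S+) (packet:|rule|verdict|policy)\s*(.*)$')

def summarize(text):
    """Return {trace_id: {'ip_id', 'chains', 'helper', 'fate'}} from trace text."""
    out = defaultdict(lambda: {'ip_id': None, 'chains': [], 'helper': None, 'fate': None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line (prose, fences, empty quote lines)
        tid, chain, kind, rest = m.groups()
        t = out[tid]
        if chain not in t['chains']:
            t['chains'].append(chain)  # chains in the order first visited
        ipid = re.search(r'\bip id (\d+)', rest)
        helper = re.search(r'ct helper set "([^"]+)"', rest)
        verdict = re.search(r'\(verdict (\w+)', rest)
        if kind == 'packet:' and ipid:
            t['ip_id'] = int(ipid.group(1))
        elif kind == 'rule':
            if helper:
                t['helper'] = helper.group(1)
            if verdict and verdict.group(1) in ('accept', 'drop') and t['fate'] != 'drop':
                t['fate'] = verdict.group(1)
        elif kind == 'policy' and t['fate'] != 'drop':
            t['fate'] = rest.strip()  # base-chain policy; a later hook may still drop
    return dict(out)

def clones(summary):
    """Group trace ids by IP ID so copies of one datagram line up side by side."""
    groups = defaultdict(list)
    for tid, t in summary.items():
        groups[t['ip_id']].append((tid, t['fate']))
    return dict(groups)
```

Passing saved `nft monitor trace` output to `summarize()` and then `clones()` shows at a glance which trace id had the helper assigned and which one reached an accept.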
* RE: conntrackd user-space helpers for multicast/broadcast
2025-11-09 18:20 ` Pablo Neira Ayuso
@ 2025-11-09 23:46 ` Joel Low
2025-11-12 9:44 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Joel Low @ 2025-11-09 23:46 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org
Hi Pablo,
> -----Original Message-----
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Sent: Monday, 10 November 2025 2:21 am
> To: Joel Low <joel@joelsplace.sg>
> Cc: netfilter@vger.kernel.org
> Subject: Re: conntrackd user-space helpers for multicast/broadcast
>
> Hi,
>
> Are you using the br_netfilter module in your setup?
I don't think so; `lsmod | grep br_` returns nothing on that host.
* Re: conntrackd user-space helpers for multicast/broadcast
2025-11-09 23:46 ` Joel Low
@ 2025-11-12 9:44 ` Pablo Neira Ayuso
2025-11-12 15:02 ` Joel Low
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2025-11-12 9:44 UTC (permalink / raw)
To: Joel Low; +Cc: netfilter@vger.kernel.org
On Sun, Nov 09, 2025 at 11:46:00PM +0000, Joel Low wrote:
> Hi Pablo,
>
> > -----Original Message-----
> > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > Sent: Monday, 10 November 2025 2:21 am
> > To: Joel Low <joel@joelsplace.sg>
> > Cc: netfilter@vger.kernel.org
> > Subject: Re: conntrackd user-space helpers for multicast/broadcast
> >
> > Hi,
> >
> > Are you using the br_netfilter module in your setup?
>
> I don't think so; `lsmod | grep br_` returns nothing on that host.
And no built-in CONFIG_BRIDGE_NETFILTER=y?
It should be possible to fix this by dropping the conntrack in the
queue path, then nfqnl_ct_parse() performs a ct lookup from the
reinject path.
* RE: conntrackd user-space helpers for multicast/broadcast
2025-11-12 9:44 ` Pablo Neira Ayuso
@ 2025-11-12 15:02 ` Joel Low
0 siblings, 0 replies; 5+ messages in thread
From: Joel Low @ 2025-11-12 15:02 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org
> -----Original Message-----
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Sent: Wednesday, 12 November 2025 5:45 pm
> To: Joel Low <joel@joelsplace.sg>
> Cc: netfilter@vger.kernel.org
> Subject: Re: conntrackd user-space helpers for multicast/broadcast
>
> On Sun, Nov 09, 2025 at 11:46:00PM +0000, Joel Low wrote:
> > Hi Pablo,
> >
> > > -----Original Message-----
> > > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > > Sent: Monday, 10 November 2025 2:21 am
> > > To: Joel Low <joel@joelsplace.sg>
> > > Cc: netfilter@vger.kernel.org
> > > Subject: Re: conntrackd user-space helpers for multicast/broadcast
> > >
> > > Hi,
> > >
> > > Are you using the br_netfilter module in your setup?
> >
> > I don't think so; `lsmod | grep br_` returns nothing on that host.
>
> And no built-in CONFIG_BRIDGE_NETFILTER=y?
>
> It should be possible to fix this by dropping the conntrack in the queue path,
> then nfqnl_ct_parse() performs a ct lookup from the reinject path.
From what I can tell, CONFIG_BRIDGE_NETFILTER=m, and the module is not loaded in my setup.
My apologies that I can't completely understand what you're suggesting I do; I've been trying to feel my way around the codebase to best isolate the problem. Is there some documentation or code you can point me to as a reference or starting point, please? My best guess of your suggestion is to mark the flow as `notrack`, but subsequently reinject the multicast packet? My attempts with notrack seem to suggest that the entire helper assignment and processing is completely bypassed, and thus I'm pretty sure I'm misunderstanding your suggestion.