* Regression Impact from Commit dceb683ab87c on Kubernetes Hairpin Tests
@ 2024-06-12 17:57 Allen Pais
2024-06-12 18:49 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Allen Pais @ 2024-06-12 17:57 UTC (permalink / raw)
To: Greg KH; +Cc: stable
Hi Greg,
I hope this message finds you well. I'm reaching out to report a regression issue linked
to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping
the conntrack input hook for promiscuous packets.
[dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.]
Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal
functionality expected in Kubernetes environments.
Additionally, it's worth noting that this specific commit is associated with a security vulnerability,
as detailed in the NVD: CVE-2024-27018.
We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit,
we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit
addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re
in a tricky position and would greatly appreciate your advice on how we might approach this problem.
Thank you for your attention to this matter. I look forward to your guidance on how we might proceed.
Best regards,
Allen
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Regression Impact from Commit dceb683ab87c on Kubernetes Hairpin Tests
2024-06-12 17:57 Regression Impact from Commit dceb683ab87c on Kubernetes Hairpin Tests Allen Pais
@ 2024-06-12 18:49 ` Greg KH
2024-06-13 17:56 ` Allen Pais
0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2024-06-12 18:49 UTC (permalink / raw)
To: Allen Pais; +Cc: stable
On Wed, Jun 12, 2024 at 10:57:03AM -0700, Allen Pais wrote:
> Hi Greg,
>
> I hope this message finds you well. I'm reaching out to report a regression issue linked
> to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping
> the conntrack input hook for promiscuous packets.
>
> [dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.]
>
> Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal
> functionality expected in Kubernetes environments.
>
> Additionally, it's worth noting that this specific commit is associated with a security vulnerability,
> as detailed in the NVD: CVE-2024-27018.
>
> We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit,
> we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit
> addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re
> in a tricky position and would greatly appreciate your advice on how we might approach this problem.
>
> Thank you for your attention to this matter. I look forward to your guidance on how we might proceed.
Is this issue also in newer kernel versions (like 6.1.y, 6.6.y, and
Linus's tree)? If not, then we might have missed something. If so,
then please work with the netfilter developers to work this out.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Regression Impact from Commit dceb683ab87c on Kubernetes Hairpin Tests
2024-06-12 18:49 ` Greg KH
@ 2024-06-13 17:56 ` Allen Pais
0 siblings, 0 replies; 3+ messages in thread
From: Allen Pais @ 2024-06-13 17:56 UTC (permalink / raw)
To: Greg KH; +Cc: stable
>> Hi Greg,
>>
>> I hope this message finds you well. I'm reaching out to report a regression issue linked
>> to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping
>> the conntrack input hook for promiscuous packets.
>>
>> [dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.]
>>
>> Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal
>> functionality expected in Kubernetes environments.
>>
>> Additionally, it's worth noting that this specific commit is associated with a security vulnerability,
>> as detailed in the NVD: CVE-2024-27018.
>>
>> We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit,
>> we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit
>> addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re
>> in a tricky position and would greatly appreciate your advice on how we might approach this problem.
>>
>> Thank you for your attention to this matter. I look forward to your guidance on how we might proceed.
>
> Is this issue also in newer kernel versions (like 6.1.y, 6.6.y, and
> Linus's tree)? If not, then we might have missed something. If so,
> then please work with the netfilter developers to work this out.
I have not tested 6.1.y or 6.6.y yet. Will do that and if the issue persists, will reach out to
The netfilter folks.
Thank you.
Allen
>
> thanks,
>
> greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-06-13 17:56 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-12 17:57 Regression Impact from Commit dceb683ab87c on Kubernetes Hairpin Tests Allen Pais
2024-06-12 18:49 ` Greg KH
2024-06-13 17:56 ` Allen Pais
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox