public inbox for stable@vger.kernel.org
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: restore default behavior for nf_conntrack_events
Date: Wed, 5 Jun 2024 11:09:31 +0200	[thread overview]
Message-ID: <c527582b-05dd-45bf-a9b1-2499b01280ee@6wind.com> (raw)
In-Reply-To: <ZmAn7VcLHsdAI8Xg@strlen.de>

On 05/06/2024 at 10:55, Florian Westphal wrote:
> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>> Since the below commit, there are regressions for legacy setups:
>> 1/ conntracks are created while there is no listener
>> 2/ a listener starts and dumps all conntracks to get the current state
>> 3/ conntracks deleted before the listener has started are not advertised
>>
>> This is problematic in containers, where conntracks could be created early.
>> This sysctl is part of the unsafe sysctls and cannot be changed easily in
>> some environments.
>>
>> Let's switch back to the legacy behavior.
> 
> :-(
> 
> Would it be possible to resolve this for containers by setting
> the container default to 1 if init_net had it changed to 1 at netns
> creation time?

When we have access to the host, it is possible to allow the configuration of
this (unsafe) sysctl for the pod. But there are cases where we don't have access
to the host.

https://docs.openshift.com/container-platform/4.9/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using


Regards,
Nicolas
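The following POSIX shell script is an added example, not part of the thread or of the netfilter tree. It reads net.netfilter.nf_conntrack_events from /proc so a practitioner can check which default a freshly created network namespace (and therefore a container) actually starts with, which is the question raised above. The function names, the constructed input files, and the "1 means the legacy always-on behaviour" interpretation (taken from the reply's "changed to 1") are this example's own assumptions; the netns comparison needs CAP_SYS_ADMIN and util-linux unshare, and it is only run on request so the rest can be exercised unprivileged.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect
# net.netfilter.nf_conntrack_events in the current netns and in a new one.
# Assumed path; it only exists once nf_conntrack is loaded.
SYSCTL_PATH=/proc/sys/net/netfilter/nf_conntrack_events

# Read the sysctl value from a file. The file is a parameter (default: the
# live /proc entry) so the logic can be checked against a constructed file
# without root and without the conntrack module loaded.
read_conntrack_events() {
    f="${1:-$SYSCTL_PATH}"
    if [ ! -r "$f" ]; then
        echo "cannot read $f (nf_conntrack not loaded or no permission)" >&2
        return 1
    fi
    tr -d '[:space:]' < "$f"
}

# Exit 0 when the value is 1, i.e. the legacy "always generate events"
# setting the patch restores as default; non-zero otherwise (2 if unreadable).
conntrack_events_is_legacy() {
    v=$(read_conntrack_events "$1") || return 2
    [ "$v" = "1" ]
}

# Human-readable summary for a value, used by the report below.
describe_conntrack_events() {
    if [ "$1" = "1" ]; then
        echo "1 (legacy: events always generated, a late listener's dump is complete)"
    else
        echo "$1 (not the legacy value: a listener that starts after conntracks exist may miss their deletion)"
    fi
}

# Compare init_net with a brand-new netns. This is exactly what the
# suggestion in the reply would change: whether a new namespace inherits
# init_net's value or starts from the built-in default.
# Requires CAP_SYS_ADMIN and util-linux unshare; exits 0 only if both match.
compare_with_new_netns() {
    host=$(read_conntrack_events) || return 1
    if ! command -v unshare >/dev/null 2>&1; then
        echo "unshare not available; skipping netns comparison" >&2
        return 1
    fi
    child=$(unshare -n sh -c "tr -d '[:space:]' < '$SYSCTL_PATH'") || return 1
    echo "init_net  : $(describe_conntrack_events "$host")"
    echo "new netns : $(describe_conntrack_events "$child")"
    [ "$host" = "$child" ]
}

# Only act when invoked as "script.sh check", so sourcing the file for the
# functions has no side effects.
case "${1:-}" in
    check)
        if compare_with_new_netns; then
            echo "new namespaces inherit the init_net setting"
        else
            echo "new namespaces do NOT inherit the init_net setting (or check failed)"
            exit 1
        fi
        ;;
esac
```

Run it as root with `sh script.sh check` on a host where the sysctl was raised to 1; if the second line reports a different value, a container created on that host starts with the built-in default regardless of what the host administrator set, which is the situation the reply describes for environments where the pod cannot set unsafe sysctls itself.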

Thread overview:
2024-06-04 13:54 [PATCH nf] netfilter: restore default behavior for nf_conntrack_events Nicolas Dichtel
2024-06-05  8:55 ` Florian Westphal
2024-06-05  9:09   ` Nicolas Dichtel [this message]
2024-06-05 18:41     ` Pablo Neira Ayuso
2024-06-06  8:50       ` Nicolas Dichtel
2024-06-06  8:53         ` Florian Westphal
2024-06-06 13:07           ` Nicolas Dichtel
2024-06-26 11:41 ` Pablo Neira Ayuso
2024-07-03  7:37   ` Nicolas Dichtel
2024-07-15 14:19     ` Pablo Neira Ayuso