nf_conntrack_events auto mode invalidates NETLINK_LISTEN_ALL_NSID netlink socket option

Commit 90d1daa45849f272b701f29d6ca88b24743c7553 introduced a nf_conntrack_events=2 mode sysctl intended to avoid an allocation "as long as no event listener is active in the namespace".

The netlink socket option NETLINK_LISTEN_ALL_NSID allows a socket to listen to events "from all network namespaces that have an nsid assigned into the network namespace where the socket has been opened".

The effect of the above commit is that sockets in other network namespaces (including the root network namespace) with NETLINK_LISTEN_ALL_NSID no longer receive events from any other network namespace. Once you create a netlink socket in the same network namespace as the event, then events from that network namespace flow to all netlink sockets in all namespaces.

I attempted a workaround by setting nf_conntrack_events=1, but that only applies in the current namespace. I believe this workaround has no effect, because the default has been changed to 2 for all new namespaces.

This affects kernels 5.19+.

I have git bisected the kernel with a reproducer to identify the commit above. I can publish the reproducer on request.

Thanks,
Bryce Kahle
Datadog
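
Added example, not part of the original message and not the author's reproducer: a small Python listener of the kind the report concerns, which subscribes to conntrack events with NETLINK_LISTEN_ALL_NSID set and reports the nsid each event arrived with. The numeric constants are copied from the Linux uapi headers; open_listener, nsid_of and parse_events are names chosen here for illustration.

```python
import socket
import struct

# Constants from linux/netlink.h and linux/netfilter/nfnetlink*.h
NETLINK_NETFILTER = 12
SOL_NETLINK = 270
NETLINK_ADD_MEMBERSHIP = 1
NETLINK_LISTEN_ALL_NSID = 8
NFNLGRP_CONNTRACK = (1, 2, 3)      # NEW, UPDATE, DESTROY multicast groups
NFNL_SUBSYS_CTNETLINK = 1
CT_MSG = {0: "NEW", 2: "DELETE"}   # IPCTNL_MSG_CT_NEW (also updates) / _DELETE
NLMSG_HDRLEN = 16                  # struct nlmsghdr; struct nfgenmsg (4 bytes) follows

def open_listener():
    """Conntrack event socket that also asks for other namespaces' events (run as root)."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
    s.setsockopt(SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, 1)
    s.bind((0, 0))
    for grp in NFNLGRP_CONNTRACK:
        s.setsockopt(SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, grp)
    return s

def nsid_of(ancdata):
    """Return the nsid carried in the control message, or None when there is none."""
    for level, ctype, data in ancdata:
        if level == SOL_NETLINK and ctype == NETLINK_LISTEN_ALL_NSID:
            return struct.unpack("=i", data[:4])[0]
    return None  # no nsid cmsg: the event came from the socket's own namespace

def parse_events(buf):
    """Walk the netlink messages in buf; return (kind, address family) per conntrack event."""
    out, off = [], 0
    while off + NLMSG_HDRLEN <= len(buf):
        length, mtype, _fl, _seq, _pid = struct.unpack_from("=IHHII", buf, off)
        if length < NLMSG_HDRLEN or off + length > len(buf):
            break  # truncated or malformed message: stop parsing
        if mtype >> 8 == NFNL_SUBSYS_CTNETLINK and length >= NLMSG_HDRLEN + 4:
            family = buf[off + NLMSG_HDRLEN]  # nfgenmsg.nfgen_family
            out.append((CT_MSG.get(mtype & 0xFF, "OTHER"), family))
        off += (length + 3) & ~3  # NLMSG_ALIGN
    return out

if __name__ == "__main__":
    sock = open_listener()
    while True:
        data, anc, _flags, _addr = sock.recvmsg(65536, socket.CMSG_SPACE(4))
        print("nsid", nsid_of(anc), parse_events(data))
```

Per the report, on an affected kernel the events from other namespaces are missing from this output until a netlink socket exists inside the namespace that generates them.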