I see there was a patch applied. Is there any chance of getting this backported to the affected versions 5.19+, since it broke existing functionality?

On Mon, Feb 20, 2023 at 6:43 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Thu, Feb 16, 2023 at 04:18:22PM +0100, Florian Westphal wrote:
> > Bryce Kahle <bryce.kahle@xxxxxxxxxxxxx> wrote:
> > > I have posted the reproducer at
> > > https://github.com/brycekahle/netfilter-reproducer
> >
> > Thanks. Resolving this in a backwards compatible way is
> > intrusive because at the time the ctnetlink subscription happens
> > nsid isn't set yet.
> >
> > We'd need a new callback in netlink_kernel_cfg so that ctnetlink
> > can be informed about activation of 'allnet' option on an existing
> > socket.
> >
> > We'd also need a new flag in netfilter/core.c for that and not in
> > ctnetlink because else we'd create an unwanted module dependency in
> > nf_conntrack.
> >
> > I can think of 3 alternative solutions:
> > 1. revert back to 'default 1'.
> > I don't want to do that because for almost all conntrack use
> > cases the extension allocation is unnecessary.
> >
> > 2. Switch netns creation behaviour to enable the extensions if
> > init_net has nf_conntrack_events=1.
> > This would require user intervention, but probably fine.
> > Downside is that this will be different from all the other
> > settings.
> >
> > 3. Add a module param to conntrack to override the default
> > setting. We already have such params for accounting and timestamps.
> >
> > I'd go with 3). Bryce, would that work for you?
> >
> > Pablo, what's your take on this?
> >
> > If you prefer I can work on the new netlink_kernel_cfg callback
> > to see how intrusive it really is.
> >
> > Breakage scenario is:
> >
> > 1. Parent netns opens ctnetlink event sk
> > 2. Parent netns sets ALL_NSID flag
> > 3. No events from child netns, because no ctnetlink
> > event sockets were created in this netns and thus
> > conntrack objects get no event extension.
> >
> > Extending the existing bind callback doesn't work because
> > ALL_NSID flag is set after event subscription.
>
> I would prefer netlink_kernel_cfg .setsockopt callback as you suggest.