On 10/4/21 9:07 PM, Matt Mercer wrote:
> Hi Pablo,
> We tested a very silly patch to internal_cache_ct_event_del() that
> skips the CTD_ORIGIN_INJECT check:
Hi Matt,
I wanted to chime in to confirm that I've been experiencing the same issue you're
describing.
There were only 2 differences in our setup compared to yours:
* both internal & external caches were disabled
* using TCP as transport method
I had problems debugging the setup, because the firewall was a live system,
receiving 6Gbps of traffic. Obtaining a clear pattern was difficult.
I couldn't replicate the problem when replicating the setup on a system with
more "manageable" traffic. So I only observed the bug when conntrackd was under
high load (which probably means: under "real world" traffic patterns).
Eventually I lost my time budget to work on this (and interest) and moved on...
So, just wanted to confirm that this bug exists, thanks for the report!
We should probably track something on https://bugzilla.netfilter.org/ for the
time being.