Hello,
We are trying synchronise conntrack tables across multiple machines using conntrackd.
We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).
I'm working on Debian stable packages :
* conntrackd 1.4.7-1
* libnetfilter-conntrack3 1.0.9-6
Here is what I wrote in conntrackd.conf :
Filter From Kernelspace {
...
Address Accept {
IPv4_address 10.132.159.60
IPv4_address 10.132.159.62
}
...
}
Except that does not work : After debugging, it appear that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches 10.132.159.60 AND 10.132.159.62" which won't happen.
Switching this to Userspace filtering does work : CT are sent from the kernel to conntrackd and then synchronized across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.
I've also tried to use one "Address Accept{}" bloc for each IPv4_address but that does not work either.
Some random elements I've gathered while debugging this:
* All the example I could find only used "Address Ignore {}" blocks so I guess the "Address Accept" option is not heavily used?
* The code adding the IP to the filter is here : https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
Interestingly, the error messages some lines higher only mention the "ignore pool"
My questions:
* Has anyone pointers on how to setup this usecase (kernel filtering + accept on multiple IPs) ?
* Is this a bug? (In that case, I'd push this to the bugzilla)
Thanks in advance,
Best regards,
--
Yoann Congal
Smile ECS - Tech Expert
