Le 24/06/2024 à 20:18, Pablo Neira Ayuso a écrit :
> Hi,
Hello,
Thank you for your answer!
> There is a fix for this in git.netfilter.org/libnetfilter_conntrack at
> git HEAD.
>
> Could you check that this fixes the issue for you?
Sorry, but no. I've tried master commit for both:
* conntrack-tools: 5b61acb (conntrackd: helpers/rpc: Don't add expectation table entry for portmap port, 2024-04-25)
* libnetfilter_conntrack: e0d9ff6 (conntrack: bsf: Do not return -1 on failure, 2024-04-26)
This filter config fragment allows CT to be synchronized using Userspace filtering but not Kernelspace filtering:
Address Accept {
IPv4_address 10.132.159.62
IPv4_address 10.132.159.60
}
What commit from libnetfilter_conntrack do you have in mind? (Maybe I can see if it's in my code path?)
Regards,
>
> Thanks
>
> On Mon, Jun 24, 2024 at 06:04:51PM +0200, Yoann Congal wrote:
>> Hello,
>>
>> We are trying synchronise conntrack tables across multiple machines using conntrackd.
>>
>> We only want to synchronise conntrack for a limited set of IP addresses (for example: 10.132.159.60 and 10.132.159.62).
>>
>> I'm working on Debian stable packages :
>> * conntrackd 1.4.7-1
>> * libnetfilter-conntrack3 1.0.9-6
>>
>> Here is what I wrote in conntrackd.conf :
>> Filter From Kernelspace {
>> ...
>> Address Accept {
>> IPv4_address 10.132.159.60
>> IPv4_address 10.132.159.62
>> }
>> ...
>> }
>>
>> Except that does not work : After debugging, it appear that in this configuration the kernel does not send the conntrack element to conntrackd. If I understood correctly, this filter is read by conntrackd/libnetfilter-conntrack as "Accept CT that matches 10.132.159.60 AND 10.132.159.62" which won't happen.
>>
>> Switching this to Userspace filtering does work : CT are sent from the kernel to conntrackd and then synchronized across the other instances. This difference in user/kernel filtering sounds like a bug on one side.
>> Userspace filtering is a bit heavy for the system, and we would really like to stay on kernel filtering.
>>
>> I've also tried to use one "Address Accept{}" bloc for each IPv4_address but that does not work either.
>>
>> Some random elements I've gathered while debugging this:
>> * All the example I could find only used "Address Ignore {}" blocks so I guess the "Address Accept" option is not heavily used?
>> * The code adding the IP to the filter is here : https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/blob/master/src/read_config_yy.c#L3258
>> nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4);
>> Interestingly, the error messages some lines higher only mention the "ignore pool"
>>
>> My questions:
>> * Has anyone pointers on how to setup this usecase (kernel filtering + accept on multiple IPs) ?
>> * Is this a bug? (In that case, I'd push this to the bugzilla)
--
Yoann Congal
Smile ECS - Tech Expert
