On Wed, Jun 12, 2024 at 10:57:03AM -0700, Allen Pais wrote: > Hi Greg, > > I hope this message finds you well. I'm reaching out to report a regression issue linked > to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping > the conntrack input hook for promiscuous packets. > > [dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.] > > Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal > functionality expected in Kubernetes environments. > > Additionally, it's worth noting that this specific commit is associated with a security vulnerability, > as detailed in the NVD: CVE-2024-27018. > > We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit, > we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit > addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re > in a tricky position and would greatly appreciate your advice on how we might approach this problem. > > Thank you for your attention to this matter. I look forward to your guidance on how we might proceed. Is this issue also in newer kernel versions (like 6.1.y, 6.6.y, and Linus's tree)? If not, then we might have missed something. If so, then please work with the netfilter developers to work this out. thanks, greg k-h
