>> Hi Greg, >> >> I hope this message finds you well. I'm reaching out to report a regression issue linked >> to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping >> the conntrack input hook for promiscuous packets. >> >> [dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.] >> >> Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal >> functionality expected in Kubernetes environments. >> >> Additionally, it's worth noting that this specific commit is associated with a security vulnerability, >> as detailed in the NVD: CVE-2024-27018. >> >> We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit, >> we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit >> addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re >> in a tricky position and would greatly appreciate your advice on how we might approach this problem. >> >> Thank you for your attention to this matter. I look forward to your guidance on how we might proceed. > > Is this issue also in newer kernel versions (like 6.1.y, 6.6.y, and > Linus's tree)? If not, then we might have missed something. If so, > then please work with the netfilter developers to work this out. I have not tested 6.1.y or 6.6.y yet. Will do that and if the issue persists, will reach out to The netfilter folks. Thank you. Allen > > thanks, > > greg k-h
