bugzilla-daemon at netfilter.org
2016-Apr-14 09:19 UTC
[Bug 1062] New: Kernel IPv6 event filtering not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1062

Bug ID: 1062
Summary: Kernel IPv6 event filtering not working
Product: conntrack-tools
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: conntrack-daemon
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: arturo.borrero.glez at gmail.com

IPv6 kernel filtering seems broken in conntrackd 1.4.3 with Linux kernel 4.4.

The test is simple:

* configure a two node conntrackd cluster to sync connections
* configure IPv6 kernelspace filtering
* launch `conntrack -E' to see conntrack events in both nodes
* launch some IPv6 matching traffic, and see it syncing to the other node
* switch the config to userspace filtering
* launch some IPv6 matching traffic; the sync doesn't happen this time.

This is an example configuration in one of my nodes:

==== 8< ===
Sync {
    Mode NOTRACK {
        DisableInternalCache on
        DisableExternalCache on
    }
    TCP {
        IPv4_address 10.0.0.201
        IPv4_Destination_Address 10.0.0.202
        Port 3780
        Interface eth0
        Checksum on
        SndSocketBuffer 12492800
        RcvSocketBuffer 12492800
    }
    Options {
        ExpectationSync On
    }
}

General {
    Nice -20
    Scheduler {
        Type FIFO
        Priority 99
    }
    Syslog on
    LockFile /var/lock/conntrackd.lock
    UNIX {
        Path /var/run/conntrackd.sock
        Backlog 20
    }
    NetlinkBufferSize 8000000
    NetlinkBufferSizeMaxGrowth 80000000
    Filter From Kernelspace {
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 10.0.0.200
            IPv4_address 10.0.0.201
            IPv4_address 10.0.0.202
            IPv6_address ::1
            IPv6_address fe00::200
            IPv6_address fe00::201
            IPv6_address fe00::202
        }
    }
    EventIterationLimit 10
}
==== 8< ===

You can switch to userspace filtering by replacing the 'Kernelspace' keyword and restarting the daemon:

==== 8< ===
    Filter From Userspace {
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 10.0.0.200
            IPv4_address 10.0.0.201
            IPv4_address 10.0.0.202
            IPv6_address ::1
            IPv6_address fe00::200
            IPv6_address fe00::201
            IPv6_address fe00::202
        }
    }
==== 8< ===

Debian bug #690676
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676
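The following is an added checker, not part of the bug report or of conntrack-tools, for verifying the reporter's test from the `conntrack -E' side: it parses event lines and flags every flow whose source or destination is on the Address Ignore list from the configuration above. With a working kernelspace filter no such event should reach userspace, so any flagged line is evidence of the failure described. It assumes the Address Ignore semantics are "drop the event if either endpoint matches" (an assumption), and the event lines are constructed samples, not captured output.

```python
import ipaddress
import re

# Ignore list copied from the Address Ignore block in the report's configuration.
IGNORE = frozenset(ipaddress.ip_address(a) for a in (
    "127.0.0.1", "10.0.0.200", "10.0.0.201", "10.0.0.202",
    "::1", "fe00::200", "fe00::201", "fe00::202",
))

# Constructed `conntrack -E` style lines (not from the report). Lines 2, 4 and 5
# involve an ignored address and should never be emitted by a working filter.
# Line 4 deliberately spells the IPv6 address in its expanded form to show that
# textual comparison is not enough; addresses are compared after parsing.
SAMPLE_EVENTS = """\
[NEW] tcp      6 120 SYN_SENT src=10.0.0.10 dst=10.0.0.50 sport=40001 dport=80 [UNREPLIED] src=10.0.0.50 dst=10.0.0.10 sport=80 dport=40001
[NEW] tcp      6 120 SYN_SENT src=10.0.0.10 dst=10.0.0.201 sport=40002 dport=22 [UNREPLIED] src=10.0.0.201 dst=10.0.0.10 sport=22 dport=40002
[NEW] tcp      6 120 SYN_SENT src=fe00::10 dst=fe00::50 sport=40003 dport=80 [UNREPLIED] src=fe00::50 dst=fe00::10 sport=80 dport=40003
[NEW] tcp      6 120 SYN_SENT src=fe00::10 dst=fe00:0:0:0:0:0:0:201 sport=40004 dport=22 [UNREPLIED] src=fe00::201 dst=fe00::10 sport=22 dport=40004
[NEW] udp      17 30 src=::1 dst=::1 sport=5353 dport=5353 [UNREPLIED] src=::1 dst=::1 sport=5353 dport=5353
"""

# Matches the address part of src=/dst= tokens for both IPv4 and IPv6 literals.
ADDR_RE = re.compile(r"\b(?:src|dst)=([0-9a-fA-F.:]+)")


def event_addresses(line):
    """Return the set of parsed endpoint addresses (both directions) in one event line."""
    addrs = set()
    for tok in ADDR_RE.findall(line):
        try:
            addrs.add(ipaddress.ip_address(tok))
        except ValueError:
            # Malformed token: skip rather than abort the whole scan.
            pass
    return addrs


def should_ignore(line, ignore=IGNORE):
    """True if any endpoint address of the event is on the ignore list.

    Parsed-address comparison makes 'fe00::201' and 'fe00:0:0:0:0:0:0:201' equal,
    and an IPv4 address never equals an IPv6 address with the same integer value.
    """
    return any(a in ignore for a in event_addresses(line))


def leaked_events(text, ignore=IGNORE):
    """Event lines that a correctly working Address Ignore filter should not have delivered."""
    return [ln for ln in text.splitlines() if ln.strip() and should_ignore(ln, ignore)]


def leaked_by_family(text, ignore=IGNORE):
    """Count leaked events per IP family, to tell an IPv6-only failure from a general one."""
    counts = {4: 0, 6: 0}
    for ln in leaked_events(text, ignore):
        family = next(iter(event_addresses(ln))).version
        counts[family] += 1
    return counts


if __name__ == "__main__":
    # Usage with live data: conntrack -E | python3 this_script.py, reading sys.stdin
    # instead of SAMPLE_EVENTS.
    for ln in leaked_events(SAMPLE_EVENTS):
        print("NOT FILTERED:", ln)
    print("leaked per family:", leaked_by_family(SAMPLE_EVENTS))
```

Run it against the two nodes' `conntrack -E' output while generating traffic: a filter that honours the IPv6 entries yields an empty list, while the behaviour the report describes shows up as leaked events with a non-zero IPv6 count and a zero IPv4 count.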