netfilter buglog - Apr 2016 - [Bug 1062] New: Kernel IPv6 event filtering not working

https://bugzilla.netfilter.org/show_bug.cgi?id=1062

            Bug ID: 1062
           Summary: Kernel IPv6 event filtering not working
           Product: conntrack-tools
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: conntrack-daemon
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: arturo.borrero.glez at gmail.com

IPv6 kernel filtering seems broken in conntrackd 1.4.3 with Linux kernel 4.4.

The test is simple:
 * configure a two node conntrackd cluster to sync connections
 * configure IPv6 kernelspace filtering
 * launch `conntrack -E' to see conntrack events in both nodes
 * launch some IPv6 matching traffic, and see it syncing to the other node
 * switch the config to userspace filtering
 * launch some IPv6 matching traffic, the sync don't happen this time.

This is an example configuration in one of my nodes:

==== 8< ===Sync {
        Mode NOTRACK {
                DisableInternalCache on
                DisableExternalCache on
        }

        TCP {
                IPv4_address 10.0.0.201
                IPv4_Destination_Address 10.0.0.202
                Port 3780
                Interface eth0
                Checksum on
                SndSocketBuffer 12492800
                RcvSocketBuffer 12492800
        }
        Options {
                ExpectationSync On
        }
}
General {
        Nice -20
        Scheduler {
                Type FIFO
                Priority 99
        }

        Syslog on
        LockFile /var/lock/conntrackd.lock
        UNIX {
                Path /var/run/conntrackd.sock
                Backlog 20
        }

        NetlinkBufferSize 8000000
        NetlinkBufferSizeMaxGrowth 80000000

        Filter From Kernelspace {
                Address Ignore {
                        IPv4_address 127.0.0.1
                        IPv4_address 10.0.0.200
                        IPv4_address 10.0.0.201
                        IPv4_address 10.0.0.202
                        IPv6_address ::1
                        IPv6_address fe00::200
                        IPv6_address fe00::201
                        IPv6_address fe00::202
                }
        }

        EventIterationLimit 10
}
==== 8< ===
You can switch to userspace filtering by replacing the 'Kernelspace'
keyword and restarting the daemon:

==== 8< ===        Filter From Userspace {
                Address Ignore {
                        IPv4_address 127.0.0.1
                        IPv4_address 10.0.0.200
                        IPv4_address 10.0.0.201
                        IPv4_address 10.0.0.202
                        IPv6_address ::1
                        IPv6_address fe00::200
                        IPv6_address fe00::201
                        IPv6_address fe00::202
                }
        }
==== 8< ===
Debian bug #690676 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160414/b4dcc3cd/attachment.html>