[pkg-netfilter-team] Bug#1050418: Conntrackd in Bookworm reverts byte order in src address sent by conntrackd in Bullseye

Jeremy Sowden jeremy at azazel.net
Thu Aug 24 21:51:06 BST 2023


Control: tags -1 + patch

On 2023-08-24, at 20:33:13 +0100, Jeremy Sowden wrote:
> On 2023-08-24, at 12:55:30 +0200, Pavel Matěja wrote:
> > I'm upgrading our servers from Bullseye to Bookworm. Some of them
> > act as load balancers and they are using conntrackd to synchronize
> > TCP connection states using FTFW sync mode.  I've noticed when I
> > have primary server running Bullseye (conntrack v1.4.6) and
> > secondary Bookworm (conntrack v1.4.7) I get
> > 
> > bullseye:~$ sudo conntrack -L
> > ..
> > tcp      6 430554 ESTABLISHED src=x.y.49.137 dst=x.y.48.169
> >          sport=35570 dport=636 src=10.170.0.153 dst=x.y.49.137
> >          sport=636 dport=35570 [ASSURED] mark=0 use=1
> > ..
> > 
> > bookworm:~$ sudo conntrack -L
> > ..
> > tcp      6 431388 ESTABLISHED src=x.y.49.137 dst=x.y.48.169
> >          sport=35570 dport=636 src=153.0.170.10 dst=x.y.49.137
> >          sport=636 dport=35570 [ASSURED] mark=0 use=1
> > ..
> > 
> > Notice order of the 'src' address bytes.
> > When failover occurs all TCP connections via secondary balancer are
> > broken as packets source addresses don't match those in conntrack
> > table anymore.
> >
> > [...]
> >
> > Core of this problem might be related to
> > https://git.netfilter.org/conntrack-tools/commit/?id=b55717d46ae3b7c3769192a66e565bc7c2d833a1
> > but I'm not familiar with conntrackd source code.
> 
> I believe you are correct in identifying b55717d46ae3 ("conntrackd:
> fix endianness bug in IPv4 and IPv6 address").
>
> [...]
>
> I believe the upstream switch to NBO is correct, but I'm afraid that
> we in Debian didn't spot this consequence.  I'll see about getting a
> notice added to the package documentation.

Something like this patch.

J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-d-NEWS-add-notice-about-1.4.6-1.4.7-little-endian-im.patch
Type: text/x-diff
Size: 1316 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-netfilter-team/attachments/20230824/b9d3bf5a/attachment.patch>
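The byte reversal described in the report can be checked for before a failover by diffing the two peers' conntrack tables. The script below is an added example, not part of the bug report or of conntrack-tools: it parses `conntrack -L` output from the primary and the secondary, and flags reply-direction entries whose IPv4 address on the secondary is the byte-reversed form of the primary's. The sample table lines are constructed (RFC 5737 addresses stand in for the anonymised x.y.* ones in the report) and are written one entry per line, as conntrack prints them; the function names and the two-peer layout are assumptions of the example.

```python
"""Spot byte-swapped IPv4 addresses between two conntrackd peers' tables.

Added example; not code from the bug report or from conntrack-tools.
The table lines below are constructed sample input.
"""
import re
import socket
import struct

# Constructed sample: primary running conntrack 1.4.6, secondary 1.4.7.
PRIMARY_BULLSEYE = """\
tcp      6 430554 ESTABLISHED src=192.0.2.137 dst=192.0.2.169 sport=35570 dport=636 src=10.170.0.153 dst=192.0.2.137 sport=636 dport=35570 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.0.2.140 dst=192.0.2.169 sport=40000 dport=443 src=10.1.1.1 dst=192.0.2.140 sport=443 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.150 dst=192.0.2.169 sport=51000 dport=53 src=198.51.100.7 dst=192.0.2.150 sport=53 dport=51000 mark=0 use=1
"""
SECONDARY_BOOKWORM = """\
tcp      6 431388 ESTABLISHED src=192.0.2.137 dst=192.0.2.169 sport=35570 dport=636 src=153.0.170.10 dst=192.0.2.137 sport=636 dport=35570 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.0.2.140 dst=192.0.2.169 sport=40000 dport=443 src=10.1.1.1 dst=192.0.2.140 sport=443 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.150 dst=192.0.2.169 sport=51000 dport=53 src=7.100.51.198 dst=192.0.2.150 sport=53 dport=51000 mark=0 use=1
"""

# One match per direction: "src=A dst=B sport=P dport=Q".
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def swap_v4(addr):
    """Dotted quad obtained when the 32-bit address is written in
    little-endian host order by one side and read as network order
    by the other (or vice versa): 10.170.0.153 <-> 153.0.170.10."""
    host_order = struct.unpack("<I", socket.inet_aton(addr))[0]
    return socket.inet_ntoa(struct.pack(">I", host_order))


def parse_conntrack(text):
    """Map each entry's original-direction tuple to its reply-direction tuple.
    Entries without exactly two tuples (e.g. ICMP) are skipped."""
    entries = {}
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) == 2:
            entries[tuples[0]] = tuples[1]
    return entries


def find_byte_swapped(primary_text, secondary_text):
    """Return (original_tuple, primary_addr, secondary_addr) for every entry
    whose reply-direction src or dst on the secondary is the byte-reversed
    form of the primary's address for the same connection."""
    primary = parse_conntrack(primary_text)
    secondary = parse_conntrack(secondary_text)
    hits = []
    for orig, p_reply in primary.items():
        s_reply = secondary.get(orig)
        if s_reply is None or s_reply == p_reply:
            continue
        for field in (0, 1):  # reply src, reply dst
            p_addr, s_addr = p_reply[field], s_reply[field]
            if s_addr != p_addr and s_addr == swap_v4(p_addr):
                hits.append((orig, p_addr, s_addr))
    return hits


if __name__ == "__main__":
    for orig, p_addr, s_addr in find_byte_swapped(PRIMARY_BULLSEYE, SECONDARY_BOOKWORM):
        print(f"{orig[0]}:{orig[2]} -> {orig[1]}:{orig[3]}: "
              f"primary reply addr {p_addr}, secondary has {s_addr}")
```

Note that comparison against the primary's table is the only reliable check: an address whose bytes read the same in either order (10.0.0.10, for instance) is installed unchanged on the 1.4.7 side and would not look odd on its own, and the byte-reversed form of a real address is in general a perfectly plausible address.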