Hi Greg,
I hope this message finds you well. I'm reaching out to report a regression issue linked to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping the conntrack input hook for promiscuous packets.
[dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.]
Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal functionality expected in Kubernetes environments.
Additionally, it's worth noting that this specific commit is associated with a security vulnerability, as detailed in the NVD: CVE-2024-27018.
We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit, we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re in a tricky position and would greatly appreciate your advice on how we might approach this problem.
Thank you for your attention to this matter. I look forward to your guidance on how we might proceed.
Best regards,
Allen
On Wed, Jun 12, 2024 at 10:57:03AM -0700, Allen Pais wrote:
Hi Greg,
I hope this message finds you well. I'm reaching out to report a regression issue linked to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping the conntrack input hook for promiscuous packets.
[dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.]
Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal functionality expected in Kubernetes environments.
Additionally, it's worth noting that this specific commit is associated with a security vulnerability, as detailed in the NVD: CVE-2024-27018.
We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit, we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re in a tricky position and would greatly appreciate your advice on how we might approach this problem.
Thank you for your attention to this matter. I look forward to your guidance on how we might proceed.
Is this issue also in newer kernel versions (like 6.1.y, 6.6.y, and Linus's tree)? If not, then we might have missed something. If so, then please work with the netfilter developers to work this out.
thanks,
greg k-h
Hi Greg,
I hope this message finds you well. I'm reaching out to report a regression issue linked to the commit dceb683ab87c(v5.15.158), which addresses the netfilter subsystem by skipping the conntrack input hook for promiscuous packets.
[dceb683ab87c 2024-04-09 netfilter: br_netfilter: skip conntrack input hook for promiscuous packets.]
Unfortunately, this update appears to be breaking Kubernetes hairpin tests, impacting the normal functionality expected in Kubernetes environments.
Additionally, it's worth noting that this specific commit is associated with a security vulnerability, as detailed in the NVD: CVE-2024-27018.
We have bisected the issue to the specific commit dceb683ab87c. By reverting this commit, we confirmed that the Kubernetes hairpin test issues are resolved. However, given that this commit addresses the security vulnerability CVE-2024-27018, directly reverting it is not a viable option. We’re in a tricky position and would greatly appreciate your advice on how we might approach this problem.
Thank you for your attention to this matter. I look forward to your guidance on how we might proceed.
Is this issue also in newer kernel versions (like 6.1.y, 6.6.y, and Linus's tree)? If not, then we might have missed something. If so, then please work with the netfilter developers to work this out.
I have not tested 6.1.y or 6.6.y yet. Will do that and if the issue persists, will reach out to The netfilter folks.
Thank you.
Allen
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org
-
Allen Pais -
Greg KH