- Package: src:iptables-netflow
- Source: iptables-netflow
- Submitter: Ben Hutchings
- Date: 2022-02-20 00:15:03 UTC
- Severity: important
- Tags:
The set_notifier_cb() and unset_notifier_cb() functions are using a notifier API that was intended only for internal use by the netfilter conntrack implementation. Please disable the natevents feature. These events are already logged through netlink and the conversion to NEL could be done in user-space.

Ben.
Hi Ben,

Ben Hutchings wrote:

This indeed sounds like something for upstream. Will forward it to upstream once the remaining questions have been clarified.

Then again, this sounds more like a request to the Debian package maintainer (i.e. me) as this is a configure option. What would be the impact if I don't disable this feature? Can you please elaborate? My general approach here is to enable all features upstream compiles in that the admin might need. But at least the NAT events are still disabled by default at runtime, even if they're compiled in.

I'm not sure if this really makes sense. ipt_NETFLOW so far does nothing outside the kernel on purpose. Its functionality needs to be highly performing, i.e. be able to handle many dozens if not hundreds of Gbps of traffic. I'm not sure if putting any part of it outside the kernel is really feasible. But anyway, reimplementing that feature is clearly an upstream thing again.

[…]

Why do you seem to have the version from Oldstable installed even though you seem to be running Unstable? Or was it reportbug which chose the wrong version? Or just a copy & paste error? Please clarify which version you were actually looking at. Or in other words: please make sure that 2.6-2 in Unstable still has this issue. Because upstream usually only accepts feature requests for the most recent upstream version (or — even better — against upstream git HEAD).

Regards, Axel
Control: found -1 2.6-2

Then the module will not report all the events that might be expected.

There is nothing inherently faster about doing things inside the kernel, and in any case the events are always being copied out to user-space. But I don't know how the performance of the upstream netlink facility compares with ipt_NETFLOW.

Indeed.

[...]

I don't have it installed, and reportbug has picked the wrong version. I actually looked at 2.6-2 (in a VM).

Ben.
Hi Ben, Ben Hutchings wrote: I see. That's indeed not what I'd expected so far. Ok, thanks for the clarification! Regards, Axel
[...]

Sorry, I read your question wrongly before. The impact if you *don't* disable the feature includes:

- If nf_conntrack_netlink is loaded after iptables-netflow, the kernel will log a WARNING and disable NAT event reporting through iptables-netflow
- If nf_conntrack_netlink is loaded before iptables-netflow and then removed, the kernel will disable NAT event reporting through iptables-netflow

Ben.