#1005402 Abuses netfilter conntrack notifier API

#1005402#5
Date:
2022-02-12 21:14:52 UTC
The set_notifier_cb() and unset_notifier_cb() functions are using a
notifier API that was intended only for internal use by the netfilter
conntrack implementation.

Please disable the natevents feature.  These events are already logged
through netlink and the conversion to NEL could be done in user-space.

Ben.

#1005402#10
Date:
2022-02-13 06:17:35 UTC
Hi Ben,

Ben Hutchings wrote:

This indeed sounds like something for upstream. Will forward it to
upstream once the remaining questions have been clarified.

Then again, this sounds more like a request to the Debian package
maintainer (i.e. me) as this is a configure option.

What would be the impact if I don't disable this feature? Can you
please elaborate?

My general approach here is to enable all features compile upstream
the admin might need. But at least the NAT events are still disabled
by default at runtime, even if they're compiled in.

I'm not sure if this really makes sense. ipt_NETFLOW so far does
nothing outside the kernel on purpose. Its functionality needs to be
highly performing, i.e. be able to handle many dozens if not hundreds
of Gbps of traffic. I'm not sure if putting any part of it outside the
kernel is really feasible.

But anyway, reimplementing that feature is clearly an upstream thing
again.
[…]

Why do you seem to have the version of Oldstable installed despite you
seem to be running Unstable? Or was that reportbug which has chosen
the wrong version? Or just a copy & paste error? Please clarify which
version you were actually looking at.

Or in other words: please make sure that 2.6-2 in Unstable still has
this issue. Because upstream usually only accepts feature requests for
the most recent upstream version (or — even better — against upstream
git HEAD).

		Regards, Axel

#1005402#17
Date:
2022-02-18 16:01:52 UTC
Control: found -1 2.6-2

Then the module will not report all the events that might be expected.

There is nothing inherently faster about doing things inside the
kernel, and in case the events are always being copied out to user-
space.  But I don't know how the performance of the upstream netlink
facility compares with ipt_NETFLOW.

Indeed.
[...]

I don't have it installed, and reportbug has picked the wrong version.
I actually looked at 2.6-2 (in a VM).

Ben.

#1005402#24
Date:
2022-02-18 22:23:00 UTC
Hi Ben,

Ben Hutchings wrote:

I see. That's indeed not what I'd expected so far.

Ok, thanks for the clarification!

		Regards, Axel

#1005402#31
Date:
2022-02-20 00:12:31 UTC
[...]

Sorry, I read your question wrongly before.

The impact if you *don't* disable the feature includes:

- If nf_conntrack_netlink is loaded after iptables-netflow, the kernel
  will log a WARNING and disable NAT event reporting through
  iptables-netflow
- If nf_conntrack_netlink is loaded before iptables-netflow and then
  removed, the kernel will disable NAT event reporting through
  iptables-netflow

Ben.