[pkg-netfilter-team] Bug#1050418: Conntrackd in Bookworm reverts byte order in src address sent by conntrackd in Bullseye

Pavel Matěja pavel at verotel.cz
Thu Aug 24 11:55:30 BST 2023


Package: conntrackd
Version: 1:1.4.7-1+b2
The conntrackd package on Bullseye is 1:1.4.6-2.

I'm upgrading our servers from Bullseye to Bookworm. Some of them act as load balancers and use conntrackd to synchronize TCP connection states in FTFW sync mode.
I've noticed that when I have the primary server running Bullseye (conntrack v1.4.6) and the secondary running Bookworm (conntrack v1.4.7) I get

bullseye:~$ sudo conntrack -L
..
tcp      6 430554 ESTABLISHED src=x.y.49.137 dst=x.y.48.169 sport=35570 dport=636 src=10.170.0.153 dst=x.y.49.137 sport=636 dport=35570 [ASSURED] mark=0 use=1
..

bookworm:~$ sudo conntrack -L
..
tcp      6 431388 ESTABLISHED src=x.y.49.137 dst=x.y.48.169 sport=35570 dport=636 src=153.0.170.10 dst=x.y.49.137 sport=636 dport=35570 [ASSURED] mark=0 use=1
..

Notice the order of the 'src' address bytes.
When failover occurs, all TCP connections via the secondary balancer are broken, as packet source addresses no longer match those in the conntrack table.

Downgrading the conntrack and conntrackd packages on the Bookworm server solved this problem.
I was unable to build a 1.4.7 package for Bullseye.
I'm not sure which version is considered to be acting correctly.

The core of this problem might be related to
https://git.netfilter.org/conntrack-tools/commit/?id=b55717d46ae3b7c3769192a66e565bc7c2d833a1
but I'm not familiar with conntrackd source code.

I'm sorry I had to mask the public IP.
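As an added consistency check (example code, not part of the report or of conntrack-tools): parse `conntrack -L` output captured on both balancers and flag every synced entry whose reply-direction address differs between the hosts by exactly an octet reversal, the symptom shown above. The embedded sample lines are constructed from the two quoted ones, with the masked prefix replaced by the documentation prefix 198.51.100 so they parse.

```python
import ipaddress
import re

# Constructed sample `conntrack -L` output modelled on the two lines quoted in the
# report; the masked prefix "x.y" is replaced by the documentation prefix 198.51.100.
PRIMARY_BULLSEYE = ("tcp      6 430554 ESTABLISHED src=198.51.100.137 dst=198.51.100.169 "
                    "sport=35570 dport=636 src=10.170.0.153 dst=198.51.100.137 "
                    "sport=636 dport=35570 [ASSURED] mark=0 use=1\n")
SECONDARY_BOOKWORM = ("tcp      6 431388 ESTABLISHED src=198.51.100.137 dst=198.51.100.169 "
                      "sport=35570 dport=636 src=153.0.170.10 dst=198.51.100.137 "
                      "sport=636 dport=35570 [ASSURED] mark=0 use=1\n")

TOKEN = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_entry(line):
    """Return (proto, original tuple, reply tuple); the 4 tuple keys occur twice, original first."""
    proto = line.split()[0]
    orig, reply = {}, {}
    for key, val in TOKEN.findall(line):
        if key in TUPLE_KEYS:
            (orig if key not in orig else reply)[key] = val
    return proto, orig, reply

def reversed_bytes(addr):
    """Octet-reverse an IPv4 address: 10.170.0.153 -> 153.0.170.10 (the report's symptom)."""
    packed = ipaddress.IPv4Address(addr).packed
    return str(ipaddress.IPv4Address(bytes(reversed(packed))))

def index_table(text):
    """Map each original-direction 5-tuple to its reply tuple."""
    table = {}
    for line in filter(str.strip, text.splitlines()):
        proto, orig, reply = parse_entry(line)
        table[(proto,) + tuple(orig[k] for k in TUPLE_KEYS)] = reply
    return table

def find_byte_order_mismatches(primary_text, secondary_text):
    """Return (key, field, primary_addr, secondary_addr) where a synced entry's reply address is octet-reversed."""
    primary, secondary = index_table(primary_text), index_table(secondary_text)
    hits = []
    for key, p_reply in primary.items():
        s_reply = secondary.get(key)
        if s_reply is None:
            continue  # not synced to the secondary at all; a different failure
        for field in ("src", "dst"):
            if p_reply[field] != s_reply[field] and reversed_bytes(p_reply[field]) == s_reply[field]:
                hits.append((key, field, p_reply[field], s_reply[field]))
    return hits
```

Running `find_byte_order_mismatches` on the two constructed tables reports the single reply `src` mismatch; an empty result before a planned failover means the two tables agree on addresses.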