Issue with iptables 1.8.4 and RHEL 8.6


We have run into an issue after upgrading our systems from RHEL 8.5 to RHEL 8.6. Our machine is set up as a router between 2 sites. We have had to "loosen" the rp_filter (change from 1 to 2) in the kernel parameters, as we need to provide asymmetric routing, and we also run iptables on this to restrict traffic.

This configuration has worked flawlessly, until we updated to RHEL 8.6.
What is strange is that I can always ping the device at the remote end, so ICMP traffic seems to be unaffected; however, when I try to SSH to the device, I see packets from the remote end enter our ingress interface, but I only see 1 packet exit the egress interface (I still see packets entering the ingress side). It appears that all other packets exiting are dropped (although I do not see anything in the logs to reflect them being dropped, i.e. martians). I have flushed all iptables rules and set everything to ACCEPT, but the issue still persists. I have found that if I completely stop the iptables service, the packets flow as they should and everything works.

Responses

Hi Brian Boettcher,

I personally have not seen/heard anything on this specifically. I recommend submitting a case with Red Hat so they can work it directly, and if needed, they can create a bug.

Regards,
RJ

Keep in mind iptables/nftables won't log traffic by default, you need to add a LOG target at points of interest.

You could try logging invalid traffic to see if conntrack is considering the traffic not part of an existing stream.

If you're starting/restarting the firewall in the middle of existing streams, you'll need net.netfilter.nf_conntrack_tcp_loose=1 set.

You could try setting conntrack to "be liberal" to allow more traffic in which matches existing flows.

There are about 80 changes in netfilter between 8.5 and 8.6 (you can see in the RPM changelog), though nothing jumps out as an obvious cause of this.
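The diagnostic steps in the reply above (LOG rules for INVALID traffic, the nf_conntrack_tcp_loose and "be liberal" sysctls, and reading the resulting log lines), written out as an added example. This is not code from either poster; it assumes iptables 1.8.x on RHEL 8 with the LOG target writing to the kernel ring buffer (so lines show up in `dmesg` or `journalctl -k`), and the log prefix, sysctl drop-in path and sample log line are constructed for the example. The "be liberal" knob is net.netfilter.nf_conntrack_tcp_be_liberal.

```shell
# Added example for this thread, not code from the original posts.
# Assumptions: iptables 1.8.x on RHEL 8 (iptables-nft backend); netfilter LOG
# writes to the kernel log. The prefix "CT-INVALID: " and SAMPLE_LOG below are
# constructed for this example.

# 1. Log whatever conntrack marks INVALID, ahead of every other rule, so the
#    drops the poster could not see become visible. APPLY=1 runs the rules
#    (needs root); otherwise they are only printed.
invalid_log_rules() {
    prefix=${1:-"CT-INVALID: "}
    for chain in INPUT FORWARD; do
        rule="iptables -I $chain 1 -m conntrack --ctstate INVALID -j LOG --log-prefix \"$prefix\" --log-level 4"
        printf '%s\n' "$rule"
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$rule"
        fi
    done
}

# 2. The conntrack sysctls the reply refers to. tcp_loose=1 lets conntrack adopt
#    a TCP stream whose handshake it never saw (firewall restarted mid-flow).
#    tcp_be_liberal=1 stops out-of-window segments being marked INVALID, which is
#    what you get with asymmetric routing when only one direction crosses the box.
conntrack_sysctls() {
    printf '%s\n' \
        'net.netfilter.nf_conntrack_tcp_loose = 1' \
        'net.netfilter.nf_conntrack_tcp_be_liberal = 1'
}

# Persist them in a drop-in (path is an assumption) and load it now.
install_conntrack_sysctls() {
    conf=${1:-/etc/sysctl.d/90-conntrack-liberal.conf}
    conntrack_sysctls > "$conf" && sysctl -p "$conf"
}

# Return 0 when a /proc/sys knob file reads 1, e.g.
#   knob_enabled /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
knob_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# 3. Extract one KEY=value field (SRC, DST, PROTO, SPT, DPT, IN, OUT, ...) from a
#    netfilter LOG line. Prints nothing when the key is absent.
nflog_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
        }
    }'
}

# Count INVALID log lines per SRC->DST:DPT read from stdin, busiest first.
nflog_summary() {
    awk '/CT-INVALID:/ {
        src = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) src = substr($i, 5)
            if (index($i, "DST=") == 1) dst = substr($i, 5)
            if (index($i, "DPT=") == 1) dpt = substr($i, 5)
        }
        n[src "->" dst ":" dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of what the LOG rule emits for an SSH reply segment that
# conntrack rejected (not a real line from the thread).
SAMPLE_LOG='Jun  1 10:00:01 router kernel: CT-INVALID: IN=eth1 OUT=eth0 MAC=... SRC=10.20.0.5 DST=10.10.0.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=501 RES=0x00 ACK URGP=0'
```

Typical use on the router: `invalid_log_rules` (with APPLY=1) while reproducing the SSH attempt, then `journalctl -k | nflog_summary` to see whether the missing egress packets are the ones conntrack flagged; if they are, `install_conntrack_sysctls` and retest before touching the rule set again.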