* conntrackd will not accept connection records into kernel table from another machine
@ 2017-03-06 17:15 gerald
From: gerald @ 2017-03-06 17:15 UTC (permalink / raw)
  To: netfilter

https://bugzilla.netfilter.org/show_bug.cgi?id=1123

OS localhost 4.9.8-1-ARCH #1 SMP PREEMPT Mon Feb 6 12:59:40 CET 2017 x86_64 GNU/Linux

conntrackd version 1.4.4
conntrackd gives an error for each remote connection it attempts to add to the local table:
[Thu Feb 16 17:56:27 2017] (pid=1312) [ERROR] inject-add2: Invalid argument
Thu Feb 16 17:56:27 2017 icmp     1 src=192.168.0.15 dst=67.36.196.10 type=8 code=0 id=5486 [UNREPLIED]
[Thu Feb 16 17:56:27 2017] (pid=1312) [ERROR] inject-upd1: Invalid argument
Thu Feb 16 17:56:27 2017 icmp     1 src=192.168.0.15 dst=67.36.196.10 type=8 code=0 id=5486



when
DisableExternalCache On

conntrackd WILL add to the external table when the external cache is enabled
but errors when the cache is disabled

with the external cache disabled
entries DO NOT appear in conntrack -L
entries DO NOT appear in conntrackd -e
entries DO NOT appear in conntrackd -i
failures show in conntrackd -s


conntrackd.conf:
Sync {
    Mode FTFW {
        DisableExternalCache On
        CommitTimeout 1800
        PurgeTimeout 5
    }

    UDP {
        IPv4_address 192.168.0.31
        IPv4_Destination_Address 192.168.0.30
        Port 3780
        Interface ens8
        SndSocketBuffer 24985600
        RcvSocketBuffer 24985600
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP # This requires a Linux kernel >= 2.6.31
        }
        Address Ignore {
            IPv4_address 127.0.0.1 # loopback
            IPv4_address 192.168.0.30
            IPv4_address 192.168.0.31
        }
    }
}

conntrack -c
works and adds entries to the local table when executed

perhaps related to:
http://www.linuxquestions.org/questions/showthread.php?p=5547189#post5547189


* Re: conntrackd will not accept connection records into kernel table from another machine
From: Pablo Neira Ayuso @ 2017-03-09 20:32 UTC (permalink / raw)
  To: gerald; +Cc: netfilter

On Mon, Mar 06, 2017 at 11:15:04AM -0600, gerald wrote:
> https://bugzilla.netfilter.org/show_bug.cgi?id=1123
> 
> OS localhost 4.9.8-1-ARCH #1 SMP PREEMPT Mon Feb 6 12:59:40 CET 2017 x86_64 GNU/Linux
> 
> conntrackd version 1.4.4
> conntrackd gives an error for each remote connection it attempts to add to the local table:
> [Thu Feb 16 17:56:27 2017] (pid=1312) [ERROR] inject-add2: Invalid argument
> Thu Feb 16 17:56:27 2017 icmp     1 src=192.168.0.15 dst=67.36.196.10 type=8 code=0 id=5486 [UNREPLIED]
> [Thu Feb 16 17:56:27 2017] (pid=1312) [ERROR] inject-upd1: Invalid argument
> Thu Feb 16 17:56:27 2017 icmp     1 src=192.168.0.15 dst=67.36.196.10 type=8 code=0 id=5486

I fail to reproduce this here with 4.10 and current
libnetfilter_conntrack and conntrack-tools git HEAD.

EINVAL means that the message we send to the kernel is malformed, that
looks like a normal ping.

> when
> DisableExternalCache On
> 
> conntrackd WILL add to the external table when the external cache is enabled
> but errors when the cache is disabled
> 
> with the external cache disabled
> entries DO NOT appear in conntrack -L
> entries DO NOT appear in conntrackd -e
> entries DO NOT appear in conntrackd -i
> failures show in conntrackd -s
> 
> 
> conntrackd.conf:
> Sync {
>     Mode FTFW {
>         DisableExternalCache On

You cannot use FTFW with DisableExternalCache On. I'll make a patch to
warn on this to users. But this shouldn't be the cause of the problem.

>         CommitTimeout 1800

Could you comment out this option and retest?

>         PurgeTimeout 5
>     }
> 
>     UDP {
>         IPv4_address 192.168.0.31
>         IPv4_Destination_Address 192.168.0.30
>         Port 3780
>         Interface ens8
>         SndSocketBuffer 24985600
>         RcvSocketBuffer 24985600
>         Checksum on
>     }
> }
> 
> General {
>     Nice -20
>     HashSize 32768
>     HashLimit 131072
>     LogFile on
>     Syslog on
>     LockFile /var/lock/conntrack.lock
>     UNIX {
>         Path /var/run/conntrackd.ctl
>         Backlog 20
>     }
>     NetlinkBufferSize 2097152
>     NetlinkBufferSizeMaxGrowth 8388608
>     Filter From Userspace {
>         Protocol Accept {
>             TCP
>             UDP
>             ICMP # This requires a Linux kernel >= 2.6.31
>         }
>         Address Ignore {
>             IPv4_address 127.0.0.1 # loopback
>             IPv4_address 192.168.0.30
>             IPv4_address 192.168.0.31
>         }
>     }
> }
> 
> conntrack -c
> works and adds entries to the local table when executed
> 
> perhaps related to:
> http://www.linuxquestions.org/questions/showthread.php?p=5547189#post5547189


* Re: conntrackd will not accept connection records into kernel table from another machine
From: Pablo Neira Ayuso @ 2017-03-10  9:59 UTC (permalink / raw)
  To: gerald; +Cc: netfilter

On Thu, Mar 09, 2017 at 09:32:47PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 06, 2017 at 11:15:04AM -0600, gerald wrote:
> > https://bugzilla.netfilter.org/show_bug.cgi?id=1123
[...]
> > conntrackd.conf:
> > Sync {
> >     Mode FTFW {
> >         DisableExternalCache On
> 
> You cannot use FTFW with DisableExternalCache On. I'll make a patch to
> warn on this to users. But this shouldn't be the cause of the problem.

Forget this, FTFW and DisableExternalCache is OK.

> >         CommitTimeout 1800
> 
> Could you comment out this option and retest?

I managed to reproduce this here.

You cannot combine CommitTimeout with DisableExternalCache. If you set
CommitTimeout, then conntrack starts spitting EINVAL error messages.

Fixed here:

http://git.netfilter.org/conntrack-tools/commit/?id=39398cd3c1e488e099ea186ad1e5b725c2f09d1d

Thanks for reporting.
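The combination Pablo identified (CommitTimeout set inside a Sync Mode block that also has DisableExternalCache On) is easy to catch before a conntrackd 1.4.4 node starts logging EINVAL. The check below is an added example, not code from this thread or from conntrack-tools; it assumes a simplified conntrackd.conf grammar (one "Key Value" or "Key {" per line, "#" comments, repeated keys overwrite), and SAMPLE_CONF is constructed from the Sync block posted above.

```python
"""Preflight lint for conntrackd.conf: flag CommitTimeout used together with
DisableExternalCache On in a Sync Mode block (the EINVAL trigger in this thread).
Added example; the parser is a deliberately simplified reading of the config syntax."""
import re
from typing import Any, Dict, List

_BLOCK_OPEN = re.compile(r'^(.*?)\s*\{$')

def parse_conntrackd_conf(text: str) -> Dict[str, Any]:
    """Parse conntrackd.conf into nested dicts. 'Mode FTFW {' becomes the key
    'Mode FTFW'; 'Key Value' becomes key -> 'Value'; a bare token such as
    'TCP' becomes key -> None. Repeated keys (e.g. several IPv4_address
    lines) overwrite each other, which is fine for this check."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unbalanced closing brace')
            stack.pop()
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            block: Dict[str, Any] = {}
            stack[-1][m.group(1).strip()] = block
            stack.append(block)
            continue
        parts = line.split(None, 1)
        stack[-1][parts[0]] = parts[1].strip() if len(parts) == 2 else None
    if len(stack) != 1:
        raise ValueError('unbalanced opening brace')
    return root

def find_commit_timeout_conflict(conf: Dict[str, Any]) -> List[str]:
    """One finding per Sync 'Mode ...' block that sets DisableExternalCache On
    and also CommitTimeout; such a node injects malformed netlink messages
    (inject-add2/inject-upd1: Invalid argument) on conntrackd 1.4.4."""
    findings: List[str] = []
    for key, block in conf.get('Sync', {}).items():
        if not key.startswith('Mode ') or not isinstance(block, dict):
            continue
        disabled = str(block.get('DisableExternalCache', 'Off')).lower() == 'on'
        if disabled and 'CommitTimeout' in block:
            findings.append(f'{key}: CommitTimeout {block["CommitTimeout"]} set while '
                            'DisableExternalCache is On; remove CommitTimeout')
    return findings

# Constructed sample: the Sync block from the bug report, trimmed to the relevant keys.
SAMPLE_CONF = """\
Sync {
    Mode FTFW {
        DisableExternalCache On
        CommitTimeout 1800
        PurgeTimeout 5
    }
    UDP {
        IPv4_address 192.168.0.31
        Port 3780
    }
}
"""
```

Run the check over the real file with `find_commit_timeout_conflict(parse_conntrackd_conf(open('/etc/conntrackd/conntrackd.conf').read()))`; an empty list means the Sync block does not carry this combination.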
