From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Igor Neves <igor@3gnt.net>
Cc: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: conntrackd + mark problems
Date: Tue, 11 Nov 2008 16:04:02 +0100
Message-ID: <49199EE2.7020901@netfilter.org>
In-Reply-To: <491964D0.8030407@3gnt.net>
Igor Neves wrote:
> Pablo Neira Ayuso wrote:
>> Igor Neves wrote:
>>
>>> Hi,
>>>
>>> First of all, I would like to thank you for your great work.
>>>
>>> I have set up two firewalls with conntrackd on CentOS 5, and everything
>>> is OK and working as it should. By the way, I have used heartbeat as HA
>>> manager; for that I had to develop a conntrackd init script and one OCF
>>> script for heartbeat. Is there any interest in adding them to the tree?
>>>
>>
>> If they are generic enough to help others to set up heartbeat +
>> conntrackd, I'll be fine with it. Please, send them to me so I can check
>> them, and don't forget to add the corresponding credits.
>>
> Yes, they are generic, but I found one bug last night, I will correct
> and test everything, and mail them back to you.
OK, thank you Igor.
>>> I have just found one problem: on these 2 firewalls I need to set up
>>> "Policy Routing" and "Policy Shaper", but our solutions are based on
>>> marks.
>>>
>>> I noticed that when the backup firewall takes over the service (goes to
>>> primary) and the primary goes to state backup, the connmark connections
>>> move from one to the other without any problem, but they do not take the
>>> mark with them; it always inserts the rule in the new primary with "mark=0".
>>>
>>> Is this a configuration problem? A todo item? A bug?
>>>
>>
>> Looking at the archives, conntrack-tools >= 0.9.5 and Linux kernel >=
>> 2.6.20 support connmarking. Please, try to guess where the connmark is
>> getting lost:
>>
> Maybe this is the problem: CentOS 5 still uses 2.6.18 releases.
>> (in the primary) # conntrack -L # shows kernel table
>>
> # conntrack -L -d 10.0.0.72
> tcp 6 431979 ESTABLISHED src=192.168.1.1 dst=10.0.0.72 sport=38004
> dport=22 packets=11 bytes=1608 src=10.0.0.72 dst=10.0.0.55 sport=22
> dport=38004 packets=11 bytes=1987 [ASSURED] mark=12 use=1
>
> As you can see, there is the mark there.
>
>> (in the primary) # conntrackd -i # shows userspace cache
>>
> In the cache, I have the connection, but it does not say anything about
> marks.
>
> # conntrackd -i
> tcp 6 ESTABLISHED src=192.168.1.1 dst=10.0.0.72 sport=38005
> dport=22 packets=2 bytes=112 src=10.0.0.72 dst=10.0.0.55 sport=22
> dport=38005 packets=1 bytes=60 [ASSURED] [active since 2s]
You need to upgrade to a Linux kernel >= 2.6.19 to support connmarking.
The events do not include the connmark in earlier versions.
Alternatively, you may write your own patch to include connmark in event
messages; it should be straightforward (diff nf_conntrack_netlink.c between
2.6.18 and 2.6.19), although I don't know if you're a programmer.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
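A check for the step suggested in the thread (compare the kernel table with the userspace cache and see where the connmark goes missing), as an added example that is not part of the thread or of conntrack-tools: a POSIX shell script that parses entries in the `conntrack -L` and `conntrackd -i` formats shown above and reports flows whose non-zero kernel mark is absent from, or differs in, the cache. The sample entries are constructed, and the function names `tuples` and `lost_marks` are the script's own.

```shell
#!/bin/sh
# Constructed samples (not from the thread) in the formats shown above.
# Kernel table, `conntrack -L`: one flow marked 12, one unmarked.
KERNEL_TABLE='tcp 6 431979 ESTABLISHED src=192.168.1.1 dst=10.0.0.72 sport=38004 dport=22 packets=11 bytes=1608 src=10.0.0.72 dst=10.0.0.55 sport=22 dport=38004 packets=11 bytes=1987 [ASSURED] mark=12 use=1
tcp 6 431900 ESTABLISHED src=192.168.1.9 dst=10.0.0.72 sport=40001 dport=80 packets=4 bytes=300 src=10.0.0.72 dst=192.168.1.9 sport=80 dport=40001 packets=3 bytes=900 [ASSURED] mark=0 use=1'
# Userspace cache, `conntrackd -i`, as seen on a 2.6.18 kernel: no mark= field at all.
CACHE='tcp 6 ESTABLISHED src=192.168.1.1 dst=10.0.0.72 sport=38004 dport=22 packets=2 bytes=112 src=10.0.0.72 dst=10.0.0.55 sport=22 dport=38004 packets=1 bytes=60 [ASSURED] [active since 2s]
tcp 6 ESTABLISHED src=192.168.1.9 dst=10.0.0.72 sport=40001 dport=80 packets=1 bytes=60 src=10.0.0.72 dst=192.168.1.9 sport=80 dport=40001 packets=1 bytes=60 [ASSURED] [active since 5s]'

# Reduce each entry to "proto:src:dst:sport:dport mark", using the first
# src/dst/sport/dport seen (original direction); mark is "none" when absent.
tuples() {
  awk '{
    s = d = sp = dp = ""; mark = "none"
    for (i = 2; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "src" && s == "") s = kv[2]
      else if (kv[1] == "dst" && d == "") d = kv[2]
      else if (kv[1] == "sport" && sp == "") sp = kv[2]
      else if (kv[1] == "dport" && dp == "") dp = kv[2]
      else if (kv[1] == "mark") mark = kv[2]
    }
    print $1 ":" s ":" d ":" sp ":" dp, mark
  }'
}

# Report every flow whose kernel mark is non-zero but is absent from, or
# differs in, the cache. Empty output means the marks are being synchronised.
lost_marks() {
  {
    printf '%s\n' "$1" | tuples | sed 's/^/K /'
    printf '%s\n' "$2" | tuples | sed 's/^/C /'
  } | awk '
    $1 == "K" { kmark[$2] = $3; next }
    $1 == "C" { cmark[$2] = $3 }
    END {
      for (k in kmark) {
        if (kmark[k] == "0" || kmark[k] == "none") continue
        if (!(k in cmark)) print k, "kernel_mark=" kmark[k], "cache=absent"
        else if (cmark[k] != kmark[k]) print k, "kernel_mark=" kmark[k], "cache_mark=" cmark[k]
      }
    }' | sort
}

lost_marks "$KERNEL_TABLE" "$CACHE"
```

On a live pair, feed it `"$(conntrack -L)"` from the kernel and `"$(conntrackd -i)"` from the cache; a flow reported with `cache_mark=none` means the mark never reached the userspace cache, which is the symptom of the event messages on a pre-2.6.19 kernel.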