From: Pablo Neira Ayuso <pablo@netfilter.org>
To: yoann.juet@univ-nantes.fr
Cc: netfilter@vger.kernel.org
Subject: Re: Second failover failure with conntrackd - INVALID packets
Date: Sun, 25 Jan 2009 11:51:44 +0100
Message-ID: <497C4440.7050809@netfilter.org>
In-Reply-To: <4979BA72.50405@univ-nantes.fr>

Yoann Juet wrote:
>> That's another known problem of 0.9.6. Probably, you don't see EINVAL
>> but a message like "N entries can't be committed". I suggest you to
>> upgrade to latest. I'm about to release 0.9.10, using current would
>> make my life easier to provide you support.
>
> Well, I installed conntrack-tools 0.9.9 and libnetfilter_conntrack
> 0.0.99 on the cluster. No more "delayed packet" message or another
> warning or error message. Unfortunately, I get the same result when the
> second failover is triggered. Packets are denied due to INVALID state.

When the entries are created or updated, the flag
IP_CT_TCP_FLAG_BE_LIBERAL is set so that the window checks are
skipped; you should not get those "ACK/SEQ is under/over window"
messages. I don't have an answer for the problem that you're reporting
at this moment. I know that there are some bugs in the ctnetlink code of
2.6.26 that were fixed in the subsequent kernel releases, but I did not
know of any that affected the internal TCP flags set/unset. As this stuff
is under development, I suggest you use the latest Linux kernel; please
let me know if the problem persists.

> PS: the new configuration subblock "Filter from Kernelspace" in
> conntrackd.conf is not parsed correctly. I get an error message:
>
> "Error parsing config file: line (190), symbol 'from': syntax error"
>
> I have to delete it to make conntrackd start.

Filter From Kernelspace {
	Protocol Accept {
		TCP
	}
	Address Ignore {
		IPv4_address 127.0.0.1 # loopback
	}
}

It works fine here. Error reporting in the parsing is not very precise
yet; probably the problem is not in Filter but before it (something is
missing and the parser gets confused). Could you post your config file
to reproduce it? You can send it to me in private if you want.

--
"Los honestos son inadaptados sociales" -- Les Luthiers
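
Added example (not part of the original message, and not kernel or conntrackd code): a simplified C model of a conntrack-style TCP window check, showing the effect the message attributes to IP_CT_TCP_FLAG_BE_LIBERAL. The struct, the function names and all sequence numbers are constructed for illustration; only the flag name and its value 0x08 come from the kernel's nf_conntrack_tcp.h. It does not diagnose the failure reported in this thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP_CT_TCP_FLAG_BE_LIBERAL 0x08 /* value from the kernel's nf_conntrack_tcp.h */

/* Per-direction state, reduced to what this model needs (hypothetical struct). */
struct peer {
    uint32_t td_end;    /* highest seq + len seen from this peer */
    uint32_t td_maxend; /* highest seq the other side permits it to send */
    uint32_t td_maxwin; /* largest window this peer has advertised */
    uint8_t flags;
};

/* Wraparound-safe sequence number comparisons. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b) { return (int32_t)(b - a) < 0; }

/* true: segment accepted; false: segment would be classified INVALID. */
static bool segment_ok(const struct peer *snd, const struct peer *rcv,
                       uint32_t seq, uint32_t len, uint32_t ack)
{
    uint32_t end = seq + len;
    bool in_window =
        seq_before(seq, snd->td_maxend + 1) &&              /* not beyond upper bound */
        seq_after(end, snd->td_end - rcv->td_maxwin - 1) && /* not too old */
        seq_before(ack, rcv->td_end + 1);                   /* acks only sent data */

    if (in_window)
        return true;
    /* Out of window: only the liberal flag on the sender's side saves it. */
    return (snd->flags & IP_CT_TCP_FLAG_BE_LIBERAL) != 0;
}

/* Constructed failover case: the backup holds stale state for a flow
 * that kept moving on the primary, so the next segment is far ahead. */
static bool verdict_after_failover(uint8_t flags)
{
    struct peer client = { .td_end = 1000, .td_maxend = 6000, .td_maxwin = 5000, .flags = flags };
    struct peer server = { .td_end = 5000, .td_maxend = 10000, .td_maxwin = 5000, .flags = flags };
    return segment_ok(&client, &server, 50000, 1000, 90000);
}

int main(void)
{
    printf("strict:  %s\n", verdict_after_failover(0) ? "accepted" : "INVALID");
    printf("liberal: %s\n", verdict_after_failover(IP_CT_TCP_FLAG_BE_LIBERAL) ? "accepted" : "INVALID");
    return 0;
}
```
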