* conntrackd external cache does not contain NAT information
@ 2009-08-21 9:16 Egon Burgener
2009-08-21 14:28 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Egon Burgener @ 2009-08-21 9:16 UTC (permalink / raw)
To: netfilter
Hi
I am building a firewall with
kernel 2.6.29.6
iptables 2.4.4
conntrack-tools 0.9.13 (FTFW mode)
heartbeat version 1
conntrack synchronisation works fine except NAT traffic. If I do
conntrackd -i on the active node I see the NAT information in it:
tcp 6 ESTABLISHED src=192.168.12.20 dst=12.129.147.65 sport=2403
dport=80 src=12.129.147.65 dst=84.73.54.61 sport=80 dport=2403
[ASSURED] [active since 48s]
On the standby node I am missing the NAT information (conntrackd -e):
tcp 6 ESTABLISHED src=192.168.12.20 dst=12.129.147.65 sport=2403
dport=80 [ASSURED] [active since 91s]
Has anybody a hint?
Thx
Egon
--
-----------------------------------------------------------------------------------------
addr://Kasinostrasse 30, CH-5001 Aarau fon://++41 62 823 9355
http://www.terreactive.com fax://++41 62
823 9356
------------------------------------------------------------------------------------------
Wir sichern Ihren Erfolg. terreActive AG
------------------------------------------------------------------------------------------
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: conntrackd external cache does not contain NAT information
2009-08-21 9:16 conntrackd external cache does not contain NAT information Egon Burgener
@ 2009-08-21 14:28 ` Pablo Neira Ayuso
2009-08-25 11:39 ` Egon Burgener
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2009-08-21 14:28 UTC (permalink / raw)
To: Egon Burgener; +Cc: netfilter
Hi,
Egon Burgener wrote:
> Hi
>
> I am building a firewall with
> kernel 2.6.29.6
> iptables 2.4.4
> conntrack-tools 0.9.13 (FTFW mode)
> heartbeat version 1
>
> conntrack synchronisation works fine except NAT traffic. If I do
> conntrackd -i on the active node I see the NAT information in it:
>
> tcp 6 ESTABLISHED src=192.168.12.20 dst=12.129.147.65 sport=2403
> dport=80 src=12.129.147.65 dst=84.73.54.61 sport=80 dport=2403 [ASSURED]
> [active since 48s]
>
> On the standby node I am missing the NAT information (conntrackd -e):
>
> tcp 6 ESTABLISHED src=192.168.12.20 dst=12.129.147.65 sport=2403
> dport=80 [ASSURED] [active since 91s]
>
> Has anybody a hint?
The NAT information is there but not listed when you do `conntrackd -e'
but it's built during the commit phase that occurs when your HA manager
calls `conntrackd -c' (see the primary-backup.sh script).
You can verify this by invoking `conntrack -L' to see the result of the
commit. You should see the NAT information at that stage.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: conntrackd external cache does not contain NAT information
2009-08-21 14:28 ` Pablo Neira Ayuso
@ 2009-08-25 11:39 ` Egon Burgener
0 siblings, 0 replies; 3+ messages in thread
From: Egon Burgener @ 2009-08-25 11:39 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Hi Pablo
Yes, you are right. The NAT information is not displayed with
conntrackd -e but is there and gets pushed into the conntrack table
with conntrackd -c.
Therefore, my NAT sync problem is somewhere else. I have to debug
further.
Thanks for your assistance
Egon
On Aug 21, 2009, at 4:28 PM, Pablo Neira Ayuso wrote:
> Hi,
>
> Egon Burgener wrote:
>> Hi
>>
>> I am building a firewall with
>> kernel 2.6.29.6
>> iptables 2.4.4
>> conntrack-tools 0.9.13 (FTFW mode)
>> heartbeat version 1
>>
>> conntrack synchronisation works fine except NAT traffic. If I do
>> conntrackd -i on the active node I see the NAT information in it:
>>
>> tcp 6 ESTABLISHED src=192.168.12.20 dst=12.129.147.65 sport=2403
>> dport=80 src=12.129.147.65 dst=84.73.54.61 sport=80 dport=2403
>> [ASSURED]
>> [active since 48s]
>>
>> On the standby node I am missing the NAT information (conntrackd -e):
>>
>> tcp 6 ESTABLISHED src=192.168.12.20 dst=12.129.147.65 sport=2403
>> dport=80 [ASSURED] [active since 91s]
>>
>> Has anybody a hint?
>
> The NAT information is there but not listed when you do `conntrackd -
> e'
> but it's built during the commit phase that occurs when your HA
> manager
> calls `conntrackd -c' (see the primary-backup.sh script).
>
> You can verify this by invoking `conntrack -L' to see the result of
> the
> commit. You should see the NAT information at that stage.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter"
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
-----------------------------------------------------------------------------------------
addr://Kasinostrasse 30, CH-5001 Aarau fon://++41 62 823 9355
http://www.terreactive.com fax://++41 62
823 9356
------------------------------------------------------------------------------------------
Wir sichern Ihren Erfolg. terreActive AG
------------------------------------------------------------------------------------------
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-08-25 11:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-21 9:16 conntrackd external cache does not contain NAT information Egon Burgener
2009-08-21 14:28 ` Pablo Neira Ayuso
2009-08-25 11:39 ` Egon Burgener
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.