From: Kerin Millar <kerframil@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: Conntrackd entries timing out
Date: Sun, 04 Mar 2012 05:03:20 +0000	[thread overview]
Message-ID: <jiut2p$t3m$1@dough.gmane.org> (raw)
In-Reply-To: <4ECE7F12.6080004@opendium.com>

On 24/11/2011 17:29, Steve Hill wrote:
>
> I'm configuring conntrackd to support an active/active pair of
> firewalls. I would like to keep them as synchronised as possible so am
> setting it up with FTFW mode and "DisableExternalCache On".
>
> I'm monitoring the connection tracker records on both hosts with
> "conntrack -L".
>
> If I send a single ping to something from firewall A, I correctly see
> the conntrack entry appear for that on both firewalls. Since I only
> sent 1 ping, I see the timer on both ticking down from 30 seconds, after
> which the entry disappears from both firewalls - this bit seems fine.
>
> The problem I'm having is if I start a continuous ping from firewall A,
> sending 1 packet per second, I again see the conntrack entry appear on
> both firewalls as expected. However, whilst firewall A shows the timer
> sat at 30 seconds since it is regularly being reset by each packet,
> firewall B's connection again ticks down and is then removed. So now,
> the conntrack tables are unsynchronised - firewall A is still seeing the
> pings and keeps the conntrack entry alive whilst firewall B has removed
> the entry.
>
> If I turn the external cache on and monitor it with "conntrackd -e", it
> appears to behave correctly - the entry stays in the external cache so
> long as it is in firewall A's conntrack table.
>
> The only way I've found of keeping these machines correctly synchronised
> with the external cache disabled is to run "conntrackd -n" every few
> seconds on both hosts to force a resynchronisation, which does appear to
> reset the timers correctly.
>
> So I'm hoping someone is able to answer these questions:
> 1. Is this a bug or is there something I'm missing about the way it is
> expected to work?
> 2. Is running "conntrackd -n" on both machines every few seconds a safe
> and feasible workaround, or am I asking for trouble?

You could use conntrack -E -p icmp to monitor the propagated events in 
both cases. That is, with and without the external cache active. In my 
case, I use the external cache and the lifecycle of the ICMP state is as 
thus:-

[NEW] src=x.x.x.x  dst=8.8.8.8 type=8 code=0 id=9243 [UNREPLIED]
       dst=196.34.134.87 type=0 code=0 id=9243

[UPDATE] src=x.x.x.x dst=8.8.8.8 type=8 code=0 id=9243
          src=8.8.8.8 dst=x.x.x.x type=0 code=0 id=9243

Eventually, after terminating ping ...

[DESTROY] src=x.x.x.x dst=8.8.8.8 type=8 code=0 id=9243 src=8.8.8.8
           dst=x.x.x.x type=0 code=0 id=9243

Observing the behaviour where the cache is not active might help shed 
some light on the situation.

Cheers,

--Kerin
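The comparison Kerin suggests (watching `conntrack -E -p icmp` on both firewalls and seeing which host still UPDATEs a flow while the other has DESTROYed it) can be done mechanically. The following is an added example, not code from this thread; the two event streams are constructed in the shape of the lines quoted above (addresses, ids and the `icmp 1 30` prefix are made up), and a real run would feed each host's captured event log in instead.

```python
import re

# Constructed sample streams in the shape printed by `conntrack -E -p icmp`
# (addresses and ids are made up). Host A keeps the flow alive with UPDATE
# events; host B lets the same flow time out and emits DESTROY.
FW_A_EVENTS = """\
[NEW] icmp 1 30 src=10.0.0.2 dst=8.8.8.8 type=8 code=0 id=9243 [UNREPLIED] src=8.8.8.8 dst=10.0.0.2 type=0 code=0 id=9243
[UPDATE] icmp 1 30 src=10.0.0.2 dst=8.8.8.8 type=8 code=0 id=9243 src=8.8.8.8 dst=10.0.0.2 type=0 code=0 id=9243
[UPDATE] icmp 1 30 src=10.0.0.2 dst=8.8.8.8 type=8 code=0 id=9243 src=8.8.8.8 dst=10.0.0.2 type=0 code=0 id=9243
"""
FW_B_EVENTS = """\
[NEW] icmp 1 30 src=10.0.0.2 dst=8.8.8.8 type=8 code=0 id=9243 [UNREPLIED] src=8.8.8.8 dst=10.0.0.2 type=0 code=0 id=9243
[UPDATE] icmp 1 30 src=10.0.0.2 dst=8.8.8.8 type=8 code=0 id=9243 src=8.8.8.8 dst=10.0.0.2 type=0 code=0 id=9243
[DESTROY] icmp 1 src=10.0.0.2 dst=8.8.8.8 type=8 code=0 id=9243 src=8.8.8.8 dst=10.0.0.2 type=0 code=0 id=9243
"""

EVENT_RE = re.compile(r"^\[(NEW|UPDATE|DESTROY)\]\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
LIVE = {"NEW", "UPDATE"}  # last event types that mean "entry still present"

def parse_events(text):
    """Yield (event, flow_key); flow_key is the original-direction tuple,
    i.e. the first src/dst/type/id on the line (the reply tuple follows)."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        event, rest = m.groups()
        first = {}
        for k, v in KV_RE.findall(rest):
            first.setdefault(k, v)  # keep only the first occurrence per key
        yield event, (first["src"], first["dst"], first["type"], first["id"])

def final_state(text):
    """Replay one host's event stream; map each flow to its last seen event."""
    state = {}
    for event, key in parse_events(text):
        state[key] = event
    return state

def find_desync(a_text, b_text):
    """Flows live on one host but destroyed or never seen on the other,
    which is exactly the symptom described in this thread."""
    a, b = final_state(a_text), final_state(b_text)
    mismatched = []
    for key in set(a) | set(b):
        sa, sb = a.get(key, "ABSENT"), b.get(key, "ABSENT")
        if (sa in LIVE) != (sb in LIVE):
            mismatched.append((key, sa, sb))
    return sorted(mismatched)
```

Running `find_desync` over the two constructed streams reports the ping flow as UPDATE on host A but DESTROY on host B; an empty list means both hosts agree on which entries are still alive.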

