From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Marco <listaddr@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrackd questions
Date: Tue, 19 Feb 2013 20:52:37 +0100 [thread overview]
Message-ID: <20130219195237.GA3208@localhost> (raw)
In-Reply-To: <CAHPDOiHUU+4qXB3iz6_6ZKOBRg8beBL_7SHC8c4zULw1vJ2CnA@mail.gmail.com>
Hi Marco,
On Tue, Feb 19, 2013 at 03:18:09PM +0100, Marco wrote:
> I'm setting up a virtual environment to test conntrackd in an
> active/backup configuration using FTFW. While it mostly works fine,
> I'm seeing some issues and I don't know whether they are expected or
> not.
> I'm using keepalived to handle the VIPs, and the provided
> primary-backup.sh script to manage conntrackd cache synchronization.
>
> This is my setup:
>
>
> external VIP: 10.0.0.200
> eth0 (.201) eth0 (.202)
> +-----+ +-----+
> | FW1 | | FW2 |
> +-----+ +-----+
> eth1 (.2) eth1 (.3)
> internal VIP: 192.168.1.1
>
>
> +--------+
> | client |
> +--------+
>
>
> Both firewalls are configured to perform SNAT --to-source 10.0.0.200
> for the traffic coming from the client.
>
> The client generates traffic continuously with this simple script:
>
> while true; do
> for i in www.site1.com www.site2.com www.site3.com www.site4.com
> www.site5.com www.site6.com; do
> wget -O/dev/null http://$i
> done
> done
>
> To do failover, I stop keepalived on FW1 so FW2 becomes active. To do
> failback, I restart it so FW1 is again the active.
>
> What happens is that sometimes (apparently randomly) the client's wget
> gets stuck after a failover or a failback, and does not even time out;
> I have to stop it with ctrl-c.
>
> Here are my configuration files:
>
> keepalived.conf on FW1:
>
> vrrp_sync_group G1 { # must be before vrrp_instance declaration
> group {
> E1
> I1
> }
> notify_master "/etc/conntrackd/primary-backup.sh primary"
> notify_backup "/etc/conntrackd/primary-backup.sh backup"
> notify_fault "/etc/conntrackd/primary-backup.sh fault"
> }
>
> vrrp_instance E1 {
> interface eth0
> state MASTER
> virtual_router_id 61
> priority 100
> advert_int 1
> authentication {
> auth_type PASS
> auth_pass papas_con_tomate
> }
> virtual_ipaddress {
> 10.0.0.200/24 dev eth0
> }
> }
>
> vrrp_instance I1 {
> interface eth1
> state MASTER
> virtual_router_id 62
> priority 100
> advert_int 1
> authentication {
> auth_type PASS
> auth_pass papas_con_tomate
> }
> virtual_ipaddress {
> 192.168.1.1/24 dev eth1
> }
> }
>
> On fw2, it's the same but with state BACKUP and priority 50.
>
> conntrackd.conf on FW1 (for simplicity, I'm not using a dedicated
> link for now):
>
> Sync {
> Mode FTFW {
> DisableExternalCache Off
> }
> Multicast {
> IPv4_address 225.0.0.50
> Group 3780
> IPv4_interface 192.168.1.2
> Interface eth1
> SndSocketBuffer 1249280
> RcvSocketBuffer 1249280
> Checksum on
> }
> }
> General {
> Nice -20
> HashSize 32768
> HashLimit 131072
> LogFile on
> Syslog on
> LockFile /var/lock/conntrack.lock
> UNIX {
> Path /var/run/conntrackd.ctl
> Backlog 20
> }
> NetlinkBufferSize 2097152
> NetlinkBufferSizeMaxGrowth 8388608
> Filter From Userspace {
> Protocol Accept {
> TCP
> UDP
> ICMP # This requires a Linux kernel >= 2.6.31
> }
> Address Ignore {
> IPv4_address 127.0.0.1 # loopback
> IPv4_address 10.0.0.202
> IPv4_address 10.0.0.200
> IPv4_address 192.168.1.2
> IPv4_address 192.168.1.1
> }
> }
> }
> on FW2:
>
> Sync {
> Mode FTFW {
> DisableExternalCache Off
> }
> Multicast {
> IPv4_address 225.0.0.50
> Group 3780
> IPv4_interface 192.168.1.3
> Interface eth1
> SndSocketBuffer 1249280
> RcvSocketBuffer 1249280
> Checksum on
> }
> }
> General {
> Nice -20
> HashSize 32768
> HashLimit 131072
> LogFile on
> Syslog on
> LockFile /var/lock/conntrack.lock
> UNIX {
> Path /var/run/conntrackd.ctl
> Backlog 20
> }
> NetlinkBufferSize 2097152
> NetlinkBufferSizeMaxGrowth 8388608
> Filter From Userspace {
> Protocol Accept {
> TCP
> UDP
> ICMP # This requires a Linux kernel >= 2.6.31
> }
> Address Ignore {
> IPv4_address 127.0.0.1 # loopback
> IPv4_address 10.0.0.203
> IPv4_address 10.0.0.200
> IPv4_address 192.168.1.3
> IPv4_address 192.168.1.1
> }
> }
> }
>
>
> Thanks in advance for any help.
There are several things that you can check to troubleshoot
conntrackd:
1) Log files: /var/log/conntrackd.log and /var/log/keepalived.log
2) See if entries are actually synchronized via `conntrackd -i' and
`conntrackd -e' and other statistics.
3) echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid, to
see if the connection tracking system is marking packets as invalid.
I also suggest you to read the official documentation:
http://conntrack-tools.netfilter.org/manual.html
Regards.
next prev parent reply other threads:[~2013-02-19 19:52 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-19 14:18 conntrackd questions Marco
2013-02-19 19:52 ` Pablo Neira Ayuso [this message]
2013-02-21 10:14 ` Marco
2013-02-21 12:23 ` Marco
2013-02-21 18:37 ` Pablo Neira Ayuso
2013-02-22 10:12 ` Marco
2013-02-25 15:45 ` Pablo Neira Ayuso
2013-03-06 10:54 ` Marco
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130219195237.GA3208@localhost \
--to=pablo@netfilter.org \
--cc=listaddr@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox