conntrackd synchronisation at startup

conntrackd synchronisation at startup

[Christophe Painchaud]

Hello,

  I managed to create a cluster of 2 firewalls that share their  
conntrack tables ; but I've got a little problem/question:

  When I restart a node to simulate a failure, it won't request  
existing connections, it will only get news ones. I am forced to do a  
'conntrackd -n' to resync it all. I tried to start conntrackd with  
'conntrackd -d -n' or 'conntrackd -dn' . No success here. Is there a  
proper way to do this ? should I create a startup script that run -d  
command line, and then -n ?


Thank you in advance for your replies (and this great piece of software!)

Regards,

-- 
Christophe Painchaud
email: dash@ionblast.net
jabber: dash@im.ionblast.net


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Re: conntrackd synchronisation at startup

[Pablo Neira Ayuso]

Christophe Painchaud wrote:
> Hello,
> 
>  I managed to create a cluster of 2 firewalls that share their conntrack
> tables ; but I've got a little problem/question:
> 
>  When I restart a node to simulate a failure, it won't request existing
> connections, it will only get news ones. I am forced to do a 'conntrackd
> -n' to resync it all. I tried to start conntrackd with 'conntrackd -d
> -n' or 'conntrackd -dn' . No success here. Is there a proper way to do
> this ? should I create a startup script that run -d command line, and
> then -n ?

conntrackd does do this by itself, it needs the help of a failure
detector manager, eg. keepalived. You have to include the conntrackd -n
in your scripts when the node hits backup state. Have a look at the doc/
directory inside the conntrack-tools.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers