From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Simone Zaffalon <zaffa@zaffa.it>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrackd: failover problems
Date: Thu, 06 Jan 2011 04:16:38 +0100 [thread overview]
Message-ID: <4D253416.7030004@netfilter.org> (raw)
In-Reply-To: <AANLkTik9OORTJp2qfVV4S42m7KGVGG+xBDB7c=T2sH0J@mail.gmail.com>
On 04/01/11 11:06, Simone Zaffalon wrote:
> Hi Pablo.
> I managed to do some more testing, and maybe i found my problem.
> With conntrack running, i took for granted that every tcp connection
> would be tracked and resumed.
> So, as i said in my first email, i didn't set up any iptables rules
> (except one for snat).
>
> With this configuration conntrackd does'nt work. Then i tried some
> iptables rules like the ones in
> http://conntrack-tools.netfilter.org/testcase.html
> and things started working.
> Please, to be crystal clear on that, can you confirm that when you say in manual
>
> "
> ...
> 3) A well-formed stateful rule-set. Otherwise you are likely to
> experience problems during the fail-over. An example of a well-formed
> stateful iptables rule-set is available in the conntrack-tools
> website.
> ...
> "
>
> you mean : "To ensure that conntrackd work correctly you must have a
> set of iptables rules with state tracking enabled" ?
> If so that's great, i found my problem.
Yes. Otherwise you trigger the following problem that can be reproduced
it if you don't use a well-formed stateful rule-set, with the following
steps:
1) you create the tcp connection between two peers A -> B, given the
following configuration A -> FW -> B. We assume NAT enabled, as in your
case.
2) you trigger the failover
3) the flow entries were not committed yet but B sends a reply packet.
The firewall receives it and it finds no flow information to undo the
NAT handling, thus it considers that it's a packet for itself and it
passes it to its local stack. This results in a tcp rst that the
firewall delivers to B.
If you have the appropriate rule-set, the firewall drops invalid
requests. Thus, if B sends a packet to the firewall and the flow
information is not present yet, then it drops the packet. B will resend
and the firewall will find the flow information to undo the NAT.
prev parent reply other threads:[~2011-01-06 3:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-27 14:50 conntrackd: failover problems Simone Zaffalon
2010-12-28 16:59 ` Pablo Neira Ayuso
2010-12-29 11:40 ` Simone Zaffalon
2010-12-29 14:46 ` Pablo Neira Ayuso
2010-12-29 15:10 ` limiting not working for individual IPs J Webster
2011-01-04 10:06 ` conntrackd: failover problems Simone Zaffalon
2011-01-06 3:16 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D253416.7030004@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter@vger.kernel.org \
--cc=zaffa@zaffa.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox