Linux Netfilter discussions
From: "Dirk H. Schulz" <dirk.schulz@kinzesberg.de>
To: netfilter@vger.kernel.org
Subject: conntrackd working, but netfilter not impressed
Date: Mon, 11 Aug 2008 12:50:46 +0200	[thread overview]
Message-ID: <BD9F23BEBBF883939AE367D6@Dirks-MacBook-Pro.local> (raw)

Hi folks,

I am in the process of setting up a redundant router/firewall cluster. That 
means: 2 routers, connected to 2 upstream routers, using OSPFv2 for 
routing. OS is Centos 5.2.

Both also have firewalls configured. Since I am using OSPF I cannot 
perfectly avoid asynchronous routing, so I have installed conntrack-tools to 
synchronize the connection tracking tables of the firewalls.

conntrackd seems to work fine - using "conntrackd -e" I can see entries 
having been synchronized over from the other router - and vice versa.

But testing it practically it fails nonetheless. This is what I tested:

1. Ping from a server to the outside (internet).
2. I can see the ping packets leave via router2 and the answer come back in 
via router1.
3. conntrackd -e on router1 shows exactly this connection, so it has been 
replicated from router2 to router1
4. netfilter on router1 blocks the incoming packets as being new (I check 
that via log prefixes)

That looks like conntrackd is sync'ing over the connection table entries, 
but not writing them into the kernel's connection tracking table. I have 
set "CacheWriteThrough" to "on" to achieve that. The logs do not show 
anything at all (just the startup messages).

Googling for "active-active" setup of conntrackd shows some hints on special 
configuration this setup needs, but the documentation does not list any.

So I am stuck. Any help or hint is appreciated. Here is my setup:
> Sync {
> 	Mode FTFW {
> 		ResendBufferSize 262144
> 		CommitTimeout 180
> 		ACKWindowSize 20
> 	}
> 	Multicast {
> 		IPv4_address 225.0.0.50
> 		IPv4_address ROUTERLINKADDRESS
> 		Interface eth1
> 		Group 3780
> 	}
> 	Checksum on
> 	CacheWriteThrough On
> }
> General {
> 	HashSize 8192
> 	HashLimit 65535
> 	LogFile /var/log/conntrackd.log
> 	Syslog on
> 	LockFile /var/lock/conntrack.lock
> 	UNIX {
> 		Path /tmp/sync.sock
> 		Backlog 20
> 	}
> 	SocketBufferSize 262142
> 	SocketBufferSizeMaxGrown 655355
> }
> IgnoreTrafficFor {
> 	IPv4_address INTERROUTERINTERFACE
> 	IPv4_address EXTERNALINTERFACE
> 	IPv4_address INTERNALINTERFACE1
> 	IPv4_address INTERNALINTERFACE2
> 	IPv4_address INTERNALVIRTUALIP
> }
>
> IgnoreProtocol {
> 	IGMP
> 	VRRP
> }



Dirk
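Added example, not part of Dirk's post: a POSIX shell check for the gap between step 3 and step 4 above, comparing a `conntrackd -e` dump with a `conntrack -L` dump to list flows that were replicated into the external cache but never committed to the kernel's table. It assumes both dumps use libnetfilter_conntrack's one-line format; the sample dumps are constructed.

```shell
#!/bin/sh
# Diagnostic for the symptom above: flows that `conntrackd -e` shows in the
# external cache but `conntrack -L` does not show in the kernel table.
# Assumption: both dumps use libnetfilter_conntrack's one-line format
# (protocol name first, then src=/dst=/sport=/dport= or id= of the
# original direction, followed by the same fields for the reply direction).

# Reduce each dump line to a key for its original-direction tuple.
tuple_key() {
    awk '{
        proto = $1; key = ""
        for (i = 2; i <= NF; i++) {
            # a second src= field starts the reply direction: stop there
            if ($i ~ /^src=/ && key != "") break
            if ($i ~ /^(src|dst|sport|dport|id)=/) key = key " " $i
        }
        if (key != "") print proto key
    }' "$1"
}

# Print keys present in the external cache dump ($1) but absent from the
# kernel table dump ($2): replicated by conntrackd, never committed.
missing_in_kernel() {
    ext_keys=$(mktemp) kern_keys=$(mktemp)
    tuple_key "$1" | sort -u > "$ext_keys"
    tuple_key "$2" | sort -u > "$kern_keys"
    comm -23 "$ext_keys" "$kern_keys"
    rm -f "$ext_keys" "$kern_keys"
}

# Constructed sample dumps standing in for `conntrackd -e` and `conntrack -L`
# on router1: the ICMP echo replicated from router2 exists in the cache only.
run_demo() {
    ext=$(mktemp) kern=$(mktemp)
    cat > "$ext" <<'EOF'
icmp     1 29 src=10.1.1.10 dst=198.51.100.7 type=8 code=0 id=4321 src=198.51.100.7 dst=10.1.1.10 type=0 code=0 id=4321 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.20 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=10.1.1.20 sport=443 dport=40000 [ASSURED] mark=0 use=1
EOF
    cat > "$kern" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.1.1.20 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=10.1.1.20 sport=443 dport=40000 [ASSURED] mark=0 use=1
EOF
    missing_in_kernel "$ext" "$kern"
    rm -f "$ext" "$kern"
}
```

On a live router, replace the constructed files with `conntrackd -e > /tmp/ext.txt` and `conntrack -L > /tmp/kern.txt`; any key printed is a flow the sync delivered but the kernel will still treat as NEW.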

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-08-11 10:50 Dirk H. Schulz [this message]
     [not found] ` <200808111322.58469.misch@multinet.de>
2008-08-11 12:23   ` conntrackd working, but netfilter not impressed Dirk H. Schulz
2008-08-12 11:40     ` Pablo Neira Ayuso
2008-08-12 20:20       ` Dirk H. Schulz
2008-08-13 15:51         ` Pablo Neira Ayuso