<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The conntrack-tools user manual</title><link rel="stylesheet" type="text/css" href="docbook.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="book" title="The conntrack-tools user manual"><div class="titlepage"><div><div><h1 class="title"><a id="conntrack-tools-how-to"></a>The conntrack-tools user manual</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Pablo</span> <span class="surname">Neira Ayuso</span></h3><div class="affiliation"><div class="address"><p><br />
<code class="email">&lt;<a class="email" href="mailto:pablo@netfilter.org">pablo@netfilter.org</a>&gt;</code><br />
</p></div></div></div></div></div><div><p class="releaseinfo">
This document details how to install and configure the
<a class="ulink" href="http://conntrack-tools.netfilter.org" target="_top">conntrack-tools</a>
&gt;= 1.4.0. This document will evolve in the future to cover new features
and changes.</p></div><div><p class="copyright">Copyright © 2008-2012 Pablo Neira Ayuso</p></div><div><div class="legalnotice" title="Legal Notice"><a id="idp1019616"></a><p>
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
</p></div></div></div><hr /></div>
<div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dt><span class="chapter"><a href="#what">2. What are the conntrack-tools?</a></span></dt><dt><span class="chapter"><a href="#requirements">3. Requirements</a></span></dt><dt><span class="chapter"><a href="#Installation">4. Installation</a></span></dt><dt><span class="chapter"><a href="#conntrack">5. Using conntrack: the command line interface</a></span></dt><dt><span class="chapter"><a href="#settingup">6. Setting up conntrackd: the daemon</a></span></dt><dd><dl><dt><span class="sect1"><a href="#sync">State table synchronization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#sync-requirements">Requirements</a></span></dt><dt><span class="sect2"><a href="#sync-configure">Configuring the daemon</a></span></dt><dt><span class="sect2"><a href="#sync-pb">Active-Backup setup</a></span></dt><dt><span class="sect2"><a href="#sync-aa">Active-Active setup</a></span></dt><dt><span class="sect2"><a href="#sync-launch">Launching conntrackd</a></span></dt><dt><span class="sect2"><a href="#sync-options">Other configuration options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#helpers">User-space helpers</a></span></dt><dt><span class="sect1"><a href="#sync-trouble">Troubleshooting</a></span></dt></dl></dd></dl></div>
<div class="chapter" title="Chapter 1. Introduction"><div class="titlepage"><div><div><h2 class="title"><a id="introduction"></a>Chapter 1. Introduction</h2></div></div></div>
<p>This document should be a kick-off point to install and configure the
<a class="ulink" href="http://conntrack-tools.netfilter.org" target="_top">conntrack-tools</a>.
If you find any error or imprecision in this document, please send an email
to the author; it will be appreciated.</p>
<p>In this document, the author assumes that the reader is familiar with firewalling concepts and iptables in general. If this is not your case, I suggest that you read the iptables documentation before going ahead. Moreover, the reader must also understand the difference between <span class="emphasis"><em>stateful</em></span> and <span class="emphasis"><em>stateless</em></span> firewalls. If this is not your case, I strongly suggest that you read the article <a class="ulink" href="http://people.netfilter.org/pablo/docs/login.pdf" target="_top">Netfilter's Connection Tracking System</a> published in <span class="emphasis"><em>:login; the USENIX magazine</em></span>. That document contains a general description that should help to clarify the concepts.</p>
<p>If you do not fulfill the previous requirements, this documentation is likely to be a source of frustration. You probably wonder why I'm insisting so much on these prerequisites; the fact is that if your iptables rule-set is <span class="emphasis"><em>stateless</em></span>, it is very likely that the <span class="emphasis"><em>conntrack-tools</em></span> will not be of any help to you. You have been warned!</p></div>
<div class="chapter" title="Chapter 2. What are the conntrack-tools?"><div class="titlepage"><div><div><h2 class="title"><a id="what"></a>Chapter 2. What are the conntrack-tools?</h2></div></div></div>
<p>The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators to interact, from user-space, with the in-kernel <a class="ulink" href="http://people.netfilter.org/pablo/docs/login.pdf" target="_top">Connection Tracking System</a>, which is the module that enables stateful packet inspection for iptables. You may not have heard about this module so far.
However, if any of the rules of your rule-set use the <span class="emphasis"><em>state</em></span> or <span class="emphasis"><em>ctstate</em></span> iptables matches, you are indeed using it.
</p>
<p>The <a class="ulink" href="http://conntrack-tools.netfilter.org" target="_top">conntrack-tools</a> package contains two programs:</p>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>conntrack</em></span> is the command line interface. It provides a more flexible interface to the connection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events.</p></li><li class="listitem"><p><span class="emphasis"><em>conntrackd</em></span> is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls, but you can also use it to collect flow-based statistics of the firewall use.</p></li></ul></div>
<p>Although the names of both tools are very similar - and you can blame me for that, I'm not a marketing guy - they are used for very different tasks.</p></div>
<div class="chapter" title="Chapter 3. Requirements"><div class="titlepage"><div><div><h2 class="title"><a id="requirements"></a>Chapter 3. Requirements</h2></div></div></div>
<p>You have to install the following software in order to get the <span class="emphasis"><em>conntrack-tools</em></span> working.
Make sure that you have installed them correctly before going ahead:</p>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="ulink" href="http://www.kernel.org" target="_top">Linux kernel</a> version &gt;= 2.6.18 that, at least, has support for:</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>Connection Tracking System.</p><div class="itemizedlist"><ul class="itemizedlist" type="square"><li class="listitem"><p>CONFIG_NF_CONNTRACK=m</p></li><li class="listitem"><p>CONFIG_NF_CONNTRACK_IPV4=m</p></li><li class="listitem"><p>CONFIG_NF_CONNTRACK_IPV6=m (if your setup supports IPv6)</p></li></ul></div></li><li class="listitem"><p>nfnetlink: the generic messaging interface for Netfilter.</p><div class="itemizedlist"><ul class="itemizedlist" type="square"><li class="listitem"><p>CONFIG_NETFILTER_NETLINK=m</p></li></ul></div></li><li class="listitem"><p>nf_conntrack_netlink: the messaging interface for the Connection Tracking System.</p><div class="itemizedlist"><ul class="itemizedlist" type="square"><li class="listitem"><p>CONFIG_NF_CT_NETLINK=m</p></li></ul></div></li><li class="listitem"><p>connection tracking event notification API: the flow-based event notification interface.</p><div class="itemizedlist"><ul class="itemizedlist" type="square"><li class="listitem"><p>CONFIG_NF_CONNTRACK_EVENTS=y</p></li></ul></div></li></ul></div>
<div class="note" title="Verifying kernel support" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Verifying kernel support"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Verifying kernel support</th></tr><tr><td align="left" valign="top"><p>
Make sure you have loaded <span class="emphasis"><em>nf_conntrack</em></span>, <span class="emphasis"><em>nf_conntrack_ipv4</em></span> (if your setup also supports IPv6, <span class="emphasis"><em>nf_conntrack_ipv6</em></span>) and <span class="emphasis"><em>nf_conntrack_netlink</em></span>.
</p></td></tr></table></div></li><li class="listitem"><p>libnfnetlink: the netfilter netlink library; use the official release available at <a class="ulink" href="http://www.netfilter.org" target="_top">netfilter.org</a></p></li><li class="listitem"><p>libnetfilter_conntrack: the netfilter connection tracking library; use the official release available at <a class="ulink" href="http://www.netfilter.org" target="_top">netfilter.org</a></p></li></ul></div></div>
<div class="chapter" title="Chapter 4. Installation"><div class="titlepage"><div><div><h2 class="title"><a id="Installation"></a>Chapter 4. Installation</h2></div></div></div>
<p>To compile and install the <span class="emphasis"><em>conntrack-tools</em></span> run the following commands:</p>
<pre class="programlisting">
(non-root)$ tar xvjf conntrack-tools-x.x.x.tar.bz2
(non-root)$ cd conntrack-tools-x.x.x
(non-root)$ ./configure --prefix=/usr
(non-root)$ make
(root) # make install</pre>
<div class="note" title="Fedora Users" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Fedora Users"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Fedora Users</th></tr><tr><td align="left" valign="top"><p>If you are installing the libraries in /usr/local/, do not forget to do the following things:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>PKG_CONFIG_PATH=/usr/local/lib/pkgconfig; export PKG_CONFIG_PATH</p></li><li class="listitem"><p>Add `/usr/local/lib' to your /etc/ld.so.conf file and run `ldconfig'</p></li></ul></div><p>Use `ldd' for troubleshooting, and read <a class="ulink" href="http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html" target="_top">this</a> for more information on how shared libraries work.</p></td></tr></table></div>
<div class="note" title="Verifying kernel support" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Verifying kernel support"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Verifying kernel support</th></tr><tr><td align="left" valign="top"><p>To check that the modules are enabled in the kernel, run <span class="emphasis"><em>`conntrack -E'</em></span> and generate traffic; you should see flow events reporting new connections and updates.
</p></td></tr></table></div></div>
<div class="chapter" title="Chapter 5. Using conntrack: the command line interface"><div class="titlepage"><div><div><h2 class="title"><a id="conntrack"></a>Chapter 5. Using conntrack: the command line interface</h2></div></div></div>
<p>The <span class="emphasis"><em>/proc/net/ip_conntrack</em></span> interface is very limited as it only allows you to display the existing flows, their state and other information:</p>
<pre class="programlisting">
# cat /proc/net/ip_conntrack
tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1
tcp      6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1
</pre>
<p>The command line tool <span class="emphasis"><em>conntrack</em></span> can be used to display the same information:</p>
<pre class="programlisting">
# conntrack -L
tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1
tcp      6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1
conntrack v0.9.7 (conntrack-tools): 2 flow entries have been shown.
</pre>
<p>You can natively filter the output without using <span class="emphasis"><em>grep</em></span> (the filter below selects the first entry shown above by its original-direction source port):</p>
<pre class="programlisting">
# conntrack -L -p tcp --sport 34846
tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1
conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown.
</pre>
<p>Update the mark of the entries that match a selection; this allows you to change the mark of an entry without using the CONNMARK target:</p>
<pre class="programlisting">
# conntrack -U -p tcp --sport 34846 --mark 10
tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=10 secmark=0 use=1
conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated.
</pre>
<p>Delete one entry; this can be used to block traffic if:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>You have a stateful rule-set that blocks traffic in INVALID state.</p></li><li class="listitem"><p>You have set <span class="emphasis"><em>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</em></span> or <span class="emphasis"><em>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</em></span>, depending on your kernel version, to zero.</p></li></ul></div>
<pre class="programlisting">
# conntrack -D -p tcp --sport 34846
tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=10 secmark=0 use=1
conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted.
</pre>
<p>Display the connection tracking events:</p>
<pre class="programlisting">
# conntrack -E
    [NEW] udp      17 30 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 [UNREPLIED] src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767
 [UPDATE] udp      17 29 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767
    [NEW] tcp      6 120 SYN_SENT src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 [UNREPLIED] src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 [ASSURED]
</pre>
<p>You can also display the existing flows in XML format, filter the output based on the NAT handling applied, etc.</p></div>
<div class="chapter" title="Chapter 6. Setting up conntrackd: the daemon"><div class="titlepage"><div><div><h2 class="title"><a id="settingup"></a>Chapter 6. Setting up conntrackd: the daemon</h2></div></div></div>
<div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="sect1"><a href="#sync">State table synchronization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#sync-requirements">Requirements</a></span></dt><dt><span class="sect2"><a href="#sync-configure">Configuring the daemon</a></span></dt><dt><span class="sect2"><a href="#sync-pb">Active-Backup setup</a></span></dt><dt><span class="sect2"><a href="#sync-aa">Active-Active setup</a></span></dt><dt><span class="sect2"><a href="#sync-launch">Launching conntrackd</a></span></dt><dt><span class="sect2"><a href="#sync-options">Other configuration options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#helpers">User-space helpers</a></span></dt><dt><span class="sect1"><a href="#sync-trouble">Troubleshooting</a></span></dt></dl></div>
<p>The daemon <span class="emphasis"><em>conntrackd</em></span> supports two working modes:</p>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>State table synchronization</em></span>: the daemon can be used to synchronize the connection tracking state table between several firewall replicas. This can be used to deploy fault-tolerant stateful firewalls. This is the main feature of the daemon.</p></li><li class="listitem"><p><span class="emphasis"><em>Flow-based statistics collection</em></span>: the daemon can be used to collect flow-based statistics.
This feature is similar to what <a class="ulink" href="http://www.netfilter.org/projects/ulogd/" target="_top">ulogd-2.x</a> provides.</p></li></ul></div>
<div class="sect1" title="State table synchronization"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sync"></a>State table synchronization</h2></div></div></div>
<div class="sect2" title="Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="sync-requirements"></a>Requirements</h3></div></div></div>
<p>In order to get <span class="emphasis"><em>conntrackd</em></span> working in synchronization mode, you have to fulfill the following requirements:</p>
<div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>A <span class="emphasis"><em>high availability manager</em></span> like <a class="ulink" href="http://www.keepalived.org" target="_top">keepalived</a> that manages the virtual IPs of the
firewall cluster, detects errors, and decides when to migrate the virtual IPs
from one firewall replica to another. Without it, <span class="emphasis"><em>conntrackd</em></span> will not work appropriately.</p><p>The state synchronization setup requires a working installation of <a class="ulink" href="http://www.keepalived.org" target="_top">keepalived</a>, preferably a recent version. Check if your distribution comes with a recent packaged version. Otherwise, you may compile it from the sources.
</p><p>
There is a very simple example file in the <span class="emphasis"><em>conntrackd</em></span>
sources to set up a simple HA cluster with keepalived (see the file
keepalived.conf under the doc/sync/ directory).
This file can be used to
set up a simple VRRP cluster composed of two machines that hold the virtual
IPs 192.168.0.100 on eth0 and 192.168.1.100 on eth1.</p><p>If you are not familiar with <span class="emphasis"><em>keepalived</em></span>, please
read the official documentation available at the keepalived website
(<a class="ulink" href="http://www.keepalived.org" target="_top">http://www.keepalived.org</a>).</p><p>If you use a different high availability manager, make sure it works correctly before going ahead.</p></li><li class="listitem"><p>A dedicated link. The dedicated link between the firewalls is used
to transmit and receive the state information. The use of a dedicated link
is mandatory for security reasons, as someone could otherwise capture the state information
that is transferred between the firewalls.</p></li><li class="listitem"><p>A well-formed stateful rule-set. Otherwise you are likely to experience
problems during the fail-over. An example of a well-formed stateful iptables
rule-set is available on the <a class="ulink" href="http://conntrack-tools.netfilter.org/testcase.html" target="_top">conntrack-tools website</a>.</p></li><li class="listitem"><p>If your Linux kernel is &lt; 2.6.22, you have to disable TCP window
tracking:
</p><pre class="programlisting">
# echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
</pre><p>
</p></li></ol></div></div>
<div class="sect2" title="Configuring the daemon"><div class="titlepage"><div><div><h3 class="title"><a id="sync-configure"></a>Configuring the daemon</h3></div></div></div>
<p>The daemon <span class="emphasis"><em>conntrackd</em></span> in synchronization mode
supports up to three replication approaches:</p>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>notrack</em></span>: this approach is the simplest, as
it is based on a best-effort replication protocol, i.e. an unreliable
protocol.
This protocol sends and receives the state information
without performing any specific checking.
</p></li><li class="listitem"><p><span class="emphasis"><em>ft-fw</em></span>: this approach is based on a reliable
protocol that performs message tracking. Thus, the protocol can recover
from message loss, re-ordering and corruption.</p></li><li class="listitem"><p><span class="emphasis"><em>alarm</em></span>: this approach is based on spamming: an alarm-based protocol periodically re-sends the flow state to
the backup firewall replicas. This protocol consumes a lot of bandwidth,
but it resolves synchronization problems fast.</p></li></ul></div>
<p>The three existing approaches are soft real-time asynchronous
replication protocols that aim to have negligible impact in terms
of latency and bandwidth throughput on the stateful firewall filtering.</p>
<p>To configure <span class="emphasis"><em>conntrackd</em></span> in any of the existing
synchronization modes, you have to copy the example configuration file to
the directory /etc/conntrackd/ on every firewall replica. Note that
<span class="emphasis"><em>_type_</em></span> is the synchronization type selected.</p>
<pre class="programlisting">
(conntrack-tools-x.x.x)# cp doc/_type_/conntrackd.conf /etc/conntrackd/conntrackd.conf
</pre><p>
Do not forget to edit the files before going ahead. There are several
parameters that you have to tune to adapt the example configuration file
to your setup.
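Once both replicas run the tuned configuration, the quickest sanity check is to compare the counters that <em>conntrackd -s</em> prints on each node (the output format is shown under "Launching conntrackd"): the active's internal cache and the backup's external cache must hold the same number of entries. The script below is an added example, not part of the conntrack-tools manual or sources; it parses constructed <em>conntrackd -s</em> dumps for two replicas and flags a cache mismatch or lost multicast packets.

```shell
#!/bin/sh
# Added example (not part of the conntrack-tools manual or sources):
# compare the "conntrackd -s" counters of an Active-Backup pair.
# The status dumps below are constructed samples in the format that
# "conntrackd -s" prints; on a real cluster you would capture one per
# replica with:  conntrackd -s > /tmp/status.txt

# cache_count CACHE TEXT: print the "current active connections" value
# of the given cache (internal|external) found in TEXT.
cache_count() {
    printf '%s\n' "$2" | awk -v want="^cache $1:" '
        /^cache (internal|external):/ { in_cache = ($0 ~ want) }
        in_cache && /current active connections:/ { print $NF; exit }'
}

# lost_packets TEXT: print the "Pckts lost" counter from the multicast
# sequence tracking section. A non-zero value means the dedicated link
# dropped flow-state messages, which explains a cache mismatch.
lost_packets() {
    printf '%s\n' "$1" | awk '/Pckts lost/ { print $(NF-2); exit }'
}

# check_sync ACTIVE_TEXT BACKUP_TEXT: return 0 when the active's internal
# cache matches the backup's external cache and vice versa and no packets
# were lost; return 1 otherwise, printing one line per problem found.
check_sync() {
    a_int=$(cache_count internal "$1"); a_ext=$(cache_count external "$1")
    b_int=$(cache_count internal "$2"); b_ext=$(cache_count external "$2")
    rc=0
    if [ "$a_int" != "$b_ext" ]; then
        echo "mismatch: active internal=$a_int backup external=$b_ext"; rc=1
    fi
    if [ "$b_int" != "$a_ext" ]; then
        echo "mismatch: backup internal=$b_int active external=$a_ext"; rc=1
    fi
    for lost in $(lost_packets "$1") $(lost_packets "$2"); do
        [ "$lost" = 0 ] || { echo "warning: $lost flow-state packets lost"; rc=1; }
    done
    return $rc
}

# Constructed sample: the active replica filters 4 flows, none foreign.
ACTIVE_STATUS='cache internal:
current active connections:                4
connections created:                       4    failed:        0
connections updated:                       0    failed:        0
connections destroyed:                     0    failed:        0

cache external:
current active connections:                0
connections created:                       0    failed:        0

multicast sequence tracking:
                   0 Pckts mfrm             0 Pckts lost'

# Constructed sample: a healthy backup that received all 4 foreign flows.
BACKUP_STATUS='cache internal:
current active connections:                0

cache external:
current active connections:                4
connections created:                       4    failed:        0

multicast sequence tracking:
                   0 Pckts mfrm             0 Pckts lost'

# Constructed sample: a backup that lost one message and is one flow short.
BACKUP_LAGGING='cache internal:
current active connections:                0

cache external:
current active connections:                3
connections created:                       3    failed:        0

multicast sequence tracking:
                   0 Pckts mfrm             1 Pckts lost'

check_sync "$ACTIVE_STATUS" "$BACKUP_STATUS" && echo "replicas in sync"
check_sync "$ACTIVE_STATUS" "$BACKUP_LAGGING" || echo "replicas out of sync"
```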
98</p><div class="note" title="Configuration file location" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Configuration file location"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Configuration file location</th></tr><tr><td align="left" valign="top"><p>If you don't want to put the config file under /etc/conntrackd/, just tell conntrackd where to find it passing the option -C.</p></td></tr></table></div></div><div class="sect2" title="Active-Backup setup"><div class="titlepage"><div><div><h3 class="title"><a id="sync-pb"></a>Active-Backup setup</h3></div></div></div><div class="note" title="Stateful firewall architectures" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Stateful firewall architectures"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Stateful firewall architectures</th></tr><tr><td align="left" valign="top"><p>A good reading to extend the information about firewall architectures is <a class="ulink" href="http://1984.lsi.us.es/~pablo/docs/intcomp09.pdf" target="_top">Demystifying cluster-based fault-tolerant firewalls</a> published in IEEE Internet Computing magazine. 99 </p></td></tr></table></div><p>In the Active-Backup setup, one of the stateful firewall replicas 100 filters traffic and the other acts as backup. If you use this approach, 101 you have to copy the script <span class="emphasis"><em>primary-backup.sh</em></span> to: 102 </p><pre class="programlisting"> 103 (conntrack-tools-x.x.x)# cp doc/sync/primary-backup.sh /etc/conntrackd/ 104</pre><p>The HA manager invokes this script when a transition happens, ie. 
If 105 a stateful firewall replica:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>becomes active to recover the filtering.</p></li><li class="listitem"><p>becomes backup.</p></li><li class="listitem"><p>hits failure (this is available if the HA manager has a failure state, which is true for <a class="ulink" href="http://www.keepalived.org" target="_top">keepalived</a>.</p></li></ul></div><p>The script is simple, and it contains the different actions that 106 <span class="emphasis"><em>conntrackd</em></span> performs to recover the filtering or 107 purge obsolete entries from the state table, among others. The script is 108 commented, you can have a look at it if you need further information.</p></div><div class="sect2" title="Active-Active setup"><div class="titlepage"><div><div><h3 class="title"><a id="sync-aa"></a>Active-Active setup</h3></div></div></div><p>The Active-Active setup consists of having more than one stateful 109 firewall replicas actively filtering traffic. Thus, we reduce the resource 110 waste that implies to have a backup firewall which does nothing.</p><p>We can classify the type of Active-Active setups in several 111 families:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>Symmetric path routing</em></span>: The stateful firewall 112 replicas share the workload in terms of flows, ie. the packets that are 113 part of a flow are always filtered by the same firewall.</p></li><li class="listitem"><p><span class="emphasis"><em>Asymmetric multi-path routing</em></span>: The packets that 114 are part of a flow can be filtered by whatever stateful firewall in the 115 cluster. Thus, every flow-states have to be propagated to all the firewalls 116 in the cluster as we do not know which one would be the next to filter a 117 packet. 
This setup goes against the design of stateful firewalls as we 118 define the filtering policy based on flows, not in packets anymore. 119 </p></li></ul></div><p>As for 0.9.8, the design of <span class="emphasis"><em>conntrackd</em></span> allows you 120 to deploy an symmetric Active-Active setup based on a static approach. 121 For example, assume that you have two virtual IPs, vIP1 and vIP2, and two 122 firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the 123 firewall FW1 and the vIP2 to the FW2. 124 </p><p>Unfortunately, you will have to wait for the support for the 125 Active-Active setup based on dynamic approach, ie. a workload sharing setup 126 without directors that allow the stateful firewall share the filtering.</p><p>On the other hand, the asymmetric scenario may work if your setup 127 fulfills several strong assumptions. However, in the opinion of the author 128 of this work, the asymmetric setup goes against the design of stateful 129 firewalls and <span class="emphasis"><em>conntrackd</em></span>. 
Therefore, you have two 130 choices here: you can deploy an Active-Backup setup or go back to your 131 old stateless rule-set (in that case, the conntrack-tools will not be 132 of any help anymore, of course).</p></div><div class="sect2" title="Launching conntrackd"><div class="titlepage"><div><div><h3 class="title"><a id="sync-launch"></a>Launching conntrackd</h3></div></div></div><p> 133 Once you have configured <span class="emphasis"><em>conntrackd</em></span>, you can run in 134 <span class="emphasis"><em>console mode</em></span> which is an interactive mode, in that case 135 type 'conntrackd' as root.</p><pre class="programlisting">(root)# conntrackd</pre><p>If you want to run <span class="emphasis"><em>conntrackd</em></span> in <span class="emphasis"><em>daemon 136 mode</em></span>, then type:</p><pre class="programlisting">(root)# conntrackd -d</pre><p>You can verify that conntrackd is running by checking the log messages 137 via <span class="emphasis"><em>ps</em></span>. Moreover, if <span class="emphasis"><em>conntrackd</em></span> is 138 running fine, you can dump the current status of the daemon:</p><pre class="programlisting"> 139 # conntrackd -s 140 cache internal: 141 current active connections: 4 142 connections created: 4 failed: 0 143 connections updated: 0 failed: 0 144 connections destroyed: 0 failed: 0 145 146 cache external: 147 current active connections: 0 148 connections created: 0 failed: 0 149 connections updated: 0 failed: 0 150 connections destroyed: 0 failed: 0 151 152 traffic processed: 153 0 Bytes 0 Pckts 154 155 multicast traffic: 156 352 Bytes sent 0 Bytes recv 157 22 Pckts sent 0 Pckts recv 158 0 Error send 0 Error recv 159 160 multicast sequence tracking: 161 0 Pckts mfrm 0 Pckts lost 162 </pre><p>This command displays the number of entries in the internal and 163 external cache:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>The internal cache contains the states that this firewall 
replica is filtering, ie. this is a cache of the kernel state table. 164 </p></li><li class="listitem"><p>The external cache contains the states that the other firewall replica is filtering. 165 </p></li></ul></div><p>You can dump the internal cache with the following command:</p><pre class="programlisting"> 166 # conntrackd -i 167 tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=58491 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=58491 [ASSURED] mark=0 secmark=0 [active since 536s] 168 tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38211 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38211 [ASSURED] mark=0 secmark=0 [active since 536s] 169 tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38209 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38209 [ASSURED] mark=0 secmark=0 [active since 536s] 170 tcp 6 TIME_WAIT src=192.168.2.100 dst=74.125.45.166 sport=42593 dport=80 src=74.125.45.166 dst=192.168.2.100 sport=80 dport=42593 [ASSURED] [active since 165s] 171 tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=37962 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=37962 [ASSURED] mark=0 secmark=0 [active since 536s] 172 </pre><p>You can dump the external cache with the following command:</p><pre class="programlisting"># conntrackd -e</pre><p>If the replication works fine, <span class="emphasis"><em>conntrackd -s</em></span> 173 displays the active's internal cache should display the same number of 174 entries than the backup's external cache and vice-versa.</p><p>To verify that the recovery works fine, if you trigger a fail-over, 175 the log files should display the following information:</p><pre class="programlisting"> 176 [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] committing external cache 177 [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] Committed 1545 new entries</pre><p>This means that the state entries have been injected into the kernel 
correctly.</p></div><div class="sect2" title="Other configuration options"><div class="titlepage"><div><div><h3 class="title"><a id="sync-options"></a>Other configuration options</h3></div></div></div><p>The daemon allows several configuration options that you may want to 178 enable. This section contains some information about them.</p><div class="sect3" title="Disabling external cache"><div class="titlepage"><div><div><h4 class="title"><a id="sync-disable-external"></a>Disabling external cache</h4></div></div></div><p>It is possible to disable the external cache. Thus, 179 <span class="emphasis"><em>conntrackd</em></span> directly injects the flow-states into the 180 in-kernel Connection Tracking System of the backup firewall. You can do it 181 by enabling the <span class="emphasis"><em>DisableExternalCache</em></span> option in the 182 <span class="emphasis"><em>conntrackd.conf</em></span> configuration file: 183 </p><pre class="programlisting"> 184Sync { 185 Mode FTFW { 186 [...] 187 DisableExternalCache Off 188 } 189} 190 </pre><p>You can also use this option with the NOTRACK and ALARM modes. This 191 increases CPU consumption in the backup firewall but now you do not need 192 to commit the flow-states during the master failures since they are already 193 in the in-kernel Connection Tracking table. Moreover, you save memory in 194 the backup firewall since you do not need to store the foreign flow-states 195 anymore. 196 </p></div><div class="sect3" title="Disabling internal cache"><div class="titlepage"><div><div><h4 class="title"><a id="sync-disable-internal"></a>Disabling internal cache</h4></div></div></div><p>You can also disable the internal cache by means of the 197 <span class="emphasis"><em>DisableInternalCache</em></span> option in the 198 <span class="emphasis"><em>conntrackd.conf</em></span> configuration file: 199 </p><pre class="programlisting"> 200Sync { 201 Mode NOTRACK { 202 [...] 
		# On: do not keep a local copy of the states this firewall tracks
		DisableInternalCache On
	}
}
</pre><p>However, this option is only available for the NOTRACK mode. This mode provides unreliable flow-state synchronization between firewalls. Thus, if flow-states are lost during the synchronization, the protocol provides no way to recover them.</p></div><div class="sect3" title="Using UDP, TCP or multicast for flow-state synchronization"><div class="titlepage"><div><div><h4 class="title"><a id="sync-transport-protocol"></a>Using UDP, TCP or multicast for flow-state synchronization</h4></div></div></div><p>You can use up to three different transport layer protocols to synchronize flow-state changes between the firewalls: UDP, TCP and Multicast. UDP and multicast are unreliable, but together with the FT-FW mode they provide partially reliable flow-state synchronization.</p><p>The preferred choice is FT-FW over UDP, or alternatively over multicast. TCP introduces latency in the flow-state synchronization due to its congestion control. When flow-state messages are lost, the FIFO delivery also becomes a problem, since the backup firewall quickly gets out of sync. For that reason, its use is discouraged. Note that using TCP only makes sense with the NOTRACK mode.</p></div><div class="sect3" title="Redundant dedicated links"><div class="titlepage"><div><div><h4 class="title"><a id="sync-redundant-link"></a>Redundant dedicated links</h4></div></div></div><p>You can set up redundant dedicated links without using bonding: you have to configure as many redundant links as you want in the configuration file. In case of failure of the master dedicated link, conntrackd fails over to one of the backups. An example of this configuration is the following:</p><pre class="programlisting">
Sync {
	Mode FTFW {
		[...]
	}
	# default master dedicated link
	UDP Default {
		IPv4_address 192.168.2.1
		IPv4_Destination_Address 192.168.2.2
		Port 3780
		Interface eth3
		SndSocketBuffer 24985600
		RcvSocketBuffer 24985600
		Checksum on
	}
	# backup dedicated link
	UDP {
		IPv4_address 192.168.1.3
		IPv4_Destination_Address 192.168.1.4
		Port 3780
		Interface eth2
		SndSocketBuffer 24985600
		RcvSocketBuffer 24985600
		Checksum on
	}
	[...]
}
</pre></div><div class="sect3" title="Filtering Connection tracking events with iptables"><div class="titlepage"><div><div><h4 class="title"><a id="sync-iptables-filtering"></a>Filtering Connection tracking events with iptables</h4></div></div></div><p>Since Linux kernel 2.6.34, iptables provides the <span class="emphasis"><em>CT</em></span> target, which allows you to reduce the amount of Connection Tracking events that are delivered to user-space. However, you will have to use a Linux kernel >= 2.6.38 to profit from this feature, since several aspects of the event filtering were broken in earlier versions.</p><p>The following example shows how to generate only the <span class="emphasis"><em>assured</em></span> and <span class="emphasis"><em>destroy</em></span> events:</p><pre class="programlisting">
# iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy
</pre><div class="note" title="Assured flows" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Assured flows"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Assured flows</th></tr><tr><td align="left" valign="top"><p>A flow is assured if the firewall has seen traffic for it in both directions.</p></td></tr></table></div><p>Reducing the amount of events generated helps to reduce CPU consumption in the active firewall.</p></div><div class="sect3" title="Synchronization of expectations"><div 
class="titlepage"><div><div><h4 class="title"><a id="sync-expect"></a>Synchronization of expectations</h4></div></div></div><div class="note" title="Check your Linux kernel version first" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Check your Linux kernel version first"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Check your Linux kernel version first</th></tr><tr><td align="left" valign="top"><p>The synchronization of expectations requires a Linux kernel >= 3.5 to work appropriately.</p></td></tr></table></div><p>The connection tracking system provides helpers that allow you to filter multi-flow application protocols like FTP, H.323 and SIP, among many others. These protocols usually split the control and data traffic into different flows. Moreover, the control flow usually announces layer 3 and 4 information to let the other peer know where the data flows will be opened. This sort of protocol requires that the firewall inspects the content of the packets; otherwise, filtering by layer 3 and 4 selectors like addresses and ports becomes a real nightmare. Netfilter already provides the so-called <span class="emphasis"><em>helpers</em></span> that track these protocol aspects to allow deploying appropriate filtering. These helpers create <span class="emphasis"><em>expectation</em></span> entries that represent the traffic expected to arrive at the firewall according to the inspected packets.</p><p>In case you have enabled tracking of these protocols, you may want to enable the state-synchronization of expectations as well. Thus, established flows for these specific protocols will not suffer any disruption.</p><p>To enable the expectation support in the configuration file, you have to use the following option:</p><pre class="programlisting">
Sync {
	...
	Options {
		ExpectationSync {
			ftp
			sip
			ras	# for H.323
			q.931	# for H.323
			h.245	# for H.323
		}
	}
}</pre><p>The example above enables the synchronization of the expectations for the FTP, SIP and H.323 helpers.</p><p>In my testbed, there are two firewalls in a primary-backup configuration running keepalived. They use a couple of floating cluster IP addresses (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client.</p><p>In ASCII art, it looks like this:</p><pre class="programlisting">
           192.168.0.100          192.168.1.100
               eth1                   eth2
                          fw-1
                         /    \                 FTP
       client  ------            ------       server
     192.168.0.2         \    /            192.168.1.2
                          fw-2
</pre><p>This is the rule-set for the firewalls:</p><pre class="programlisting">
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "</pre><p>Before going ahead, make sure <span class="emphasis"><em>nf_conntrack_ftp</em></span> is loaded.</p><p>The following steps detail how to check that the expectation support works fine with FTP traffic:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Switch to the client. Start one FTP control connection to a server that is protected by the firewalls and enter passive mode:</p><pre class="programlisting">
(term-1) user@client$ nc 192.168.1.2 21
220 dummy FTP server
USER anonymous
331 Please specify the password.
PASS nothing
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,2,163,11).</pre><p>This means that port 163*256+11=41739 will be used for the data traffic. I suggest you read <a class="ulink" href="http://www.freefire.org/articles/ftpexample.php" target="_top">djb's FTP protocol description</a> in case you don't understand how this calculation is done.</p></li><li class="listitem"><p>Switch to fw-1 (primary) to check that the expectation is in the internal cache.</p><pre class="programlisting">
root@fw1# conntrackd -i exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 helper=ftp [active since 5s]
</pre></li><li class="listitem"><p>Switch to fw-2 (backup) to check that the expectation has been successfully replicated.</p><pre class="programlisting">
root@fw2# conntrackd -e exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
</pre></li><li class="listitem"><p>Make the primary firewall fw-1 fail. Now fw-2 becomes primary.</p></li><li class="listitem"><p>Switch to fw-2 (primary) to commit the external cache into the kernel. The logs should display that the commit was successful:</p><pre class="programlisting">
root@fw2# tail -100f /var/log/conntrackd.log
[Wed Dec  7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
[Wed Dec  7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
[Wed Dec  7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds</pre></li><li class="listitem"><p>Switch to the client. 
Open a new terminal and connect to the port that has been announced by the server:</p><pre class="programlisting">
(term-2) user@client$ nc -vvv 192.168.1.2 41739
(UNKNOWN) [192.168.1.2] 41739 (?) open</pre></li><li class="listitem"><p>Switch to term-1 and ask for the file listing:</p><pre class="programlisting">
[...]
227 Entering Passive Mode (192,168,1,2,163,11).
LIST</pre></li><li class="listitem"><p>Switch to term-2; it should display the listing. That means everything has worked fine.</p></li></ol></div><p>You may want to try disabling the expectation support and repeating the steps to check that <span class="emphasis"><em>it does not work</em></span> without the state-synchronization.</p></div></div></div><div class="sect1" title="User-space helpers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="helpers"></a>User-space helpers</h2></div></div></div><div class="note" title="Check your Linux kernel version first" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Check your Linux kernel version first"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Check your Linux kernel version first</th></tr><tr><td align="left" valign="top"><p>The user-space helper infrastructure requires a Linux kernel >= 3.6 to work appropriately.</p></td></tr></table></div><p>Connection tracking helpers allow you to filter multi-flow protocols that usually separate control and data traffic into different flows. These protocols usually violate network layering by including layer 3/4 details, e.g. IP addresses and TCP/UDP ports, in their application protocol (which resides in layer 7). This is problematic for gateways since they operate at packet-level, i.e. 
layers 3/4, and therefore they miss the information they need to filter these protocols appropriately.</p><p>Helpers inspect packet content (at layer 7) and create the so-called expectations. These expectations are added to an internal table that resides in the gateway. For each new packet arriving at the gateway, the gateway first looks for matching expectations. If there is one, the flow is accepted since it has been expected. Note that this lookup only occurs for the first packet of a newly established flow, not for all packets.</p><p>Since 1.4.0, conntrackd provides the infrastructure to develop helpers in user-space. The main features of the user-space infrastructure for helpers are:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Rapid connection tracking helper development, as developing code in user-space is usually faster.</p></li><li class="listitem"><p>Reliability: a buggy helper does not crash the kernel. If the helper fails, i.e. conntrackd crashes, the kernel keeps running. Moreover, we can monitor the helper process and restart it in case of problems.</p></li><li class="listitem"><p>Security: avoid complex string matching and mangling in kernel-space, which runs in privileged mode. Going further, we can even think about running the user-space helper as a non-root process.</p></li><li class="listitem"><p>It allows the development of very specific helpers for proprietary protocols that are not standard. This is the case of the SQL*net helper. Implementing this in kernel-space may be problematic, since it may not be accepted for mainline inclusion in the Linux kernel. As an alternative, we can still distribute this support as separate patches. However, my personal experience is that, given that the kernel API/ABI is not stable, changes in the interface lead to the breakage of the patch. 
This greatly increases the maintenance overhead.</p></li></ul></div><p>Currently, the infrastructure supports the following user-space helpers:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Oracle*TNS, to support its special <span class="emphasis"><em>Redirect</em></span> message.</p></li><li class="listitem"><p>NFSv3; mind that version 4 does not require this helper.</p></li><li class="listitem"><p>FTP (this helper is also available in kernel-space).</p></li></ul></div><p>The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers):</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Register the user-space helper:</p><pre class="programlisting">
nfct helper add rpc inet udp
nfct helper add rpc inet tcp
</pre><p>This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes over both TCP and UDP).</p></li><li class="listitem"><p>Add iptables rules using the CT target:</p><pre class="programlisting">
# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
</pre><p>With this, packets matching TCP/UDP port 111 are passed to user-space for inspection. 
If there is no instance of conntrackd configured to support user-space helpers, no inspection happens and packets are not sent to user-space.</p></li><li class="listitem"><p>Add configuration to conntrackd.conf:</p><pre class="programlisting">
Helper {
	Type rpc inet udp {
		QueueNum 1
		QueueLen 10240
		Policy rpc {
			ExpectMax 1
			ExpectTimeout 300
		}
	}
	Type rpc inet tcp {
		QueueNum 2
		QueueLen 10240
		Policy rpc {
			ExpectMax 1
			ExpectTimeout 300
		}
	}
}
</pre><p>This configures conntrackd to use NFQUEUE queue numbers 1 and 2 to send traffic for inspection to user-space.</p><div class="note" title="If you have some custom libnetfilter_queue application" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: If you have some custom libnetfilter_queue application"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">If you have some custom libnetfilter_queue application</th></tr><tr><td align="left" valign="top"><p>Make sure your queue numbers do not collide with those used in your conntrackd.conf file. 
</p></td></tr></table></div></li></ol></div><p>Now you can test this (assuming you have a working NFSv3 setup) with:</p><pre class="programlisting">
mount -t nfs -onfsvers=3 mynfs.server.info:/srv/cvs /mnt/
</pre><p>You should see new expectations being added via:</p><pre class="programlisting">
# conntrack -E expect
    [NEW] 300 proto=17 src=1.2.3.4 dst=1.2.3.4 sport=0 dport=54834 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=1.2.3.4 master-dst=1.2.3.4 sport=58190 dport=111 PERMANENT class=0 helper=rpc
    [NEW] 300 proto=6 src=1.2.3.4 dst=1.2.3.4 sport=0 dport=2049 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=1.2.3.4 master-dst=1.2.3.4 sport=55450 dport=111 PERMANENT class=0 helper=rpc
    [NEW] 300 proto=17 src=1.2.3.4 dst=1.2.3.4 sport=0 dport=58031 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=1.2.3.4 master-dst=1.2.3.4 sport=56309 dport=111 PERMANENT class=0 helper=rpc
</pre></div><div class="sect1" title="Troubleshooting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sync-trouble"></a>Troubleshooting</h2></div></div></div><p>Problems with <span class="emphasis"><em>conntrackd</em></span>? The following list of questions should help with troubleshooting:</p><div class="qandaset" title="Frequently Asked Questions"><a id="idp5407120"></a><dl><dt>1. <a href="#idp5407376">I see packets lost in conntrackd -s</a></dt><dt>2. <a href="#idp5410960">The log messages report that the maximum netlink socket buffer has been reached.</a></dt><dt>3. <a href="#idp5414032">I see can't open multicast server in the log messages</a></dt><dt>4. <a href="#idp5416720">Can I use wackamole, heartattack or any other HA manager?</a></dt><dt>5. <a href="#idp5419408">Does conntrackd support TCP flow-recovery with window tracking enabled? 
</a></dt><dt>6. <a href="#idp5421808">Does conntrackd support the H.323 and SIP connection tracking helpers?</a></dt><dt>7. <a href="#idp5423920">Is there any way to set up a more verbose mode in the log message for debugging?</a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td align="left" valign="top"><a id="idp5407376"></a><a id="idp5407632"></a><p><strong>1.</strong></p></td><td align="left" valign="top"><p>I see <span class="emphasis"><em>packets lost</em></span> in <span class="emphasis"><em>conntrackd -s</em></span></p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>You can raise the values of <span class="emphasis"><em>McastSndSocketBuffer</em></span> and <span class="emphasis"><em>McastRcvSocketBuffer</em></span>; if the problem is due to buffer overruns in the multicast sender or receiver, it should disappear.</p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a id="idp5410960"></a><a id="idp5411216"></a><p><strong>2.</strong></p></td><td align="left" valign="top"><p>The log messages report that the <span class="emphasis"><em>maximum netlink socket buffer has been reached</em></span>.</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>You can increase the values of <span class="emphasis"><em>SocketBufferSize</em></span> and <span class="emphasis"><em>SocketBufferSizeMaxGrown</em></span>. 
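</p><p>As an added example, not part of this manual nor of conntrackd itself: the two questions above name the counters to watch and the options to raise, and the small Python check below automates that. It parses the counter lines in the format that <span class="emphasis"><em>conntrackd -s network</em></span> and <span class="emphasis"><em>conntrackd -s runtime</em></span> print and returns every watched counter that is non-zero together with the option the corresponding answer points at. The sample output embedded in it is constructed for this example (the 17 netlink overruns are made up so that the check has something to find), and the function names are assumptions.</p>

```python
"""Flag conntrackd statistics counters that point at buffer trouble.

Added example for the conntrack-tools manual, not code from the project.
It parses the "name: value" counter lines that `conntrackd -s network` and
`conntrackd -s runtime` print and reports the watched ones that are non-zero.
"""
import re

# Sample output, constructed here in the format conntrackd prints; the
# 17 netlink overruns are made up so that the check has something to find.
SAMPLE_NETWORK = """\
network statistics:
    recv:
        Malformed messages:         0
        Wrong protocol version:     0
        Malformed header:           0
        Malformed payload:          0
        Bad message type:           0
        Truncated message:          0
        Bad message size:           0
    send:
        Malformed messages:         0

sequence tracking statistics:
    recv:
        Packets lost:           42726
        Packets before:             0

UDP traffic (active device=eth3):
          564232 Bytes sent       1979844 Bytes recv
            2844 Pckts sent          8029 Pckts recv
               0 Error send            0 Error recv
"""

SAMPLE_RUNTIME = """\
daemon uptime: 14 min

netlink stats:
    events received:            24736
    events filtered:                0
    events unknown type:            0
    catch event failed:             0
    dump unknown type:              0
    netlink overrun:               17
    flush kernel table:             1
    resync with kernel table:       0
    current buffer size (in bytes): 8000000
"""

# "name: value" counter lines; the name may contain spaces and parentheses.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /()]*?):\s+(\d+)\s*$")
# Link statistics pack two counters per line, e.g. "2844 Pckts sent 8029 Pckts recv".
PAIR_RE = re.compile(r"(\d+)\s+(Bytes|Pckts|Error)\s+(sent|recv|send)")

# Counters that stay at zero on a healthy setup, with the conntrackd.conf
# option the FAQ answers suggest raising when they grow (hypothetical hints).
WATCHED = {
    "recv/Packets lost": "raise McastSndSocketBuffer/McastRcvSocketBuffer (SndSocketBuffer/RcvSocketBuffer for UDP links)",
    "netlink overrun": "raise SocketBufferSize and SocketBufferSizeMaxGrown",
    "recv/Malformed messages": "inspect the dedicated link before tuning buffers",
    "Error send": "inspect the dedicated link before tuning buffers",
    "Error recv": "inspect the dedicated link before tuning buffers",
}


def parse_counters(text):
    """Return {counter: value} for every numeric counter in a status dump.

    Counters under a "recv:"/"send:" sub-section get that prefix, because
    "Malformed messages" exists under both.
    """
    counters = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":"):  # section header such as "recv:" or "netlink stats:"
            section = stripped[:-1]
            continue
        m = COUNTER_RE.match(line)
        if m:
            name = m.group(1).strip()
            key = f"{section}/{name}" if section in ("recv", "send") else name
            counters[key] = int(m.group(2))
            continue
        for value, unit, direction in PAIR_RE.findall(line):
            counters[f"{unit} {direction}"] = int(value)
    return counters


def find_anomalies(counters):
    """Return {counter: (value, hint)} for watched counters that are non-zero."""
    return {name: (counters[name], hint)
            for name, hint in WATCHED.items() if counters.get(name, 0) > 0}


if __name__ == "__main__":
    stats = parse_counters(SAMPLE_NETWORK + "\n" + SAMPLE_RUNTIME)
    for name, (value, hint) in find_anomalies(stats).items():
        print(f"{name} = {value}: {hint}")
```

<p>Run it over the saved output of the two commands on the firewall that logs the problem. Only watched counters that are non-zero come back, so an empty result means the socket buffers are keeping up; a growing counter tells you which option to look at, not why it grows, so keep the raw statistics if you report a bug. 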
</p></td></tr><tr class="question" title="3."><td align="left" valign="top"><a id="idp5414032"></a><a id="idp5414288"></a><p><strong>3.</strong></p></td><td align="left" valign="top"><p>I see <span class="emphasis"><em>can't open multicast server</em></span> in the log messages</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>Make sure that the <span class="emphasis"><em>IPv4_interface</em></span> clause has the IP of the dedicated link.</p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a id="idp5416720"></a><a id="idp5416976"></a><p><strong>4.</strong></p></td><td align="left" valign="top"><p>Can I use <a class="ulink" href="http://www.backhand.org/wackamole/" target="_top">wackamole</a>, heartattack or any other HA manager?</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>Absolutely, you can. But before reporting issues, make sure that your HA manager is not the source of the problems.</p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a id="idp5419408"></a><a id="idp5419664"></a><p><strong>5.</strong></p></td><td align="left" valign="top"><p>Does conntrackd support TCP flow-recovery with window tracking enabled?</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>Yes, but you need a Linux kernel >= 2.6.36 and the conntrack-tools >= 0.9.15. To enable it, check the TCPWindowTracking clause in the example configuration files.</p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a id="idp5421808"></a><a id="idp5422064"></a><p><strong>6.</strong></p></td><td align="left" valign="top"><p>Does conntrackd support the H.323 and SIP connection tracking helpers? 
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>Yes, conntrackd includes expectation support since version 1.2.0.</p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a id="idp5423920"></a><a id="idp5424176"></a><p><strong>7.</strong></p></td><td align="left" valign="top"><p>Is there any way to set up a more verbose mode in the log message for debugging?</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>No, but conntrackd provides lots of information that you can look up at runtime via the -s option.</p><p>You can check network statistics to find anomalies:</p><pre class="programlisting">
# conntrackd -s network
network statistics:
	recv:
		Malformed messages:		0
		Wrong protocol version:		0
		Malformed header:		0
		Malformed payload:		0
		Bad message type:		0
		Truncated message:		0
		Bad message size:		0
	send:
		Malformed messages:		0

sequence tracking statistics:
	recv:
		Packets lost:			42726
		Packets before:			0

UDP traffic (active device=eth3):
	564232 Bytes sent	1979844 Bytes recv
	2844 Pckts sent		8029 Pckts recv
	0 Error send		0 Error recv
</pre><p>You can check cache statistics:</p><pre class="programlisting">
# conntrackd -s cache
cache:internal active objects:		0
	active/total entries:		0/	0
	creation OK/failed:		11068/	0
	no memory available:		0
	no space left in cache:		0
	update OK/failed:		4128/	0
	entry not found:		0
	deletion created/failed:	11068/	0
	entry not found:		0

cache:external active objects:		0
	active/total entries:		0/	0
	creation OK/failed:		10521/	0
	no memory available:		0
	no space left in cache:		0
	update OK/failed:		8832/	0
	entry not found:		0
	deletion created/failed:	10521/	0
	entry not found:		0
</pre><p>You can check runtime miscellaneous statistics:</p><pre 
class="programlisting">
# conntrackd -s runtime
daemon uptime: 14 min

netlink stats:
	events received:		24736
	events filtered:		0
	events unknown type:		0
	catch event failed:		0
	dump unknown type:		0
	netlink overrun:		0
	flush kernel table:		1
	resync with kernel table:	0
	current buffer size (in bytes):	8000000

runtime stats:
	child process failed:		0
	child process segfault:		0
	child process termsig:		0
	select failed:			0
	wait failed:			0
	local read failed:		0
	local unknown request:		0
</pre><p>You can check dedicated link statistics:</p><pre class="programlisting">
# conntrackd -s link
UDP traffic device=eth3 status=RUNNING role=ACTIVE:
	566848 Bytes sent	1982612 Bytes recv
	3018 Pckts sent		8203 Pckts recv
	0 Error send		0 Error recv
</pre><p>You can check network queue statistics:</p><pre class="programlisting">
# conntrackd -s queue
allocated queue nodes:		1

queue txqueue:
current elements:		0
maximum elements:		2147483647
not enough space errors:	0

queue errorq:
current elements:		0
maximum elements:		128
not enough space errors:	0

queue rsqueue:
current elements:		1
maximum elements:		131072
not enough space errors:	0
</pre></td></tr></tbody></table></div></div></div></div></body></html>