* DisableExternalCache on conntrackd 0.9.14 not syncing to kernel
@ 2011-07-28 15:22 Tyler J. Wagner
  2011-08-02 20:15 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Tyler J. Wagner @ 2011-07-28 15:22 UTC (permalink / raw)
  To: netfilter


Hi all,

I've configured two routers, in active-backup mode, but where both can
route to all endpoints at all times. Under some circumstances, traffic
can enter at the backup. So I'm trying to provide either a full
active-active asymmetric solution, or at least active-active symmetric,
where the backup has the active's sessions in the kernel table at all times.

Two questions:

1. "Mode FTFW { DisableExternalCache Off }" does not appear to work as
advertised. The backup router continues to show connections in "cache
external", and these connections are not synced to the local kernel. Can
you tell me why?

2. Does anyone have advice on the best practice to configure
conntrackd for complete active/active asymmetric routing? I want to
avoid flushing sessions at failover, and just have them sync state full
time.

Details:

conntrackd is 0.9.14-2ubuntu1 on Ubuntu 10.04 lucid. This is the package
Ubuntu provides for 11.04 natty, backported to lucid. The package is
unchanged from the Ubuntu sources. All else is stock lucid.

Both routers are configured as in the attached file (with the exception
of IPv4_interface).

Regards,
Tyler

-- 
"A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem,
pitch manure, program a computer, cook a tasty meal, fight efficiently,
die gallantly. Specialization is for insects."
   -- Lazarus Long, "Time Enough for Love", by Robert A. Heinlein


[-- Attachment #2: conntrackd.conf --]

#
# General settings
#
General {
	#
	# Number of buckets in the caches: hash table
	#
	HashSize 1307648

	#
	# Maximum number of conntracks: 
	# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
	#
	HashLimit 2614630

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	#
	#LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	Syslog on

	#
	# Lockfile
	# 
	LockFile /var/lock/conntrackd.lock

	#
	# Unix socket configuration
	#
	UNIX {
		Path /var/run/conntrackd.sock
		Backlog 20
	}

	#
	# Netlink socket buffer size
	#
	SocketBufferSize 262142

	#
	# Increase the socket buffer up to maximum if required
	#
	SocketBufferSizeMaxGrown 655355

	#
	# Event filtering: This clause allows you to filter certain traffic,
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	#
	Filter {
		#
		# Accept only certain protocols: You may want to log the
		# state of flows depending on their layer 4 protocol.
		#
		Protocol Accept {
			TCP
		}

		#
		# Ignore traffic for a certain set of IP's.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
		}

		#
		# Uncomment this line below if you want to filter by flow state.
		# The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
		# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}

# 2011-07-28 tyler - see:
# http://conntrack-tools.netfilter.org/manual.html
# /usr/share/doc/conntrackd/examples/sync/notrack/conntrackd.conf.gz

Sync {
#	Mode NOTRACK { }
#	Mode FTFW {
#		DisableExternalCache Off
#	}
	Mode FTFW { }
	Multicast {
		IPv4_address 225.0.0.50
		Group 3780
		IPv4_interface 10.10.2.57
		Interface vlan43
		SndSocketBuffer 1249280
		RcvSocketBuffer 1249280
		Checksum on
	}
}


* Re: DisableExternalCache on conntrackd 0.9.14 not syncing to kernel
  2011-07-28 15:22 DisableExternalCache on conntrackd 0.9.14 not syncing to kernel Tyler J. Wagner
@ 2011-08-02 20:15 ` Pablo Neira Ayuso
  2011-08-03 14:15   ` Tyler J. Wagner
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2011-08-02 20:15 UTC (permalink / raw)
  To: Tyler J. Wagner; +Cc: netfilter

Hi,

On 28/07/11 17:22, Tyler J. Wagner wrote:
> Hi all,
> 
> I've configured two routers, in active-backup mode, but where both can
> route to all endpoints at all times. Under some circumstances, traffic
> can enter at the backup. So I'm trying to provide either a full
> active-active asymmetric solution, or at least active-active symmetric,
> where the backup has the active's sessions in the kernel table at all times.
> 
> Two questions:
> 
> 1. "Mode FTFW { DisableExternalCache Off }" does not appear to work as
> advertised. The backup router continues to show connections in "cache
> external", and these connections are not synced to the local kernel. Can
> you tell me why?

You want to inject your flow-state information immediately, right? In
that case, you can explicitly set DisableExternalCache On. Removing
the DisableExternalCache clause from the config file defaults to off (as
it shows your config file).

> 2. Does anyone have advice on the best practice to configure
> conntrackd for complete active/active asymmetric routing? I want to
> avoid flushing sessions at failover, and just have them sync state full
> time.

Active/active with asymmetric routing for stateful firewalls is poor
design for stateful firewalls. I don't recommend it to you. Please read:
http://1984.lsi.us.es/~pablo/docs/intcomp09.pdf.

I started some work to allow active/active setup with load-sharing.

http://1984.lsi.us.es/git/?p=cluster-match-scripts/.git;a=summary

It's still preliminary and undocumented, I'm looking for someone
interested in sponsoring this effort with no success.

> Details:
> 
> conntrackd is 0.9.14-2ubuntu1 on Ubuntu 10.04 lucid. This is the package
> Ubuntu provides for 11.04 natty, backported to lucid. The package is
> unchanged from the Ubuntu sources. All else is stock lucid.

There are few differences between 0.9.14 and 1.0.0, but I suggest you
upgrade to 1.0.0 since you'll benefit from several fixes of minor bugs
that happened during that period.

You may use the conntrack-tools 1.0.0 debian packages in sid:
http://packages.debian.org/unstable/net/conntrack

> Both routers are configured as in the attached file (with the exception
> of IPv4_interface).


* Re: DisableExternalCache on conntrackd 0.9.14 not syncing to kernel
  2011-08-02 20:15 ` Pablo Neira Ayuso
@ 2011-08-03 14:15   ` Tyler J. Wagner
  0 siblings, 0 replies; 3+ messages in thread
From: Tyler J. Wagner @ 2011-08-03 14:15 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Thank you for your help, Pablo. My comments below.

On 2011-08-02 21:15, Pablo Neira Ayuso wrote:
> You want to inject your flow-state information immediately, right? In
> that case, you can explicitly set DisableExternalCache On. Removing
> the DisableExternalCache clause from the config file defaults to off (as
> it shows your config file).

Correct, that's what I want. I'll try the "On" argument instead. The
manual states to use the "Off" argument, albeit in an unclear example:

http://conntrack-tools.netfilter.org/manual.html

Can someone correct it?

> Active/active with asymmetric routing for stateful firewalls is poor
> design for stateful firewalls. I don't recommend it to you. Please read:
> http://1984.lsi.us.es/~pablo/docs/intcomp09.pdf.

I read that white paper. It made fine reading on a recent flight. Thank you.

What I want is not true active/active asymmetric routing. I.e., I don't
need state information to propagate ahead of user traffic (thus adding
latency). I just want active/backup, but where both the active and the
backup have each other's state tables in the kernel. This way, if an
asymmetric loop does occur (due to stale ARP data), the traffic will
pass the firewall. If the state data has propagated by that time, of course.

> There are few differences between 0.9.14 and 1.0.0, but I suggest you
> upgrade to 1.0.0 since you'll benefit from several fixes of minor bugs
> that happened during that period.

I'll attempt to use or repackage 1.0.0 for Ubuntu lucid. If so, I'll
publish it in my PPA. Thanks.

Regards,
Tyler

-- 
"No one can terrorize a whole nation, unless we are all his accomplices."
   -- Edward R. Murrow

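The setting this thread turns on, as an added example (not code from the thread or from conntrack-tools): a small Python parser for the brace-block conntrackd.conf syntax used in the attached file, which reports the effective DisableExternalCache value of the Sync mode block and treats an absent clause as the default Off, as Pablo describes. The two embedded Sync blocks are constructed for the example: one mirrors the posted config, where the clause is commented out and `Mode FTFW { }` is what remains, the other sets the clause On. The parser assumes `#` starts a comment, `Name {` opens a block, `}` closes it, and `Key Value` sets a key inside the current block.

```python
"""Check the DisableExternalCache setting in a conntrackd.conf-style file.

Added example; not code from this thread or from conntrack-tools. It
assumes the brace-block syntax of the attached conntrackd.conf: '#'
starts a comment, 'Name {' opens a block, '}' closes it, and 'Key Value'
sets a key inside the current block. The sample configs are constructed.
"""

# Constructed: the Sync block as posted in the thread. The clause is
# commented out, so the daemon falls back to the default (Off).
POSTED_SYNC = """
Sync {
#   Mode FTFW {
#       DisableExternalCache Off
#   }
    Mode FTFW { }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        Checksum on
    }
}
"""

# Constructed: the same block with the clause active and set to On, which
# is what injects replicated flows straight into the local kernel table.
CORRECTED_SYNC = """
Sync {
    Mode FTFW {
        DisableExternalCache On
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        Checksum on
    }
}
"""


def _strip_comment(line):
    """Drop a '#' comment and surrounding whitespace (no quoted strings)."""
    return line.split("#", 1)[0].strip()


def parse_conf(text):
    """Parse brace blocks into nested dicts, e.g.
    {"Sync": {"Mode FTFW": {"DisableExternalCache": "On"}, "Multicast": {...}}}
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):
            # Multi-line block: 'Multicast {'
            block = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "{" in line and line.endswith("}"):
            # One-line block: 'Mode FTFW { }' or
            # 'Mode FTFW { DisableExternalCache Off }'
            name, inner = line[:-1].split("{", 1)
            block = stack[-1].setdefault(name.strip(), {})
            tokens = inner.split()
            if len(tokens) % 2:
                raise ValueError("cannot pair tokens in %r" % line)
            for key, value in zip(tokens[::2], tokens[1::2]):
                block[key] = value
        else:
            parts = line.split(None, 1)
            stack[-1][parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def external_cache_setting(conf):
    """Return (mode, effective_value, explicit) for the Sync mode block.

    When the clause is absent the daemon default applies, which is Off:
    replicated flows stay in the external cache instead of the kernel.
    """
    sync = conf.get("Sync", {})
    modes = [k for k in sync if k.startswith("Mode ")]
    if not modes:
        return (None, None, False)
    mode = modes[0]
    value = sync[mode].get("DisableExternalCache")
    if value is None:
        return (mode, "Off", False)
    return (mode, value.capitalize(), True)


def injects_directly(conf):
    """True when replicated state goes straight into the local kernel table."""
    return external_cache_setting(conf)[1] == "On"


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SYNC), ("corrected", CORRECTED_SYNC)):
        mode, value, explicit = external_cache_setting(parse_conf(text))
        print("%-9s %s DisableExternalCache=%s (%s)" % (
            label, mode, value, "explicit" if explicit else "default"))
```

Running the script reports the posted block as `Mode FTFW DisableExternalCache=Off (default)` and the corrected block as `On (explicit)`, which is the difference between connections sitting in "cache external" on the backup and being present in its kernel table.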
