FTFW with multicast not working properly

FTFW with multicast not working properly

[Jean-Sébastien Frerot]

Hi, I'm trying to set up conntrackd in FTFW mode with the multicast protocol.
The problem I'm having is that my BACKUP firewall is not getting the
states as it's supposed to.
It's receiving the packets (confirmed by a tcpdump), but only a few
states are replicated, even when I used the '-B' option to resend all
the states to the slaves.

If I configure it to use unicast UPD, all is working fine.
I was hoping to use multicast so I can migrate my current active
firewalls, to a new pair of firewalls. But for this to work, I need to
sync the states to all my 4 firewalls.

The version I'm using:
Connection tracking userspace daemon v1.4.4. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo@netfilter.org>

the OS:
centos 7

Here is the MASTER stats for conntrackd
#####
cache internal:
current active connections:        6205
connections created:        6292 failed:           0
connections updated:         179 failed:           0
connections destroyed:          87 failed:           0

cache external:
current active connections:           0
connections created:           0 failed:           0
connections updated:           0 failed:           0
connections destroyed:           0 failed:           0

traffic processed:
                   0 Bytes                         0 Pckts

multicast traffic (active device=bond1.999):
               20468 Bytes sent                  344 Bytes recv
                 318 Pckts sent                   23 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                   99 Lost msgs
######

and the slave:
######
cache internal:
current active connections:           0
connections created:           0 failed:           0
connections updated:           0 failed:           0
connections destroyed:           0 failed:           0

cache external:
current active connections:           1
connections created:           1 failed:           0
connections updated:           0 failed:           0
connections destroyed:           0 failed:           0

traffic processed:
                   0 Bytes                         0 Pckts

multicast traffic (active device=bond1.999):
                1136 Bytes sent               615344 Bytes recv
                  71 Pckts sent                 4053 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs
######

Here is the current configuration
First firewall
######
Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
        ACKWindowSize 300
        DisableExternalCache off
    }
    Multicast {
      IPv4_address 225.0.0.51
      Group 3781
      IPv4_interface 172.31.2.1
      Interface bond1.999
      SndSocketBuffer 24985600
      RcvSocketBuffer 24985600
      Checksum on
    }
}
General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile off
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        Protocol Accept {
            TCP
            SCTP
            DCCP
            UDP
        }
        Address Ignore {
            IPv4_address 172.31.0.1
            IPv4_address 172.31.0.2
            IPv4_address 172.31.2.1
            IPv4_address 172.31.2.2
            IPv4_address 172.31.2.3
            IPv4_address 172.31.2.4
            IPv4_address 169.254.0.9
            IPv4_address 169.254.0.10
        }
    }
}

Second firewall
#####
Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
        ACKWindowSize 300
        DisableExternalCache off
    }
    Multicast {
      IPv4_address 225.0.0.51
      Group 3781
      IPv4_interface 172.31.2.2
      Interface bond1.999
      SndSocketBuffer 24985600
      RcvSocketBuffer 24985600
      Checksum on
    }
}
General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile off
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        Protocol Accept {
            TCP
            SCTP
            DCCP
            UDP
        }
        Address Ignore {
            IPv4_address 10.2.244.2
            IPv4_address 10.2.244.3
            IPv4_address 10.2.244.4
            IPv4_address 10.2.244.5
            IPv4_address 10.2.252.2
            IPv4_address 10.2.252.3
            IPv4_address 10.2.252.4
            IPv4_address 10.2.252.5
            IPv4_address 172.31.0.1
            IPv4_address 172.31.0.2
            IPv4_address 172.31.2.1
            IPv4_address 172.31.2.2
            IPv4_address 172.31.2.3
            IPv4_address 172.31.2.4
            IPv4_address 169.254.0.9
            IPv4_address 169.254.0.10
        }
    }
}

any idea where the problem could be ?
Thank you.

Re: FTFW with multicast not working properly

[Pablo Neira Ayuso]

On Fri, Nov 27, 2020 at 11:56:22AM -0500, Jean-Sébastien Frerot wrote:
> Hi, I'm trying to set up conntrackd in FTFW mode with the multicast protocol.
> The problem I'm having is that my BACKUP firewall is not getting the
> states as it's supposed to.
> It's receiving the packets (confirmed by a tcpdump), but only a few
> states are replicated, even when I used the '-B' option to resend all
> the states to the slaves.
> 
> If I configure it to use unicast UPD, all is working fine.
> I was hoping to use multicast so I can migrate my current active
> firewalls, to a new pair of firewalls. But for this to work, I need to
> sync the states to all my 4 firewalls.

FT-FW only works with 2 firewalls. For more than 2 firewalls, please
try NOTRACK mode.

FT-FW would need to be extended to support more than 2 firewalls, by
adding some sort of node ID and independent retransmissions queues for
each firewall in the cluster.

Re: FTFW with multicast not working properly

[Jean-Sébastien Frerot]

Ok, I can understand if it's not working with more than 2 firewalls.
But it's not working with 2 !
The details I sent are only for 2 firewalls ATM.


Le ven. 27 nov. 2020, à 13 h 57, Pablo Neira Ayuso
<pablo@netfilter.org> a écrit :
>
> On Fri, Nov 27, 2020 at 11:56:22AM -0500, Jean-Sébastien Frerot wrote:
> > Hi, I'm trying to set up conntrackd in FTFW mode with the multicast protocol.
> > The problem I'm having is that my BACKUP firewall is not getting the
> > states as it's supposed to.
> > It's receiving the packets (confirmed by a tcpdump), but only a few
> > states are replicated, even when I used the '-B' option to resend all
> > the states to the slaves.
> >
> > If I configure it to use unicast UPD, all is working fine.
> > I was hoping to use multicast so I can migrate my current active
> > firewalls, to a new pair of firewalls. But for this to work, I need to
> > sync the states to all my 4 firewalls.
>
> FT-FW only works with 2 firewalls. For more than 2 firewalls, please
> try NOTRACK mode.
>
> FT-FW would need to be extended to support more than 2 firewalls, by
> adding some sort of node ID and independent retransmissions queues for
> each firewall in the cluster.



-- 
Jean-Sébastien Frerot
Senior Linux System Administrator
jsfrerot@ludia.com



410 St.Nicolas, suite 400
Montréal, QC H2Y 2P5
www.ludia.com

Re: FTFW with multicast not working properly

[Jean-Sébastien Frerot]

After further investigation, it seems this is not only related to
multicast, but also with unicast udp packets.
So I have moved on to my new firewalls under ubuntu server 20.04 with
conntrackd 1.4.5.
I added the "StartupResync on" and The initial states are getting in
the backup firewall. But all state changes are not updated.

I noticed the rsqueue "current elements" is rising constantly.
# conntrackd -s queue
allocated queue nodes:            0

queue txqueue:
current elements:            0
maximum elements:   2147483647
not enough space errors:            0

queue errorq:
current elements:            0
maximum elements:          128
not enough space errors:            0

queue rsqueue:
current elements:         5863
maximum elements:       131072
not enough space errors:            0

Any idea what could cause this?

Thank you.

Le ven. 27 nov. 2020, à 14 h 04, Jean-Sébastien Frerot
<jsfrerot@ludia.com> a écrit :
>
> Ok, I can understand if it's not working with more than 2 firewalls.
> But it's not working with 2 !
> The details I sent are only for 2 firewalls ATM.
>
>
> Le ven. 27 nov. 2020, à 13 h 57, Pablo Neira Ayuso
> <pablo@netfilter.org> a écrit :
> >
> > On Fri, Nov 27, 2020 at 11:56:22AM -0500, Jean-Sébastien Frerot wrote:
> > > Hi, I'm trying to set up conntrackd in FTFW mode with the multicast protocol.
> > > The problem I'm having is that my BACKUP firewall is not getting the
> > > states as it's supposed to.
> > > It's receiving the packets (confirmed by a tcpdump), but only a few
> > > states are replicated, even when I used the '-B' option to resend all
> > > the states to the slaves.
> > >
> > > If I configure it to use unicast UPD, all is working fine.
> > > I was hoping to use multicast so I can migrate my current active
> > > firewalls, to a new pair of firewalls. But for this to work, I need to
> > > sync the states to all my 4 firewalls.
> >
> > FT-FW only works with 2 firewalls. For more than 2 firewalls, please
> > try NOTRACK mode.
> >
> > FT-FW would need to be extended to support more than 2 firewalls, by
> > adding some sort of node ID and independent retransmissions queues for
> > each firewall in the cluster.

Re: FTFW with multicast not working properly

[Jean-Sébastien Frerot]

And what I see after the weekend:
allocated queue nodes:       131072

queue txqueue:
current elements:            0
maximum elements:   2147483647
not enough space errors:            0

queue errorq:
current elements:            0
maximum elements:          128
not enough space errors:            0

queue rsqueue:
current elements:       131072
maximum elements:       131072
not enough space errors:       109663


Le ven. 4 déc. 2020, à 13 h 21, Jean-Sébastien Frerot
<jsfrerot@ludia.com> a écrit :
>
> After further investigation, it seems this is not only related to
> multicast, but also with unicast udp packets.
> So I have moved on to my new firewalls under ubuntu server 20.04 with
> conntrackd 1.4.5.
> I added the "StartupResync on" and The initial states are getting in
> the backup firewall. But all state changes are not updated.
>
> I noticed the rsqueue "current elements" is rising constantly.
> # conntrackd -s queue
> allocated queue nodes:            0
>
> queue txqueue:
> current elements:            0
> maximum elements:   2147483647
> not enough space errors:            0
>
> queue errorq:
> current elements:            0
> maximum elements:          128
> not enough space errors:            0
>
> queue rsqueue:
> current elements:         5863
> maximum elements:       131072
> not enough space errors:            0
>
> Any idea what could cause this?
>
> Thank you.
>
> Le ven. 27 nov. 2020, à 14 h 04, Jean-Sébastien Frerot
> <jsfrerot@ludia.com> a écrit :
> >
> > Ok, I can understand if it's not working with more than 2 firewalls.
> > But it's not working with 2 !
> > The details I sent are only for 2 firewalls ATM.
> >
> >
> > Le ven. 27 nov. 2020, à 13 h 57, Pablo Neira Ayuso
> > <pablo@netfilter.org> a écrit :
> > >
> > > On Fri, Nov 27, 2020 at 11:56:22AM -0500, Jean-Sébastien Frerot wrote:
> > > > Hi, I'm trying to set up conntrackd in FTFW mode with the multicast protocol.
> > > > The problem I'm having is that my BACKUP firewall is not getting the
> > > > states as it's supposed to.
> > > > It's receiving the packets (confirmed by a tcpdump), but only a few
> > > > states are replicated, even when I used the '-B' option to resend all
> > > > the states to the slaves.
> > > >
> > > > If I configure it to use unicast UPD, all is working fine.
> > > > I was hoping to use multicast so I can migrate my current active
> > > > firewalls, to a new pair of firewalls. But for this to work, I need to
> > > > sync the states to all my 4 firewalls.
> > >
> > > FT-FW only works with 2 firewalls. For more than 2 firewalls, please
> > > try NOTRACK mode.
> > >
> > > FT-FW would need to be extended to support more than 2 firewalls, by
> > > adding some sort of node ID and independent retransmissions queues for
> > > each firewall in the cluster.