[CentOS] conntrack-tools and Session syncing
Dirk H. Schulz
dirk.schulz at kinzesberg.de
Wed Aug 13 08:27:13 UTC 2008
Hello Nataraj,
--On 12. August 2008 22:56:48 -0700 Nataraj <incoming-centos at rjl.com> wrote:
> On Sun, 2008-08-10 at 20:28 +0200, Dirk H. Schulz wrote:
- snip -
>> The setup works - using "conntrackd -e" I can see the connection table
>> entries the other router's conntrackd has synchronized. What I cannot
>> check is if the receiving conntrackd writes the received entries into
>> the kernel's connection tracking table.
>
- snip -
> Also: cat /proc/net/nf_conntrack
Okay, that was good (it is ip_conntrack, but never mind). Now I know that
the kernel connection table does NOT get updated. I just have to find out
why.
> The doc says you must have kernel 2.6.18 or later. It looks like there
> are some iptables features that you can use that will not allow this to
> work. Are you in compliance with all of the dependencies listed in
> http://conntrack-tools.netfilter.org/conntrackd.html ?
Yes, the libraries are installed. The kernel should meet the prerequisites:
CONFIG_NF_CONNTRACK=m: yes
CONFIG_NF_CONNTRACK_IPV4=m: no, did not find it, could not enable it
CONFIG_NETFILTER_NETLINK=m: yes
CONFIG_NF_CT_NETLINK=m: yes, it is called NF_CONNTRACK_NETLINK=m
CONFIG_NF_CONNTRACK_EVENTS=y: yes
So only the CONFIG_NF_CONNTRACK_IPV4 module is missing, but I thought that
connection tracking would not work at all (even on just one netfilter
instance) if a dedicated module for IPv4, in addition to the general
NF_CONNTRACK module, were really needed.
Is there a debug mode for conntrackd where I can get more verbose logging
to find out why conntrackd does not update the kernel connection table?
Docs do not mention a debug mode, but maybe ...
By the way, when committing manually (conntrackd -c) I get the following
entries in the log:
> [Tue Aug 12 12:51:49 2008] (pid=22668) [notice] Committed 139 new entries
> [Tue Aug 12 12:51:49 2008] (pid=22668) [notice] 2 entries can't be committed
> [Tue Aug 12 12:51:54 2008] (pid=22671) [notice] committing external cache
> [Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
> Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54930 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54930
> [Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
> Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54929 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54929
> [Tue Aug 12 12:51:54 2008] (pid=22671) [notice] Committed 139 new entries
> [Tue Aug 12 12:51:54 2008] (pid=22671) [notice] 2 entries can't be committed
Why can't all cache entries be committed? I did not find much about this.
My kernel is a 2.6.18-92.1.6.el5 (CentOS 5).
Thanks for your help.
Dirk
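Two small checks for the situation described in this message, added here as an example and not code from the post or from conntrack-tools: the first reads a kernel .config and reports which of the options listed above are neither built in nor modular (honouring the CONFIG_NF_CT_NETLINK / CONFIG_NF_CONNTRACK_NETLINK naming the post observes), the second walks a conntrackd log, pairs each "[ERROR] commit" line with the conntrack entry printed after it, and totals the committed and rejected counts. The sample kernel config is constructed to mirror the options reported above; the sample log is the excerpt quoted in the message with the mail wrapping undone. The function and constant names are my own.

```python
"""Diagnostics for a conntrackd sync setup (added example, not from the post or
from conntrack-tools): kernel-option check plus commit-error log parsing."""
import re

# Options the post lists as prerequisites. The alias covers the renamed option
# the post observes on its CentOS 5 kernel.
REQUIRED_OPTIONS = [
    "CONFIG_NF_CONNTRACK",
    "CONFIG_NF_CONNTRACK_IPV4",
    "CONFIG_NETFILTER_NETLINK",
    "CONFIG_NF_CT_NETLINK",
    "CONFIG_NF_CONNTRACK_EVENTS",
]
ALIASES = {"CONFIG_NF_CT_NETLINK": ["CONFIG_NF_CONNTRACK_NETLINK"]}


def parse_kernel_config(text):
    """Map CONFIG_* names to their value ('y', 'm', ...) or 'n' for '# ... is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\S+)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line.strip())
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_conntrack_config(text):
    """Return the required options that are neither built in nor modular under any name."""
    opts = parse_kernel_config(text)
    return [opt for opt in REQUIRED_OPTIONS
            if not any(opts.get(n) in ("y", "m") for n in [opt] + ALIASES.get(opt, []))]


LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \(pid=(?P<pid>\d+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")


def parse_flow(line):
    """Parse the conntrack entry conntrackd prints after a commit error, e.g.
    'Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=... [UNREPLIED] src=...'."""
    tokens = line.split()
    ts, rest = " ".join(tokens[:5]), tokens[5:]            # five-token timestamp
    proto, protonum, timeout, rest = rest[0], int(rest[1]), int(rest[2]), rest[3:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)                                  # tcp carries a state, udp does not
    orig, reply, flags, cur = {}, {}, [], None
    for tok in rest:
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
        elif "=" in tok:
            k, v = tok.split("=", 1)
            if k == "src":                                   # second src= opens the reply tuple
                cur = orig if not orig else reply
            if cur is not None:
                cur[k] = v
    return {"ts": ts, "proto": proto, "protonum": protonum, "timeout": timeout,
            "state": state, "flags": flags, "orig": orig, "reply": reply}


def parse_commit_log(text):
    """Total committed/rejected entries and collect every flow a commit error names."""
    summary = {"committed": 0, "not_committed": 0, "failed_flows": []}
    pending_error = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = LOG_LINE.match(line)
        if m:
            msg = m.group("msg")
            c = re.match(r"Committed (\d+) new entries", msg)
            if c:
                summary["committed"] += int(c.group(1))
                continue
            c = re.match(r"(\d+) entries can't be committed", msg)
            if c:
                summary["not_committed"] += int(c.group(1))
                continue
            if m.group("level") == "ERROR" and msg.startswith("commit:"):
                pending_error = msg[len("commit:"):].strip()
            continue
        if pending_error is not None:                        # the flow line follows its error
            flow = parse_flow(line)
            flow["error"] = pending_error
            summary["failed_flows"].append(flow)
            pending_error = None
    return summary


# Constructed kernel config mirroring what the post reports.
SAMPLE_CONFIG = """\
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK_NETLINK=m
CONFIG_NF_CONNTRACK_EVENTS=y
"""

# The log excerpt quoted in the post, with the mail wrapping undone.
SAMPLE_LOG = """\
[Tue Aug 12 12:51:49 2008] (pid=22668) [notice] Committed 139 new entries
[Tue Aug 12 12:51:49 2008] (pid=22668) [notice] 2 entries can't be committed
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] committing external cache
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54930 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54930
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54929 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54929
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] Committed 139 new entries
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] 2 entries can't be committed
"""

if __name__ == "__main__":
    print("missing kernel options:", check_conntrack_config(SAMPLE_CONFIG))
    s = parse_commit_log(SAMPLE_LOG)
    print(f"committed={s['committed']} rejected={s['not_committed']}")
    for f in s["failed_flows"]:
        print(f"  {f['error']}: {f['proto']} {f['state']} {f['flags']} "
              f"{f['orig']['src']}:{f['orig']['sport']} -> {f['orig']['dst']}:{f['orig']['dport']}")
```

Run against a real box, feed /boot/config-$(uname -r) to check_conntrack_config() and the conntrackd log to parse_commit_log(); grouping the failed flows by protocol, state and flags makes it easy to see whether the rejected entries share a pattern (in the excerpt above, both are unreplied TCP SYN_SENT entries).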