Hello Nataraj,

--On 12. August 2008 22:56:48 -0700 Nataraj <incoming-centos at rjl.com> wrote:

> On Sun, 2008-08-10 at 20:28 +0200, Dirk H. Schulz wrote:
- snip -
>> The setup works - using "conntrackd -e" I can see the connection table
>> entries the other router's conntrackd has synchronized. What I cannot
>> check is if the receiving conntrackd writes the received entries into
>> the kernel's connection tracking table.
>
- snip -
> Also: cat /proc/net/nf_conntrack

Okay, that was good (it is ip_conntrack, but never mind). Now I know that the kernel connection table does NOT get updated. Just have to find out why.

> The doc says you must have kernel 2.6.18 or later. It looks like there
> are some iptables features that you can use that will not allow this to
> work. Are you in compliance with all of the dependencies listed in
> http://conntrack-tools.netfilter.org/conntrackd.html ?

Yes, the libraries are installed. The kernel should meet the prerequisites:

CONFIG_NF_CONNTRACK=m: yes
CONFIG_NF_CONNTRACK_IPV4=m: no, did not find it, could not enable it
CONFIG_NETFILTER_NETLINK=m: yes
CONFIG_NF_CT_NETLINK=m: yes, it is called NF_CONNTRACK_NETLINK=m
CONFIG_NF_CONNTRACK_EVENTS=y: yes

So only the CONFIG_NF_CONNTRACK_IPV4 module is missing, but I thought that connection tracking would not work at all (even on just one netfilter instance) if a dedicated module for IPv4 in addition to the general NF_CONNTRACK module were really needed.

Is there a debug mode for conntrackd where I can get more verbose logging to find out why conntrackd does not update the kernel connection table? Docs do not mention a debug mode, but maybe ...
By the way, when committing manually (conntrackd -c) I get the following entries in the log:

> [Tue Aug 12 12:51:49 2008] (pid=22668) [notice] Committed 139 new entries
> [Tue Aug 12 12:51:49 2008] (pid=22668) [notice] 2 entries can't be committed
> [Tue Aug 12 12:51:54 2008] (pid=22671) [notice] committing external cache
> [Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
> Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54930 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54930
> [Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
> Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54929 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54929
> [Tue Aug 12 12:51:54 2008] (pid=22671) [notice] Committed 139 new entries
> [Tue Aug 12 12:51:54 2008] (pid=22671) [notice] 2 entries can't be committed

Why cannot all cache entries be committed? I did not find much about this.

My kernel is a 2.6.18-92.1.6.el5 (CentOS 5).

Thanks for your help.

Dirk
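The two checks Dirk does by hand in this message (comparing the kernel config against the option list on the conntrackd page, and picking the refused entries out of the "conntrackd -c" log) can be scripted. The following is an added example and is not code from the thread or from conntrack-tools. It assumes that an option counts as satisfied whether it is built in (=y) or modular (=m), that CONFIG_NF_CONNTRACK_NETLINK is an acceptable spelling of CONFIG_NF_CT_NETLINK as the message states, and that the entry conntrackd could not commit is always the log line printed directly after a "commit: Invalid argument" error, which is what the quoted log shows. The sample .config excerpt is constructed; the sample log lines are the ones quoted in the message, without the quote prefix.

```sh
#!/bin/sh
# Added example (not from the thread or from conntrack-tools).
# 1) report which conntrackd kernel prerequisites a .config lacks
# 2) extract the entries that "conntrackd -c" refused to commit

# Options listed on http://conntrack-tools.netfilter.org/conntrackd.html;
# alternatives separated by '|' (the CentOS 5 kernel in the thread spells
# CONFIG_NF_CT_NETLINK as CONFIG_NF_CONNTRACK_NETLINK). Assumption: =y and
# =m both satisfy a requirement.
REQUIRED_OPTIONS="CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_NETLINK CONFIG_NF_CT_NETLINK|CONFIG_NF_CONNTRACK_NETLINK CONFIG_NF_CONNTRACK_EVENTS"

# missing_options CONFIG_FILE
# Prints one line per required option that is neither =y nor =m.
missing_options() {
    cfg=$1
    for opt in $REQUIRED_OPTIONS; do
        found=0
        for name in $(printf '%s' "$opt" | tr '|' ' '); do
            if grep -Eq "^$name=(y|m)$" "$cfg"; then
                found=1
            fi
        done
        [ "$found" -eq 0 ] && echo "$opt"
    done
    return 0
}

# uncommitted_entries LOGFILE
# Prints the conntrack entry that follows each "commit: Invalid argument".
uncommitted_entries() {
    awk '
        /\[ERROR\] commit:/ { want = 1; next }
        want == 1          { print; want = 0 }
    ' "$1"
}

# conntrack_table
# Newer kernels expose /proc/net/nf_conntrack, the thread's 2.6.18 kernel
# only /proc/net/ip_conntrack; print whichever is readable.
conntrack_table() {
    for p in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# write_samples DIR
# Constructed .config excerpt mirroring the message; log lines as quoted.
write_samples() {
    cat > "$1/config" <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK_NETLINK=m
CONFIG_NF_CONNTRACK_EVENTS=y
EOF
    cat > "$1/conntrackd.log" <<'EOF'
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] committing external cache
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54930 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54930
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54929 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54929
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] Committed 139 new entries
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] 2 entries can't be committed
EOF
}

# Demo run against the constructed samples. On a real box use
# /boot/config-$(uname -r) and the conntrackd log file instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Missing kernel options:"
missing_options "$demo_dir/config"
echo "Entries conntrackd could not commit:"
uncommitted_entries "$demo_dir/conntrackd.log"
conntrack_table || echo "no conntrack table under /proc/net on this host"
```

On the constructed sample the first function reports only CONFIG_NF_CONNTRACK_IPV4 and the second prints the two SYN_SENT [UNREPLIED] entries, which is what the message shows; the script does not claim to know why those two are rejected.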