From 6643c43bd67d104e1107a9524acbfa5265b5b7b6 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 15 May 2021 11:04:30 +0200 Subject: conntrack-sync: improve overall documentation (cherry picked from commit 1c2d4401144553acd1dafdceadd6beda10ae87f1) --- docs/configuration/service/conntrack-sync.rst | 197 +++++++++++++++++--------- 1 file changed, 127 insertions(+), 70 deletions(-) (limited to 'docs/configuration/service/conntrack-sync.rst') diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 3c9f08e4..b38854d1 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -1,7 +1,8 @@ -.. include:: /_include/need_improvement.txt +.. _conntrack-sync: -Conntrack ---------- +############## +Conntrack Sync +############## One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows the kernel to keep track of all 
@@ -28,106 +29,165 @@ will be mandatorily defragmented. It is possible to use either Multicast or Unicast to sync conntrack traffic. Most examples below show Multicast, but unicast can be specified by using the -"peer" keywork after the specificed interface, as in the following example: +"peer" keywork after the specificed interface, as in the following example: -set service conntrack-sync interface eth0 peer 192.168.0.250 +:cfgcmd:`set service conntrack-sync interface eth0 peer 192.168.0.250` +************* Configuration -^^^^^^^^^^^^^ +************* -.. code-block:: none + .. cfgcmd:: set service conntrack-sync accept-protocol - # Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp) - set service conntrack-sync accept-protocol + Accept only certain protocols: You may want to replicate the state of flows + depending on their layer 4 protocol. - # Queue size for listening to local conntrack events (in MB) - set service conntrack-sync event-listen-queue-size + Protocols are: tcp, sctp, udp and icmp. - # Protocol for which expect entries need to be synchronized. (all, ftp, h323, nfs, sip, sqlnet) - set service conntrack-sync expect-sync + .. note:: When using multiple protocols they must be separated by comma. - # Failover mechanism to use for conntrack-sync [REQUIRED] - set service conntrack-sync failover-mechanism + .. cfgcmd:: set service conntrack-sync event-listen-queue-size - set service conntrack-sync cluster group - set service conntrack-sync vrrp sync-group <1-255> + The daemon doubles the size of the netlink event socket buffer size if it + detects netlink event message dropping. This clause sets the maximum buffer + size growth that can be reached. - # IP addresses for which local conntrack entries will not be synced - set service conntrack-sync ignore-address ipv4 + Queue size for listening to local conntrack events in MB. 
- # Interface to use for syncing conntrack entries [REQUIRED] - set service conntrack-sync interface - - # Multicast group to use for syncing conntrack entries - set service conntrack-sync mcast-group - - # Peer to send Unicast UDP conntrack sync entires to, if not using Multicast above - set service conntrack-sync interface peer + .. cfgcmd:: set service conntrack-sync expect-sync - # Queue size for syncing conntrack entries (in MB) - set service conntrack-sync sync-queue-size + Protocol for which expect entries need to be synchronized. -Example -^^^^^^^ -The next example is a simple configuration of conntrack-sync. + .. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group + Failover mechanism to use for conntrack-sync. -.. figure:: /_static/images/service_conntrack_sync-schema.png - :scale: 60 % - :alt: Conntrack Sync Example + Only VRRP is supported. Required option. - Conntrack Sync Example + .. cfgcmd:: set service conntrack-sync ignore-address ipv4 -First of all, make sure conntrack is enabled by running + IP addresses or networks for which local conntrack entries will not be synced -.. code-block:: none + .. cfgcmd:: set service conntrack-sync interface - show conntrack table ipv4 + Interface to use for syncing conntrack entries. -If the table is empty and you have a warning message, it means conntrack is not -enabled. To enable conntrack, just create a NAT or a firewall rule. + .. cfgcmd:: set service conntrack-sync mcast-group -.. code-block:: none + Multicast group to use for syncing conntrack entries. - set firewall state-policy established action accept + Defaults to 225.0.0.50. -You now should have a conntrack table + .. cfgcmd:: set service conntrack-sync interface peer
-.. code-block:: none + Peer to send unicast UDP conntrack sync entires to, if not using Multicast + configuration from above above. - $ show conntrack table ipv4 - TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, - FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK, - TW - TIME WAIT, CL - CLOSE, LI - LISTEN + .. cfgcmd:: set service conntrack-sync sync-queue-size - CONN ID Source Destination Protocol TIMEOUT - 1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279 - 1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310 - 1006237088 10.100.68.100 172.31.120.21 icmp [1] 29 - 1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300 - 1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29 - 1006239392 10.35.101.221 172.31.120.21 icmp [1] 29 + Queue size for syncing conntrack entries in MB. -Now configure conntrack-sync service on ``router1`` **and** ``router2`` +********* +Operation +********* -.. code-block:: none +.. opcmd:: show conntrack table ipv4 - set service conntrack-sync accept-protocol 'tcp,udp,icmp' - set service conntrack-sync event-listen-queue-size '8' - set service conntrack-sync failover-mechanism cluster group 'GROUP' - set service conntrack-sync interface 'eth0' - set service conntrack-sync mcast-group '225.0.0.50' - set service conntrack-sync sync-queue-size '8' + Make sure conntrack is enabled by running and show connection tracking table. + + .. 
code-block:: none + + vyos@vyos:~$ show conntrack table ipv4 + TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, + FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK, + TW - TIME WAIT, CL - CLOSE, LI - LISTEN + + CONN ID Source Destination Protocol TIMEOUT + 1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279 + 1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310 + 1006237088 10.100.68.100 172.31.120.21 icmp [1] 29 + 1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300 + 1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29 + 1006239392 10.35.101.221 172.31.120.21 icmp [1] 29 + + .. note:: If the table is empty and you have a warning message, it means + conntrack is not enabled. To enable conntrack, just create a NAT or a firewall + rule. :cfgcmd:`set firewall state-policy established action accept` + +.. opcmd:: show conntrack-sync external-cache + + Show connection syncing external cache entries + +.. opcmd:: show conntrack-sync internal-cache + + Show connection syncing internal cache entries + +.. opcmd:: show conntrack-sync statistics + + Retrieve current statistics of connection tracking subsystem. + + .. code-block:: none + + vyos@vyos:~$ show conntrack-sync statistics + Main Table Statistics: + + cache internal: + current active connections: 19606 + connections created: 6298470 failed: 0 + connections updated: 3786793 failed: 0 + connections destroyed: 6278864 failed: 0 -If you are using VRRP, you need to define a VRRP sync-group, and use -``vrrp sync-group`` instead of ``cluster group``. 
+ cache external: + current active connections: 15771 + connections created: 1660193 failed: 0 + connections updated: 77204 failed: 0 + connections destroyed: 1644422 failed: 0 + + traffic processed: + 0 Bytes 0 Pckts + + multicast traffic (active device=eth0.5): + 976826240 Bytes sent 212898000 Bytes recv + 8302333 Pckts sent 2009929 Pckts recv + 0 Error send 0 Error recv + + message tracking: + 0 Malformed msgs 263 Lost msgs + + +.. opcmd:: show conntrack-sync status + + Retrieve current status of connection tracking subsystem. + + .. code-block:: none + + vyos@vyos:~$ show conntrack-sync status + sync-interface : eth0.5 + failover-mechanism : vrrp [sync-group GEFOEKOM] + last state transition : no transition yet! + ExpectationSync : disabled + + +******* +Example +******* + +The next example is a simple configuration of conntrack-sync. + +.. figure:: /_static/images/service_conntrack_sync-schema.png + :scale: 60 % + :alt: Conntrack Sync Example + +Now configure conntrack-sync service on ``router1`` **and** ``router2`` .. code-block:: none set high-availablilty vrrp group internal virtual-address ... etc ... set high-availability vrrp sync-group syncgrp member 'internal' + set service conntrack-sync accept-protocol 'tcp,udp,icmp' set service conntrack-sync failover-mechanism vrrp sync-group 'syncgrp' - + set service conntrack-sync interface 'eth0' + set service conntrack-sync mcast-group '225.0.0.50' On the active router, you should have information in the internal-cache of conntrack-sync. The same current active connections number should be shown in @@ -164,11 +224,8 @@ On active router run: message tracking: 0 Malformed msgs 0 Lost msgs - - On standby router run: - .. code-block:: none -- cgit v1.2.3
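Review bot: In the second hunk the rewritten `expect-sync` entry ("Protocol for which expect entries need to be synchronized.") drops the list of accepted values that the replaced line carried (`all, ftp, h323, nfs, sip, sqlnet`); keep that enumeration the way `accept-protocol` keeps its `tcp, sctp, udp and icmp`, otherwise the reader has no way to know what the option takes. The same hunk carries over or introduces several typos that will ship in the rendered page: the unicast line still reads `"peer" keywork after the specificed interface`, the `interface peer` description says `sync entires` and `from above above`, and the `show conntrack table ipv4` description reads `Make sure conntrack is enabled by running and show connection tracking table.` (suggest: `Show the connection tracking table; use it to confirm conntrack is enabled.`). While the example block is being touched, the unchanged context line `set high-availablilty vrrp group internal virtual-address` should be corrected to `high-availability`, since that is the command a reader will copy. Lastly, now that the `peer` text states that sync entries are sent as unicast UDP (and by default to multicast group 225.0.0.50), the `interface` entry would benefit from one sentence recommending a dedicated link between the two routers for the sync traffic rather than a customer-facing interface.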