Diffstat (limited to 'doc')
-rw-r--r--doc/manual/conntrack-tools.html202
-rw-r--r--doc/sync/keepalived-multi1.conf71
-rw-r--r--doc/sync/keepalived-multi2.conf71
-rwxr-xr-xdoc/sync/multiprimary.sh212
4 files changed, 556 insertions, 0 deletions
diff --git a/doc/manual/conntrack-tools.html b/doc/manual/conntrack-tools.html
new file mode 100644
index 0000000..c2702b1
--- /dev/null
+++ b/doc/manual/conntrack-tools.html
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The conntrack-tools user manual</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.72.0" /></head><body><div class="book" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="conntrack-tools-how-to"></a>The conntrack-tools user manual</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Pablo</span> <span class="surname">Neira Ayuso</span></h3><div class="affiliation"><div class="address"><p><br />
+      <code class="email">&lt;<a href="mailto:pablo@netfilter.org">pablo@netfilter.org</a>&gt;</code><br />
+     </p></div></div></div></div></div><div><p class="releaseinfo">
+ This document details how to install and configure the
+ <a href="http://conntrack-tools.netfilter.org" target="_top">conntrack-tools</a>
+ 0.9.8. This software is under development, for that reason, it is likely
+ that this document will evolve in the future to cover new features and
+ changes.</p></div><div><p class="copyright">Copyright © 2008 Pablo Neira Ayuso</p></div><div><div class="legalnotice"><a id="id2592572"></a><p>
+ Permission is granted to copy, distribute and/or modify this document
+ under the terms of the GNU Free Documentation License, Version 1.2
+ or any later version published by the Free Software Foundation;
+ with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
+ A copy of the license is included in the section entitled "GNU
+ Free Documentation License".
+ </p></div></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dt><span class="chapter"><a href="#what">2. What are the conntrack-tools?</a></span></dt><dt><span class="chapter"><a href="#requirements">3. Requirements</a></span></dt><dt><span class="chapter"><a href="#Installation">4. Installation</a></span></dt><dt><span class="chapter"><a href="#conntrack">5. Using conntrack: the command line interface</a></span></dt><dt><span class="chapter"><a href="#settingup">6. Setting up conntrackd: the daemon</a></span></dt><dd><dl><dt><span class="sect1"><a href="#sync">State table synchronization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#sync-requirements">Requirements</a></span></dt><dt><span class="sect2"><a href="#sync-configure">Configuring the daemon</a></span></dt><dt><span class="sect2"><a href="#sync-pb">Active-Backup setup</a></span></dt><dt><span class="sect2"><a href="#sync-aa">Active-Active setup</a></span></dt><dt><span class="sect2"><a href="#sync-launch">Launching conntrackd</a></span></dt><dt><span class="sect2"><a href="#sync-trouble">Troubleshooting</a></span></dt></dl></dd></dl></dd></dl></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="introduction"></a>Chapter 1. Introduction</h2></div></div></div><p>This document should be a kick-off point to install and configure the
+ <a href="http://conntrack-tools.netfilter.org" target="_top">conntrack-tools</a>.
+ If you find any error or imprecision in this document, please send an email
+ to the author, it will be appreciated.</p><p>In this document, the author assumes that the reader is familiar with firewalling concepts and iptables in general. If this is not your case, I suggest you to read the iptables documentation before going ahead. Moreover, the reader must also understand the difference between <span class="emphasis"><em>stateful</em></span> and <span class="emphasis"><em>stateless</em></span> firewalls. If this is not your case, I strongly suggest you to read the article <a href="http://people.netfilter.org/pablo/docs/login.pdf" target="_top">Netfilter's Connection Tracking System</a> published in <span class="emphasis"><em>:login; the USENIX magazine</em></span>. That document contains a general description that should help to clarify the concepts.</p><p>If you do not fulfill the previous requirements, this documentation is likely to be a source of frustration. Probably, you wonder why I'm insisting on these prerequisites too much, the fact is that if your iptables rule-set is <span class="emphasis"><em>stateless</em></span>, it is very likely that the <span class="emphasis"><em>conntrack-tools</em></span> will not be of any help for you. You have been warned!</p></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="what"></a>Chapter 2. What are the conntrack-tools?</h2></div></div></div><p>The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators interact, from user-space, with the in-kernel <a href="http://people.netfilter.org/pablo/docs/login.pdf" target="_top">Connection Tracking System</a>, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. However, if any of the rules of your rule-set use the <span class="emphasis"><em>state</em></span> or <span class="emphasis"><em>ctstate</em></span> iptables matches, you are indeed using it.
+
+ </p><p>The <a href="http://conntrack-tools.netfilter.org" target="_top">conntrack-tools</a> package contains two programs:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>conntrack</em></span> is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events.</p></li><li><p><span class="emphasis"><em>conntrackd</em></span> is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls but you can also use it to collect flow-based statistics of the firewall use.</p></li></ul></div><p>Although the name of both tools is very similar - and you can blame me for that, I'm not a marketing guy - they are used for very different tasks.</p></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="requirements"></a>Chapter 3. Requirements</h2></div></div></div><p>You have to install the following software in order to get the <span class="emphasis"><em>conntrack-tools</em></span> working. 
Make sure that you have installed them correctly before going ahead:</p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www.kernel.org" target="_top">Linux kernel</a> version &gt;= 2.6.18 that, at least, has support for:</p><div class="itemizedlist"><ul type="circle"><li><p>Connection Tracking System.</p><div class="itemizedlist"><ul type="square"><li><p>CONFIG_NF_CONNTRACK=m</p></li><li><p>CONFIG_NF_CONNTRACK_IPV4=m</p></li><li><p>CONFIG_NF_CONNTRACK_IPV6=m (if your setup supports IPv6)</p></li></ul></div></li><li><p>nfnetlink: the generic messaging interface for Netfilter.</p><div class="itemizedlist"><ul type="square"><li><p>CONFIG_NETFILTER_NETLINK=m</p></li></ul></div></li><li><p>nf_conntrack_netlink: the messaging interface for the Connection Tracking System.</p><div class="itemizedlist"><ul type="square"><li><p>CONFIG_NF_CT_NETLINK=m</p></li></ul></div></li><li><p>connection tracking event notification API: the flow-based event notification interface.</p><div class="itemizedlist"><ul type="square"><li><p>CONFIG_NF_CONNTRACK_EVENTS=y</p></li></ul></div></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Verifying kernel support"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Verifying kernel support</th></tr><tr><td align="left" valign="top"><p>
+ Make sure you have loaded <span class="emphasis"><em>nf_conntrack</em></span>, <span class="emphasis"><em>nf_conntrack_ipv4</em></span> (if your setup also supports IPv6, <span class="emphasis"><em>nf_conntrack_ipv6</em></span>) and <span class="emphasis"><em>nf_conntrack_netlink</em></span>.
+ </p></td></tr></table></div></li><li><p>libnfnetlink: the netfilter netlink library use the official release available in <a href="http://www.netfilter.org" target="_top">netfilter.org</a></p></li><li><p>libnetfilter_conntrack: the netfilter netlink library use the official release available in <a href="http://www.netfilter.org" target="_top">netfilter.org</a></p></li></ul></div></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="Installation"></a>Chapter 4. Installation</h2></div></div></div><p>To compile and install the <span class="emphasis"><em>conntrack-tools</em></span> run the following commands:</p><pre class="programlisting">
+ (non-root)$ tar xvjf conntrack-tools-x.x.x.tar.bz2
+ (non-root)$ cd conntrack-tools-x.x.x
+ (non-root)$ ./configure --prefix=/usr
+ (non-root)$ make
+ (root) # make install</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Fedora Users"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Fedora Users</th></tr><tr><td align="left" valign="top"><p>If you are installing the libraries in /usr/local/, do not forget to do the following things:</p><div class="itemizedlist"><ul type="disc"><li><p>PKG_CONFIG_PATH=/usr/local/lib/pkgconfig; export PKG_CONFIG_PATH</p></li><li><p>Add `/usr/local/lib' to your /etc/ld.so.conf file and run `ldconfig'</p></li></ul></div><p>Check `ldd' for trouble-shooting, read <a href="http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html" target="_top">this</a> for more information on how libraries work.</p></td></tr></table></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Verifying kernel support"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Verifying kernel support</th></tr><tr><td align="left" valign="top"><p>To check that the modules are enabled in the kernel, run <span class="emphasis"><em>`conntrack -E'</em></span> and generate traffic, you should see flow events reporting new connections and updates.
+ </p></td></tr></table></div></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="conntrack"></a>Chapter 5. Using conntrack: the command line interface</h2></div></div></div><p>The <span class="emphasis"><em>/proc/net/ip_conntrack</em></span> interface is very limited as it only allows you to display the existing flows, their state and other information:</p><pre class="programlisting">
+ # cat /proc/net/ip_conntrack
+ tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1
+ tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1
+ </pre><p>The command line tool <span class="emphasis"><em>conntrack</em></span> can be used to display the same information:</p><pre class="programlisting">
+ # conntrack -L
+ tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1
+ tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1
+conntrack v0.9.7 (conntrack-tools): 2 flow entries has been shown.
+ </pre><p>You can natively filter the output without using <span class="emphasis"><em>grep</em></span>:</p><pre class="programlisting">
+ # conntrack -L -p tcp --dport 34856
+ tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1
+conntrack v0.9.7 (conntrack-tools): 1 flow entries has been shown.
+ </pre><p>Update the mark based on a selection, this allows you to change the mark of an entry without using the CONNMARK target:</p><pre class="programlisting">
+ # conntrack -U -p tcp --dport 3486 --mark 10
+ tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1
+conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated.
+ </pre><p>Delete one entry, this can be used to block traffic (you have to set <span class="emphasis"><em>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</em></span> to zero).</p><pre class="programlisting">
+ # conntrack -D -p tcp --dport 3486
+ tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1
+conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted.
+ </pre><p>Display the connection tracking events:</p><pre class="programlisting">
+ # conntrack -E
+ [NEW] udp 17 30 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 [UNREPLIED] src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767
+ [UPDATE] udp 17 29 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767
+ [NEW] tcp 6 120 SYN_SENT src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 [UNREPLIED] src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379
+ [UPDATE] tcp 6 60 SYN_RECV src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379
+ [UPDATE] tcp 6 432000 ESTABLISHED src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 [ASSURED]
+</pre><p>You can also display the existing flows in XML format, filter the output based on the NAT handling applied, etc.</p></div><div class="chapter" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="settingup"></a>Chapter 6. Setting up conntrackd: the daemon</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#sync">State table synchronization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#sync-requirements">Requirements</a></span></dt><dt><span class="sect2"><a href="#sync-configure">Configuring the daemon</a></span></dt><dt><span class="sect2"><a href="#sync-pb">Active-Backup setup</a></span></dt><dt><span class="sect2"><a href="#sync-aa">Active-Active setup</a></span></dt><dt><span class="sect2"><a href="#sync-launch">Launching conntrackd</a></span></dt><dt><span class="sect2"><a href="#sync-trouble">Troubleshooting</a></span></dt></dl></dd></dl></div><p>The daemon <span class="emphasis"><em>conntrackd</em></span> supports two working modes:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>State table synchronization</em></span>: the daemon can be used to synchronize the connection tracking state table between several firewall replicas. This can be used to deploy fault-tolerant stateful firewalls. This is the main feature of the daemon.</p></li><li><p><span class="emphasis"><em>Flow-based statistics collection</em></span>: the daemon can be used to collect flow-based statistics. 
This feature is similar to what <a href="http://www.netfilter.org/projects/ulogd2/" target="_top">ulogd-2.x</a> provides.</p></li></ul></div><div class="sect1" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="sync"></a>State table synchronization</h2></div></div></div><div class="sect2" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="sync-requirements"></a>Requirements</h3></div></div></div><p>In order to get <span class="emphasis"><em>conntrackd</em></span> working in synchronization mode, you have to fulfill the following requirements:</p><div class="orderedlist"><ol type="1"><li><p>A <span class="emphasis"><em>high availability manager</em></span> like <a href="http://www.keepalived.org" target="_top">keepalived</a> that manages the virtual IPs of the
+ firewall cluster, detects errors, and decide when to migrate the virtual IPs
+ from one firewall replica to another. Without it, <span class="emphasis"><em>conntrackd</em></span> will not work appropriately.</p><p>The state synchronization setup requires a working installation of <a href="http://www.keepalived.org" target="_top">keepalived</a>, preferibly a recent version. Check if your distribution comes with a recent packaged version. Otherwise, you may compile it from the sources.
+ </p><p>
+ There is a very simple example file in the <span class="emphasis"><em>conntrackd</em></span>
+ sources to setup a simple HA cluster with keepalived (see the file
+ keepalived.conf under the doc/sync/ directory). This file can be used to
+ set up a simple VRRP cluster composed of two machines that hold the virtual
+ IPs 192.168.0.100 on eth0 and 192.168.1.100 on eth1.</p><p>If you are not familiar with <span class="emphasis"><em>keepalived</em></span>, please
+ read the official documentation available at the keepalived website
+ (<a href="http://www.keepalived.org" target="_top">http://www.keepalived.org</a>).</p><p>If you use a different high availability manager, make sure it works correctly before going ahead.</p></li><li><p>A dedicated link. The dedicated link between the firewalls is used
+ to transmit and receive the state information. The use of a dedicated link
+ is mandatory for security reasons as someone may pick the state information
+ that is transfered between the firewalls.</p></li><li><p>A well-formed stateful rule-set. Otherwise you are likely to experience
+ problems during the fail-over. An example of a well-formed stateful iptables
+ rule-set is available in the <a href="http://conntrack-tools.netfilter.org/testcase.html" target="_top">conntrack-tools website</a>.</p></li><li><p>If your Linux kernel is &lt; 2.6.22, you have to disable TCP window
+ tracking:
+ </p><pre class="programlisting">
+ # echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+ </pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="sync-configure"></a>Configuring the daemon</h3></div></div></div><p>The daemon <span class="emphasis"><em>conntrackd</em></span> in synchronization mode
+ supports up to three replication approaches:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>notrack</em></span>: this approach is the most simple as
+ it is based on a best effort replication protocol, ie. unreliable
+ protocol. This protocol sends and receives the state information
+ without performing any specific checking.
+ </p></li><li><p><span class="emphasis"><em>ft-fw</em></span>: this approach is based on a reliable
+ protocol that performs message tracking. Thus, the protocol can recover
+ from message loss, re-ordering and corruption.</p></li><li><p><span class="emphasis"><em>alarm</em></span>: this approach is spamming. It is based
+ on a alarm-based protocol that periodically re-sends the flow state to
+ the backup firewall replicas. This protocol consumes a lot of bandwidth
+ but it resolves synchronization problems fast.</p></li></ul></div><p>The three existing approaches are soft real-time asynchronous
+ replication protocols that are aimed to have negligible impact in terms
+ of latency and bandwidth throughput in the stateful firewall filtering.</p><p>To configure <span class="emphasis"><em>conntrackd</em></span> in any of the existing
+ synchronization modes, you have to copy the example configuration file to
+ the directory /etc/conntrackd/ on every firewall replica. Note that
+ <span class="emphasis"><em>_type_</em></span> is the synchronization type selected.</p><pre class="programlisting">
+ (conntrack-tools-x.x.x)# cp doc/_type_/conntrackd.conf /etc/conntrackd/conntrackd.conf
+</pre><p>
+ Do not forget to edit the files before going ahead. There are several
+ parameters that you have to tune to adapt the example configuration file
+ to your setup.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Configuration file location"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png" /></td><th align="left">Configuration file location</th></tr><tr><td align="left" valign="top"><p>If you don't want to put the config file under /etc/conntrackd/, just tell conntrackd where to find it passing the option -C.</p></td></tr></table></div></div><div class="sect2" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="sync-pb"></a>Active-Backup setup</h3></div></div></div><p>In the Active-Backup setup, one of the stateful firewall replicas
+ filters traffic and the other acts as backup. If you use this approach,
+ you have to copy the script <span class="emphasis"><em>primary-backup.sh</em></span> to:
+ </p><pre class="programlisting">
+ (conntrack-tools-x.x.x)# cp doc/sync/primary-backup.sh /etc/conntrackd/
+</pre><p>The HA manager invokes this script when a transition happens, ie. If
+ a stateful firewall replica:</p><div class="itemizedlist"><ul type="disc"><li><p>becomes active to recover the filtering.</p></li><li><p>becomes backup.</p></li><li><p>hits failure (this is available if the HA manager has a failure state, which is true for <a href="http://www.keepalived.org" target="_top">keepalived</a>.</p></li></ul></div><p>The script is simple, and it contains the different actions that
+ <span class="emphasis"><em>conntrackd</em></span> performs to recover the filtering or
+ purge obsolete entries from the state table, among others. The script is
+ commented, you can have a look at it if you need further information.</p></div><div class="sect2" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="sync-aa"></a>Active-Active setup</h3></div></div></div><p>The Active-Active setup consists of having more than one stateful
+ firewall replicas actively filtering traffic. Thus, we reduce the resource
+ waste that implies to have a backup firewall which does nothing.</p><p>We can classify the type of Active-Active setups in several
+ families:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Symmetric path routing</em></span>: The stateful firewall
+ replicas share the workload in terms of flows, ie. the packets that are
+ part of a flow are always filtered by the same firewall.</p></li><li><p><span class="emphasis"><em>Asymmetric multi-path routing</em></span>: The packets that
+ are part of a flow can be filtered by whatever stateful firewall in the
+ cluster. Thus, every flow-states have to be propagated to all the firewalls
+ in the cluster as we do not know which one would be the next to filter a
+ packet. This setup goes against the design of stateful firewalls as we
+ define the filtering policy based on flows, not in packets anymore.
+ </p></li></ul></div><p>As for 0.9.8, the design of <span class="emphasis"><em>conntrackd</em></span> allows you
+ to deploy an symmetric Active-Active setup based on a static approach.
+ For example, assume that you have two virtual IPs, vIP1 and vIP2, and two
+ firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the
+ firewall FW1 and the vIP2 to the FW2.
+ </p><p>Unfortunately, you will have to wait for the support for the
+ Active-Active setup based on dynamic approach, ie. a workload sharing setup
+ without directors that allow the stateful firewall share the filtering.</p><p>On the other hand, the asymmetric scenario may work if your setup
+ fulfills several strong assumptions. However, in the opinion of the author
+ of this work, the asymmetric setup goes against the design of stateful
+ firewalls and <span class="emphasis"><em>conntrackd</em></span>. Therefore, you have two
+ choices here: you can deploy an Active-Backup setup or go back to your
+ old stateless rule-set (in that case, the conntrack-tools will not be
+ of any help anymore, of course).</p></div><div class="sect2" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="sync-launch"></a>Launching conntrackd</h3></div></div></div><p>
+ Once you have configured <span class="emphasis"><em>conntrackd</em></span>, you can run in
+ <span class="emphasis"><em>console mode</em></span> which is an interactive mode, in that case
+ type 'conntrackd' as root.</p><pre class="programlisting">(root)# conntrackd</pre><p>If you want to run <span class="emphasis"><em>conntrackd</em></span> in <span class="emphasis"><em>daemon
+ mode</em></span>, then type:</p><pre class="programlisting">(root)# conntrackd -d</pre><p>You can verify that conntrackd is running by checking the log messages
+ via <span class="emphasis"><em>ps</em></span>. Moreover, if <span class="emphasis"><em>conntrackd</em></span> is
+ running fine, you can dump the current status of the daemon:</p><pre class="programlisting">
+ # conntrackd -s
+ cache internal:
+ current active connections: 4
+ connections created: 4 failed: 0
+ connections updated: 0 failed: 0
+ connections destroyed: 0 failed: 0
+
+ cache external:
+ current active connections: 0
+ connections created: 0 failed: 0
+ connections updated: 0 failed: 0
+ connections destroyed: 0 failed: 0
+
+ traffic processed:
+ 0 Bytes 0 Pckts
+
+ multicast traffic:
+ 352 Bytes sent 0 Bytes recv
+ 22 Pckts sent 0 Pckts recv
+ 0 Error send 0 Error recv
+
+ multicast sequence tracking:
+ 0 Pckts mfrm 0 Pckts lost
+ </pre><p>This command displays the number of entries in the internal and
+ external cache:</p><div class="itemizedlist"><ul type="disc"><li><p>The internal cache contains the states that this firewall replica is filtering, ie. this is a cache of the kernel state table.
+ </p></li><li><p>The external cache contains the states that the other firewall replica is filtering.
+ </p></li></ul></div><p>You can dump the internal cache with the following command:</p><pre class="programlisting">
+ # conntrackd -i
+ tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=58491 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=58491 [ASSURED] mark=0 secmark=0 [active since 536s]
+ tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38211 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38211 [ASSURED] mark=0 secmark=0 [active since 536s]
+ tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38209 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38209 [ASSURED] mark=0 secmark=0 [active since 536s]
+ tcp 6 TIME_WAIT src=192.168.2.100 dst=74.125.45.166 sport=42593 dport=80 src=74.125.45.166 dst=192.168.2.100 sport=80 dport=42593 [ASSURED] [active since 165s]
+ tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=37962 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=37962 [ASSURED] mark=0 secmark=0 [active since 536s]
+ </pre><p>You can dump the external cache with the following command:</p><pre class="programlisting"># conntrackd -e</pre><p>If the replication works fine, <span class="emphasis"><em>conntrackd -s</em></span>
+ displays the active's internal cache should display the same number of
+ entries than the backup's external cache and vice-versa.</p><p>To verify that the recovery works fine, if you trigger a fail-over,
+ the log files should display the following information:</p><pre class="programlisting">
+ [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] committing external cache
+ [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] Committed 1545 new entries</pre><p>This means that the state entries have been injected into the kernel correctly.</p></div><div class="sect2" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="sync-trouble"></a>Troubleshooting</h3></div></div></div><p>Problems with <span class="emphasis"><em>conntrackd</em></span>? The following list
+ of questions should help for troubleshooting:</p><div class="qandaset"><dl><dt>1. <a href="#id2553370">
+ I see packets lost in conntrackd -s
+ </a></dt><dt>2. <a href="#id2553403">
+ The log messages report that the maximum netlink socket buffer has been reached.
+ </a></dt><dt>3. <a href="#id2553432">
+ I see can't open multicast server in the log messages
+ </a></dt><dt>4. <a href="#id2602252">
+ Can I use wackamole, heartattack or any other HA manager?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%" /><tbody><tr class="question"><td align="left" valign="top"><a id="id2553370"></a><a id="id2553372"></a><b>1.</b></td><td align="left" valign="top"><p>
+ I see <span class="emphasis"><em>packets lost</em></span> in <span class="emphasis"><em>conntrackd -s</em></span>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ You can rise the value of <span class="emphasis"><em>McastRcvSocketBuffer</em></span> and <span class="emphasis"><em>McastRcvSocketBuffer</em></span>, if the problem is due to buffer overruns in the multicast sender or the receiver, the problem should disapear.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2553403"></a><a id="id2553405"></a><b>2.</b></td><td align="left" valign="top"><p>
+ The log messages report that the <span class="emphasis"><em>maximum netlink socket buffer has been reached</em></span>.
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ You can increase the values of <span class="emphasis"><em>SocketBufferSize</em></span> and <span class="emphasis"><em>SocketBufferSizeMaxGrown</em></span>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2553432"></a><a id="id2553435"></a><b>3.</b></td><td align="left" valign="top"><p>
+ I see <span class="emphasis"><em>can't open multicast server</em></span> in the log messages
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Make sure that the <span class="emphasis"><em>IPv4_interface</em></span> clause has the IP of the dedicated link.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2602252"></a><a id="id2602254"></a><b>4.</b></td><td align="left" valign="top"><p>
+ Can I use <a href="http://www.backhand.org/wackamole/" target="_top">wackamole</a>, heartattack or any other HA manager?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Absolutely, you can. But before reporting issues, make sure that your HA manager is not the source of the problems.
+ </p></td></tr></tbody></table></div></div></div></div></div></body></html>
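Review bot: the answer to question 1 names the same option twice, "McastRcvSocketBuffer and McastRcvSocketBuffer", so the reader is told to tune one knob twice; the sentence goes on to talk about overruns "in the multicast sender or the receiver", so the first name was presumably meant to be the sender-side buffer option (McastSndSocketBuffer in conntrackd.conf). While fixing that, "rise" should be "raise", "disapear" should be "disappear", and the run-on reads better split after the option names: "You can raise the values of McastSndSocketBuffer and McastRcvSocketBuffer. If the problem is due to buffer overruns in the multicast sender or the receiver, it should disappear." Question 2's answer has the same "increase the values of" pattern and is fine as is.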
diff --git a/doc/sync/keepalived-multi1.conf b/doc/sync/keepalived-multi1.conf
new file mode 100644
index 0000000..5ffb318
--- /dev/null
+++ b/doc/sync/keepalived-multi1.conf
@@ -0,0 +1,71 @@
+#
+# Simple script for multi-primary setups
+#
+
+vrrp_sync_group G1 { # must be before vrrp_instance declaration
+ group {
+ VI_1
+ VI_2
+ }
+ notify_master "/etc/conntrackd/multiprimary.sh primary 1"
+ notify_backup "/etc/conntrackd/multiprimary.sh backup 1"
+ notify_fault "/etc/conntrackd/multiprimary.sh fault 1"
+}
+
+vrrp_sync_group G2 { # must be before vrrp_instance declaration
+ group {
+ VI_3
+ VI_4
+ }
+ notify_master "/etc/conntrackd/multiprimary.sh primary 2"
+ notify_backup "/etc/conntrackd/multiprimary.sh backup 2"
+ notify_fault "/etc/conntrackd/multiprimary.sh fault 2"
+}
+
+vrrp_instance VI_1 {
+ interface eth1
+ state SLAVE
+ virtual_router_id 61
+ priority 90
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
+
+vrrp_instance VI_2 {
+ interface eth2
+ state SLAVE
+ virtual_router_id 61
+ priority 90
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
+
+vrrp_instance VI_3 {
+ interface eth1
+ state SLAVE
+ virtual_router_id 62
+ priority 10
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
+
+vrrp_instance VI_4 {
+ interface eth2
+ state SLAVE
+ virtual_router_id 62
+ priority 10
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
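Review bot: `auth_type PASS` with `auth_pass papas_con_tomate` sends the password in cleartext in every VRRP advertisement on eth1 and eth2, so it authenticates nothing against anyone who can sniff or inject on those links, and the same string is repeated in all four instances here and again in keepalived-multi2.conf. Since this file is meant to be dropped into /etc, add a comment that the password is a placeholder to change and that the VRRP links must be isolated (or document `auth_type AH`, which keepalived also supports and which is keyed rather than cleartext). Two smaller points: `state SLAVE` is not one of the values keepalived documents for `state` (MASTER or BACKUP); the parser only looks for MASTER and leaves anything else at the default, so this works by accident, but write BACKUP. And the header comment "Simple script for multi-primary setups" describes a configuration file, not a script; it should also say this copy is for node 1 (priority 90 on VRID 61, 10 on VRID 62), since the priority values are the only thing that differs from keepalived-multi2.conf.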
diff --git a/doc/sync/keepalived-multi2.conf b/doc/sync/keepalived-multi2.conf
new file mode 100644
index 0000000..91ab019
--- /dev/null
+++ b/doc/sync/keepalived-multi2.conf
@@ -0,0 +1,71 @@
+#
+# Simple script for multi-primary setups
+#
+
+vrrp_sync_group G1 { # must be before vrrp_instance declaration
+ group {
+ VI_1
+ VI_2
+ }
+ notify_master "/etc/conntrackd/multiprimary.sh primary 1"
+ notify_backup "/etc/conntrackd/multiprimary.sh backup 1"
+ notify_fault "/etc/conntrackd/multiprimary.sh fault 1"
+}
+
+vrrp_sync_group G2 { # must be before vrrp_instance declaration
+ group {
+ VI_3
+ VI_4
+ }
+ notify_master "/etc/conntrackd/multiprimary.sh primary 2"
+ notify_backup "/etc/conntrackd/multiprimary.sh backup 2"
+ notify_fault "/etc/conntrackd/multiprimary.sh fault 2"
+}
+
+vrrp_instance VI_1 {
+ interface eth1
+ state SLAVE
+ virtual_router_id 61
+ priority 10
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
+
+vrrp_instance VI_2 {
+ interface eth2
+ state SLAVE
+ virtual_router_id 61
+ priority 10
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
+
+vrrp_instance VI_3 {
+ interface eth1
+ state SLAVE
+ virtual_router_id 62
+ priority 90
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
+
+vrrp_instance VI_4 {
+ interface eth2
+ state SLAVE
+ virtual_router_id 62
+ priority 90
+ advert_int 3
+ authentication {
+ auth_type PASS
+ auth_pass papas_con_tomate
+ }
+}
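Review bot: this file differs from keepalived-multi1.conf only in the four `priority` values (10 for VI_1/VI_2, 90 for VI_3/VI_4), yet the header comment is the identical "Simple script for multi-primary setups" and nothing says it is node 2's copy. Add that, and state that NODEID in multiprimary.sh must be changed to 2 on this node: the notify lines pass the group number (`... primary 1`, `... primary 2`), and the script decides whether to run state_backup by comparing that number with its own hardcoded NODEID, so a node 2 that keeps NODEID=1 will skip state_backup for its own group and run it for the peer's. The cleartext `auth_type PASS` / `auth_pass papas_con_tomate` and `state SLAVE` remarks on the multi1 file apply here unchanged.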
diff --git a/doc/sync/multiprimary.sh b/doc/sync/multiprimary.sh
new file mode 100755
index 0000000..5c585c9
--- /dev/null
+++ b/doc/sync/multiprimary.sh
@@ -0,0 +1,212 @@
+#!/bin/sh
+#
+# (C) 2009 by Pablo Neira Ayuso <pablo@netfilter.org>
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+#
+
+#
+# This is the node ID, must be >= 1 and <= 2. You have to CHANGE IT according
+# to the number of node where you are.
+#
+NODEID=1
+
+CONNTRACKD_BIN="/usr/sbin/conntrackd"
+CONNTRACKD_LOCK="/var/lock/conntrack.lock"
+CONNTRACKD_CONFIG="/etc/conntrackd/conntrackd.conf"
+
+ETHER1="eth1"
+ETHER2="eth2"
+
+state_primary()
+{
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # flush the internal and the external caches
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -f"
+ fi
+
+ #
+ # resynchronize my internal cache to the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -R"
+ fi
+
+ #
+ # send a bulk update to backups
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -B"
+ fi
+}
+
+state_backup() {
+ #
+ # is conntrackd running? request some statistics to check it
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+ if [ $? -eq 1 ]
+ then
+ #
+ # something's wrong, do we have a lock file?
+ #
+ if [ -f $CONNTRACKD_LOCK ]
+ then
+ logger "WARNING: conntrackd was not cleanly stopped."
+ logger "If you suspect that it has crashed:"
+ logger "1) Enable coredumps"
+ logger "2) Try to reproduce the problem"
+ logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
+ rm -f $CONNTRACKD_LOCK
+ fi
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: cannot launch conntrackd"
+ exit 1
+ fi
+ fi
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+
+ #
+ # request resynchronization with master firewall replica (if any)
+ # Note: this does nothing in the alarm approach.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -n"
+ fi
+}
+
+state_fault() {
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+}
+
+iptables_add_cluster_rule() {
+ iptables -I CLUSTERDEV1 -t mangle -m cluster \
+ --cluster-total-nodes 2 --cluster-local-node $1 \
+ --cluster-hash-seed 0xdeadbeed -j MARK --set-mark 0xffff
+ iptables -I CLUSTERDEV2 -t mangle -m cluster \
+ --cluster-total-nodes 2 --cluster-local-node $1 \
+ --cluster-hash-seed 0xdeadbeed -j MARK --set-mark 0xffff
+}
+
+iptables_del_cluster_rule() {
+ iptables -D CLUSTERDEV1 -t mangle -m cluster \
+ --cluster-total-nodes 2 --cluster-local-node $1 \
+ --cluster-hash-seed 0xdeadbeed -j MARK --set-mark 0xffff
+ iptables -D CLUSTERDEV2 -t mangle -m cluster \
+ --cluster-total-nodes 2 --cluster-local-node $1 \
+ --cluster-hash-seed 0xdeadbeed -j MARK --set-mark 0xffff
+}
+
+iptables_start_cluster_rule() {
+ iptables -N CLUSTERDEV1 -t mangle
+ iptables -N CLUSTERDEV2 -t mangle
+ iptables_add_cluster_rule $1
+ iptables -A CLUSTERDEV1 -t mangle -m mark ! --mark 0xffff -j DROP
+ iptables -A CLUSTERDEV2 -t mangle -m mark ! --mark 0xffff -j DROP
+ iptables -I PREROUTING -t mangle -p vrrp -j ACCEPT
+ iptables -A PREROUTING -t mangle -i $ETHER1 -j CLUSTERDEV1
+ iptables -A PREROUTING -t mangle -i $ETHER2 -j CLUSTERDEV2
+}
+
+iptables_stop_cluster_rule() {
+ iptables -D PREROUTING -t mangle -i $ETHER1 -j CLUSTERDEV1
+ iptables -D PREROUTING -t mangle -i $ETHER2 -j CLUSTERDEV2
+ iptables -D PREROUTING -t mangle -p vrrp -j ACCEPT
+ iptables -F CLUSTERDEV1 -t mangle
+ iptables -F CLUSTERDEV2 -t mangle
+ iptables -X CLUSTERDEV1 -t mangle
+ iptables -X CLUSTERDEV2 -t mangle
+}
+
+# this can be called without options
+case "$1" in
+ start)
+ iptables_start_cluster_rule $NODEID
+ exit 0
+ ;;
+ stop)
+ iptables_stop_cluster_rule $NODEID
+ exit 0
+ ;;
+esac
+
+if [ $# -ne 2 ]
+then
+ logger "ERROR: missing arguments"
+ echo "Usage: $0 {primary|backup|fault|start|stop} {nodeid}"
+ exit 1
+fi
+
+case "$1" in
+ primary)
+ #
+ # We are entering the MASTER state, it may be for G1 or G2, but we
+ # commit the external cache anyway.
+ #
+ state_primary
+ iptables_add_cluster_rule $2
+ ;;
+ backup)
+ #
+ # We are entering the BACKUP state. We can enter it from G1 or G2.
+ # Assuming that we are node 1 and that we have entered BACKUP in G2,
+ # this means that node 2 has come back to life. In that case, skip
+ # state_backup because we are still in MASTER state for G1.
+ #
+ if [ $NODEID -eq $2 ]
+ then
+ state_backup
+ fi
+ iptables_del_cluster_rule $2
+ ;;
+ fault)
+ #
+ # We are entering the FAULT state, something bad is happening to us.
+ #
+ state_fault
+ iptables_del_cluster_rule $2
+ ;;
+ *)
+ logger "ERROR: unknown state transition"
+ echo "Usage: $0 {primary|backup|fault|start|stop} {nodeid}"
+ exit 1
+ ;;
+esac
+
+exit 0
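Review bot: every status check in state_primary, state_backup and state_fault is written as `if [ $? -eq 1 ]`, so only an exit code of exactly 1 is reported; a missing or non-executable $CONNTRACKD_BIN (127/126) or any other non-zero code is silently treated as success. Use `-ne 0` throughout, for example after `$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c`. Related, in state_backup the `exit 1` after "ERROR: cannot launch conntrackd" returns from the script before the `backup)` branch reaches `iptables_del_cluster_rule $2`, so a node whose conntrackd failed to start keeps its cluster MARK rule and goes on accepting its share of flows while the peer, now MASTER for that group, is accepting the same share; drop the cluster rule before exiting, or let the branch finish. Smaller points: `start)` installs the rule for $NODEID and keepalived's first MASTER notification then calls `iptables_add_cluster_rule $2` for the same node, leaving two identical MARK rules in CLUSTERDEV1/CLUSTERDEV2 (harmless, but `-D` later removes only one); `--cluster-total-nodes 2` is hardcoded in four places while the comment on NODEID says "must be >= 1 and <= 2", so a TOTAL_NODES variable next to NODEID would keep them in step; and `0xdeadbeed` looks like a typo of 0xdeadbeef, which is fine as long as both nodes run the same script, but worth a comment that the seed must be identical on all nodes or flows will be claimed by both or neither.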