From ea27bb406e3d8fe9466ba274af38e6f540ff5bfc Mon Sep 17 00:00:00 2001 From: Alexander Wirt Date: Sun, 3 Jun 2012 08:49:55 +0200 Subject: Imported Upstream version 1.2.1 --- doc/cli/test.sh | 106 ++++ doc/debian.conntrackd.init.d | 48 ++ doc/manual/Makefile | 4 + doc/manual/config.xsl | 10 + doc/manual/conntrack-tools.tmpl | 1033 ++++++++++++++++++++++++++++++++++++++ doc/manual/docbook.css | 43 ++ doc/stats/conntrackd.conf | 141 ++++++ doc/sync/alarm/README | 1 + doc/sync/alarm/conntrackd.conf | 404 +++++++++++++++ doc/sync/ftfw/README | 1 + doc/sync/ftfw/conntrackd.conf | 428 ++++++++++++++++ doc/sync/keepalived.conf | 43 ++ doc/sync/notrack/README | 3 + doc/sync/notrack/conntrackd.conf | 466 +++++++++++++++++ doc/sync/primary-backup.sh | 126 +++++ 15 files changed, 2857 insertions(+) create mode 100644 doc/cli/test.sh create mode 100644 doc/debian.conntrackd.init.d create mode 100644 doc/manual/Makefile create mode 100644 doc/manual/config.xsl create mode 100644 doc/manual/conntrack-tools.tmpl create mode 100644 doc/manual/docbook.css create mode 100644 doc/stats/conntrackd.conf create mode 100644 doc/sync/alarm/README create mode 100644 doc/sync/alarm/conntrackd.conf create mode 100644 doc/sync/ftfw/README create mode 100644 doc/sync/ftfw/conntrackd.conf create mode 100644 doc/sync/keepalived.conf create mode 100644 doc/sync/notrack/README create mode 100644 doc/sync/notrack/conntrackd.conf create mode 100755 doc/sync/primary-backup.sh (limited to 'doc') diff --git a/doc/cli/test.sh b/doc/cli/test.sh new file mode 100644 index 0000000..2a0fef7 --- /dev/null +++ b/doc/cli/test.sh @@ -0,0 +1,106 @@ +CONNTRACK=conntrack + +SRC=1.1.1.1 +DST=2.2.2.2 +SPORT=2005 +DPORT=21 + +case $1 in + dump) + echo "Dumping conntrack table" + $CONNTRACK -L + ;; + flush) + echo "Flushing conntrack table" + $CONNTRACK -F + ;; + new) + echo "creating a new conntrack" + $CONNTRACK -I --orig-src $SRC --orig-dst $DST \ + --reply-src $DST --reply-dst $SRC -p tcp \ + --orig-port-src $SPORT --orig-port-dst $DPORT \ + --reply-port-src $DPORT --reply-port-dst $SPORT \ + --state LISTEN -u SEEN_REPLY -t 50 + ;; + new-simple) + echo "creating a new conntrack (simplified)" + $CONNTRACK -I -s $SRC -d $DST \ + -p tcp --sport $SPORT --dport $DPORT \ + --state LISTEN -u SEEN_REPLY -t 50 + ;; + new-nat) + echo "creating a new conntrack (NAT)" + $CONNTRACK -I -s $SRC -d $DST \ + -p tcp --sport $SPORT --dport $DPORT \ + --state LISTEN -u SEEN_REPLY -t 50 --dst-nat 8.8.8.8 + ;; + get) + echo "getting a conntrack" + $CONNTRACK -G -s $SRC -d $DST \ + -p tcp --sport $SPORT --dport $DPORT + ;; + change) + echo "change a conntrack" + $CONNTRACK -U -s $SRC -d $DST \ + -p tcp --sport $SPORT --dport $DPORT \ + --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500 + ;; + delete) + $CONNTRACK -D -s $SRC -d $DST \ + -p tcp --sport $SPORT --dport $DPORT + ;; + output) + proc=$(cat /proc/net/ip_conntrack | wc -l) + netl=$($CONNTRACK -L | wc -l) + count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count) + if [ $proc -ne $netl ]; then + echo "proc is $proc and netl is $netl and count is $count" + else + if [ $proc -ne $count ]; then + echo "proc is $proc and netl is $netl and count is $count" + else + echo "now $proc" + fi + fi + ;; + dump-expect) + $CONNTRACK -L expect + ;; + flush-expect) + $CONNTRACK -F expect + ;; + create-expect) + # requires modprobe ip_conntrack_ftp + $CONNTRACK -I expect --orig-src $SRC --orig-dst $DST \ + --tuple-src 4.4.4.4 --tuple-dst 5.5.5.5 \ + --mask-src 255.255.255.0 --mask-dst 255.255.255.255 \ + -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \ + -t 200 --tuple-port-src 10240 --tuple-port-dst 10241\ + --mask-port-src 10 --mask-port-dst 300 + ;; + get-expect) + $CONNTRACK -G expect --orig-src 4.4.4.4 --orig-dst 5.5.5.5 \ + --p tcp --orig-port-src 10240 --orig-port-dst 10241 + ;; + delete-expect) + $CONNTRACK -D expect --orig-src 4.4.4.4 \ + --orig-dst 5.5.5.5 -p tcp --orig-port-src 10240 \ + --orig-port-dst 10241 + ;; + *) + echo "Usage: $0 [dump" + echo " |new" + echo " |new-simple" + echo " |new-nat" + echo " |get" + echo " |change" + echo " |delete" + echo " |output" + echo " |flush" + echo " |dump-expect" + echo " |flush-expect" + echo " |create-expect" + echo " |get-expect" + echo " |delete-expect]" + ;; +esac diff --git a/doc/debian.conntrackd.init.d b/doc/debian.conntrackd.init.d new file mode 100644 index 0000000..ba847dd --- /dev/null +++ b/doc/debian.conntrackd.init.d @@ -0,0 +1,48 @@ +#!/bin/sh +# +# /etc/init.d/conntrackd +# +# Maximilian Wilhelm +# -- Mon, 06 Nov 2006 18:39:07 +0100 +# + +export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +NAME="conntrackd" +DAEMON=`command -v conntrackd` +CONFIG="/etc/conntrack/conntrackd.conf" +PIDFILE="/var/run/${NAME}.pid" + + +# Gracefully exit if there is no daemon (debian way of life) +if [ ! -x "${DAEMON}" ]; then + exit 0 +fi + +# Check for config file +if [ ! -f /etc/conntrackd/conntrackd.conf ]; then + echo "Error: There is no config file for $NAME" >&2 + exit 1; +fi + +case "$1" in + start) + echo -n "Starting $NAME: " + start-stop-daemon --start --quiet --make-pidfile --pidfile "/var/run/${NAME}.pid" --background --exec "${DAEMON}" && echo "done." || echo "FAILED!" + ;; + stop) + echo -n "Stopping $NAME:" + start-stop-daemon --stop --quiet --oknodo --pidfile "/var/run/${NAME}.pid" && echo "done." || echo "FAILED!" + ;; + + restart) + $0 start + $0 stop + ;; + + *) + echo "Usage: /etc/init.d/conntrackd {start|stop|restart}" + exit 1 +esac + +exit 0 diff --git a/doc/manual/Makefile b/doc/manual/Makefile new file mode 100644 index 0000000..bd179a6 --- /dev/null +++ b/doc/manual/Makefile @@ -0,0 +1,4 @@ +html-no-chunks: + xmlto xhtml-nochunks -m config.xsl conntrack-tools.tmpl +clean: + rm -f conntrack-tools.html diff --git a/doc/manual/config.xsl b/doc/manual/config.xsl new file mode 100644 index 0000000..04722a5 --- /dev/null +++ b/doc/manual/config.xsl @@ -0,0 +1,10 @@ + + + + + + + + diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl new file mode 100644 index 0000000..dbf836d --- /dev/null +++ b/doc/manual/conntrack-tools.tmpl @@ -0,0 +1,1033 @@ + + + + + + The conntrack-tools user manual + + + + Pablo + Neira Ayuso + +
+ pablo@netfilter.org +
+ + + + + + 2008-2011 + Pablo Neira Ayuso + + + + + Permission is granted to copy, distribute and/or modify this document + under the terms of the GNU Free Documentation License, Version 1.2 + or any later version published by the Free Software Foundation; + with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. + A copy of the license is included in the section entitled "GNU + Free Documentation License". + + + + + This document details how to install and configure the + conntrack-tools + >= 1.0.0. This document will evolve in the future to cover new features + and changes. + + + + + + Introduction + + This document should be a kick-off point to install and configure the + conntrack-tools. + If you find any error or imprecision in this document, please send an email + to the author, it will be appreciated. + + In this document, the author assumes that the reader is familiar with firewalling concepts and iptables in general. If this is not your case, I suggest you to read the iptables documentation before going ahead. Moreover, the reader must also understand the difference between stateful and stateless firewalls. If this is not your case, I strongly suggest you to read the article Netfilter's Connection Tracking System published in :login; the USENIX magazine. That document contains a general description that should help to clarify the concepts. + +If you do not fulfill the previous requirements, this documentation is likely to be a source of frustration. Probably, you wonder why I'm insisting on these prerequisites too much, the fact is that if your iptables rule-set is stateless, it is very likely that the conntrack-tools will not be of any help for you. You have been warned! + + + What are the conntrack-tools? + + The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators interact, from user-space, with the in-kernel Connection Tracking System, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. However, if any of the rules of your rule-set use the state or ctstate iptables matches, you are indeed using it. + + + +The conntrack-tools package contains two programs: + + + + conntrack is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events. + + + conntrackd is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls but you can also use it to collect flow-based statistics of the firewall use. + + + + Although the name of both tools is very similar - and you can blame me for that, I'm not a marketing guy - they are used for very different tasks. + + + + Requirements + + You have to install the following software in order to get the conntrack-tools working. Make sure that you have installed them correctly before going ahead: + + + + Linux kernel version >= 2.6.18 that, at least, has support for: + + + Connection Tracking System. + + + CONFIG_NF_CONNTRACK=m + + + CONFIG_NF_CONNTRACK_IPV4=m + + + CONFIG_NF_CONNTRACK_IPV6=m (if your setup supports IPv6) + + + + + nfnetlink: the generic messaging interface for Netfilter. + + + CONFIG_NETFILTER_NETLINK=m + + + + + nf_conntrack_netlink: the messaging interface for the Connection Tracking System. + + + CONFIG_NF_CT_NETLINK=m + + + + + connection tracking event notification API: the flow-based event notification interface. + + + CONFIG_NF_CONNTRACK_EVENTS=y + + + + + Verifying kernel support + + Make sure you have loaded nf_conntrack, nf_conntrack_ipv4 (if your setup also supports IPv6, nf_conntrack_ipv6) and nf_conntrack_netlink. + + + + + libnfnetlink: the netfilter netlink library use the official release available in netfilter.org + + + libnetfilter_conntrack: the netfilter netlink library use the official release available in netfilter.org + + + + + Installation + + To compile and install the conntrack-tools run the following commands: + + (non-root)$ tar xvjf conntrack-tools-x.x.x.tar.bz2 + (non-root)$ cd conntrack-tools-x.x.x + (non-root)$ ./configure --prefix=/usr + (non-root)$ make + (root) # make install + +Fedora Users + If you are installing the libraries in /usr/local/, do not forget to do the following things: + + PKG_CONFIG_PATH=/usr/local/lib/pkgconfig; export PKG_CONFIG_PATH + Add `/usr/local/lib' to your /etc/ld.so.conf file and run `ldconfig' + + Check `ldd' for trouble-shooting, read this for more information on how libraries work. + + +Verifying kernel support + To check that the modules are enabled in the kernel, run `conntrack -E' and generate traffic, you should see flow events reporting new connections and updates. + + + + + + Using conntrack: the command line interface + + The /proc/net/ip_conntrack interface is very limited as it only allows you to display the existing flows, their state and other information: + + + # cat /proc/net/ip_conntrack + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 + tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1 + + +The command line tool conntrack can be used to display the same information: + + # conntrack -L + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 + tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1 +conntrack v0.9.7 (conntrack-tools): 2 flow entries have been shown. + + +You can natively filter the output without using grep: + + # conntrack -L -p tcp --dport 34856 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 +conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown. + + +Update the mark based on a selection, this allows you to change the mark of an entry without using the CONNMARK target: + + # conntrack -U -p tcp --dport 3486 --mark 10 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1 +conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated. + + +Delete one entry, this can be used to block traffic if: + + You have a stateful rule-set that blocks traffic in INVALID state. + You have set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose or /proc/sys/net/netfilter/nf_conntrack_tcp_loose, depending on your kernel version, to zero. + + + + # conntrack -D -p tcp --dport 3486 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1 +conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted. + + +Display the connection tracking events: + + # conntrack -E + [NEW] udp 17 30 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 [UNREPLIED] src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767 + [UPDATE] udp 17 29 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767 + [NEW] tcp 6 120 SYN_SENT src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 [UNREPLIED] src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 + [UPDATE] tcp 6 60 SYN_RECV src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 + [UPDATE] tcp 6 432000 ESTABLISHED src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 [ASSURED] + + +You can also display the existing flows in XML format, filter the output based on the NAT handling applied, etc. + + + + Setting up conntrackd: the daemon + + The daemon conntrackd supports two working modes: + + + + State table synchronization: the daemon can be used to synchronize the connection tracking state table between several firewall replicas. This can be used to deploy fault-tolerant stateful firewalls. This is the main feature of the daemon. + + + Flow-based statistics collection: the daemon can be used to collect flow-based statistics. This feature is similar to what ulogd-2.x provides. + + + + State table synchronization + + Requirements + + In order to get conntrackd working in synchronization mode, you have to fulfill the following requirements: + + + + A high availability manager like keepalived that manages the virtual IPs of the + firewall cluster, detects errors, and decide when to migrate the virtual IPs + from one firewall replica to another. Without it, conntrackd will not work appropriately. + + The state synchronization setup requires a working installation of keepalived, preferibly a recent version. Check if your distribution comes with a recent packaged version. Otherwise, you may compile it from the sources. + + + + There is a very simple example file in the conntrackd + sources to setup a simple HA cluster with keepalived (see the file + keepalived.conf under the doc/sync/ directory). This file can be used to + set up a simple VRRP cluster composed of two machines that hold the virtual + IPs 192.168.0.100 on eth0 and 192.168.1.100 on eth1. + + If you are not familiar with keepalived, please + read the official documentation available at the keepalived website + (http://www.keepalived.org). + +If you use a different high availability manager, make sure it works correctly before going ahead. + + + + + A dedicated link. The dedicated link between the firewalls is used + to transmit and receive the state information. The use of a dedicated link + is mandatory for security reasons as someone may pick the state information + that is transfered between the firewalls. + + + + A well-formed stateful rule-set. Otherwise you are likely to experience + problems during the fail-over. An example of a well-formed stateful iptables + rule-set is available in the conntrack-tools website. + + + + If your Linux kernel is < 2.6.22, you have to disable TCP window + tracking: + + # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal + + + + + + + + + Configuring the daemon + + The daemon conntrackd in synchronization mode + supports up to three replication approaches: + + + + notrack: this approach is the most simple as + it is based on a best effort replication protocol, ie. unreliable + protocol. This protocol sends and receives the state information + without performing any specific checking. + + + + ft-fw: this approach is based on a reliable + protocol that performs message tracking. Thus, the protocol can recover + from message loss, re-ordering and corruption. + + + alarm: this approach is spamming. It is based + on a alarm-based protocol that periodically re-sends the flow state to + the backup firewall replicas. This protocol consumes a lot of bandwidth + but it resolves synchronization problems fast. + + + + The three existing approaches are soft real-time asynchronous + replication protocols that are aimed to have negligible impact in terms + of latency and bandwidth throughput in the stateful firewall filtering. + + To configure conntrackd in any of the existing + synchronization modes, you have to copy the example configuration file to + the directory /etc/conntrackd/ on every firewall replica. Note that + _type_ is the synchronization type selected. + + + (conntrack-tools-x.x.x)# cp doc/_type_/conntrackd.conf /etc/conntrackd/conntrackd.conf + + + + Do not forget to edit the files before going ahead. There are several + parameters that you have to tune to adapt the example configuration file + to your setup. + + +Configuration file location + If you don't want to put the config file under /etc/conntrackd/, just tell conntrackd where to find it passing the option -C. + + + + +Active-Backup setup + + Stateful firewall architectures + A good reading to extend the information about firewall architectures is Demystifying cluster-based fault-tolerant firewalls published in IEEE Internet Computing magazine. + + + + In the Active-Backup setup, one of the stateful firewall replicas + filters traffic and the other acts as backup. If you use this approach, + you have to copy the script primary-backup.sh to: + + + + (conntrack-tools-x.x.x)# cp doc/sync/primary-backup.sh /etc/conntrackd/ + + + The HA manager invokes this script when a transition happens, ie. If + a stateful firewall replica: + + + + becomes active to recover the filtering. + + + becomes backup. + + + hits failure (this is available if the HA manager has a failure state, which is true for keepalived. + + + + The script is simple, and it contains the different actions that + conntrackd performs to recover the filtering or + purge obsolete entries from the state table, among others. The script is + commented, you can have a look at it if you need further information. + + + +Active-Active setup + + The Active-Active setup consists of having more than one stateful + firewall replicas actively filtering traffic. Thus, we reduce the resource + waste that implies to have a backup firewall which does nothing. + + We can classify the type of Active-Active setups in several + families: + + + + Symmetric path routing: The stateful firewall + replicas share the workload in terms of flows, ie. the packets that are + part of a flow are always filtered by the same firewall. + + + Asymmetric multi-path routing: The packets that + are part of a flow can be filtered by whatever stateful firewall in the + cluster. Thus, every flow-states have to be propagated to all the firewalls + in the cluster as we do not know which one would be the next to filter a + packet. This setup goes against the design of stateful firewalls as we + define the filtering policy based on flows, not in packets anymore. + + + + + As for 0.9.8, the design of conntrackd allows you + to deploy an symmetric Active-Active setup based on a static approach. + For example, assume that you have two virtual IPs, vIP1 and vIP2, and two + firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the + firewall FW1 and the vIP2 to the FW2. + + + Unfortunately, you will have to wait for the support for the + Active-Active setup based on dynamic approach, ie. a workload sharing setup + without directors that allow the stateful firewall share the filtering. + + On the other hand, the asymmetric scenario may work if your setup + fulfills several strong assumptions. However, in the opinion of the author + of this work, the asymmetric setup goes against the design of stateful + firewalls and conntrackd. Therefore, you have two + choices here: you can deploy an Active-Backup setup or go back to your + old stateless rule-set (in that case, the conntrack-tools will not be + of any help anymore, of course). + + + +Launching conntrackd + + + Once you have configured conntrackd, you can run in + console mode which is an interactive mode, in that case + type 'conntrackd' as root. + + (root)# conntrackd + + If you want to run conntrackd in daemon + mode, then type: + + (root)# conntrackd -d + + You can verify that conntrackd is running by checking the log messages + via ps. Moreover, if conntrackd is + running fine, you can dump the current status of the daemon: + + + # conntrackd -s + cache internal: + current active connections: 4 + connections created: 4 failed: 0 + connections updated: 0 failed: 0 + connections destroyed: 0 failed: 0 + + cache external: + current active connections: 0 + connections created: 0 failed: 0 + connections updated: 0 failed: 0 + connections destroyed: 0 failed: 0 + + traffic processed: + 0 Bytes 0 Pckts + + multicast traffic: + 352 Bytes sent 0 Bytes recv + 22 Pckts sent 0 Pckts recv + 0 Error send 0 Error recv + + multicast sequence tracking: + 0 Pckts mfrm 0 Pckts lost + + + This command displays the number of entries in the internal and + external cache: + + + + The internal cache contains the states that this firewall replica is filtering, ie. this is a cache of the kernel state table. + + + + The external cache contains the states that the other firewall replica is filtering. + + + + + You can dump the internal cache with the following command: + + + # conntrackd -i + tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=58491 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=58491 [ASSURED] mark=0 secmark=0 [active since 536s] + tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38211 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38211 [ASSURED] mark=0 secmark=0 [active since 536s] + tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38209 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38209 [ASSURED] mark=0 secmark=0 [active since 536s] + tcp 6 TIME_WAIT src=192.168.2.100 dst=74.125.45.166 sport=42593 dport=80 src=74.125.45.166 dst=192.168.2.100 sport=80 dport=42593 [ASSURED] [active since 165s] + tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=37962 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=37962 [ASSURED] mark=0 secmark=0 [active since 536s] + + + You can dump the external cache with the following command: + + # conntrackd -e + + If the replication works fine, conntrackd -s + displays the active's internal cache should display the same number of + entries than the backup's external cache and vice-versa. + + To verify that the recovery works fine, if you trigger a fail-over, + the log files should display the following information: + + + [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] committing external cache + [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] Committed 1545 new entries + + This means that the state entries have been injected into the kernel correctly. + + + +Other configuration options + + The daemon allows several configuration options that you may want to + enable. This section contains some information about them. + +Disabling external cache + + It is possible to disable the external cache. Thus, + conntrackd directly injects the flow-states into the + in-kernel Connection Tracking System of the backup firewall. You can do it + by enabling the DisableExternalCache option in the + conntrackd.conf configuration file: + + + +Sync { + Mode FTFW { + [...] + DisableExternalCache Off + } +} + + + You can also use this option with the NOTRACK and ALARM modes. This + increases CPU consumption in the backup firewall but now you do not need + to commit the flow-states during the master failures since they are already + in the in-kernel Connection Tracking table. Moreover, you save memory in + the backup firewall since you do not need to store the foreign flow-states + anymore. + + + + +Disabling internal cache + + You can also disable the internal cache by means of the + DisableInternalCache option in the + conntrackd.conf configuration file: + + + +Sync { + Mode NOTRACK { + [...] + DisableInternalCache Off + } +} + + + However, this option is only available for the NOTRACK mode. This + mode provides unreliable flow-state synchronization between firewalls. + Thus, if flow-states are lost during the synchronization, the protocol + provides no way to recover them. + + + + +Using UDP, TCP or multicast for flow-state synchronization + + You can use up to three different transport layer protocols to + synchronize flow-state changes between the firewalls: UDP, TCP and + Multicast. UDP and multicast are unreliable but together with the FT-FW + mode provide partial reliable flow-state synchronization. + + + The preferred choice is FT-FW over UDP, or multicast alternatively. + TCP introduces latency in the flow-state synchronization due to the + congestion control. Under flow-state message are lost, the FIFO delivery + becomes also a problem since the backup firewall quickly gets out of + sync. For that reason, its use is discouraged. Note that using TCP only + makes sense with the NOTRACK mode. + + + + +Redundant dedicated links + + You can set redundant dedicated links without using bonding, you have + to configure as many redundant links as you want in the configuration file. + In case of failure of the master dedicated link, conntrackd failovers to one + of the backups. An example of this configuration is the following: + + + +Sync { + Mode FTFW { + [...] + } + # default master dedicated link + UDP Default { + IPv4_address 192.168.2.1 + IPv4_Destination_Address 192.168.2.2 + Port 3780 + Interface eth3 + SndSocketBuffer 24985600 + RcvSocketBuffer 24985600 + Checksum on + } + # backup dedicated link + UDP { + IPv4_address 192.168.1.3 + IPv4_Destination_Address 192.168.1.4 + Port 3780 + Interface eth2 + SndSocketBuffer 24985600 + RcvSocketBuffer 24985600 + Checksum on + } + [...] +} + + + + + +Filtering Connection tracking events with iptables + + Since Linux kernel >= 2.6.34, iptables provides the + CT iptables target that allows to reduce the + amount of Connection Tracking events that are delivered to user-space. + However, you will have to use a Linux kernel >= 2.6.38 to profit + from this feature, since several aspects of the event filtering were + broken. + + The following example shows how to only generate the + assured and destroy + events: + + + # iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy + + + Assured flows + One flow is assured if the firewall has seen traffic for it in + both directions. + + + Reducing the amount of events generated helps to reduce CPU + consumption in the active firewall. + + + +Synchronization of expectations + + The connection tracking system provides helpers that allows you to + filter multi-flow application protocols like FTP, H.323 and SIP among many + others. These protocols usually split the control and data traffic in + different flows. Moreover, the control flow usually announces layer 3 and + 4 information to let the other peer know where the data flows will be + open. This sort of protocols require that the firewall inspects the + content of the packet, otherwise filtering by layer 3 and 4 selectors + like addresses and ports become a real nightmare. Netfilter already + provides the so-called helpers that track this + protocol aspects to allow deploying appropriate filtering. These + helpers create expectation entries that + represent expected traffic that will arrive to the firewall according + to the inspected packets. + + In case that you have enabled tracking of these protocols, you + may want to enable the state-synchronization of expectation as well. + Thus, established flows for this specific protocols will not suffer + any disruption. + + To enable the expectation support in the configuration file, you + have to use the following option: + + +Sync { + ... + Options { + ExpectationSync { + ftp + sip + h323 + } + } +} + + The example above enables the synchronization of the expectations + for the FTP, SIP and H.323 helpers. + + In my testbed, there are two firewalls in a primary-backup + configuration running keepalived. They use a couple of floating cluster + IP address (192.168.0.100 and 192.168.1.100) that are used by the client. + These firewalls protect one FTP server (192.168.1.2) that will be accessed + by one client. + + In ASCII art, it looks like this: + + + 192.168.0.100 192.168.1.100 + eth1 eth2 + fw-1 + / \ FTP + client ------ ------ server + 192.168.0.2 \ / 192.168.1.2 + fw-2 + + + This is the rule-set for the firewalls: + + + -A FORWARD -m state --state RELATED -j ACCEPT + -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT + -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT + -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT + -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " + + Before going ahead, make sure nf_conntrack_ftp is + loaded. + + The following steps detail how to check that the expectation support + works fine with FTP traffic: + + + + Switch to the client. Start one FTP control connection to one + server that is protected by the firewalls, enter passive mode: + + + (term-1) user@client$ nc 192.168.1.2 21 + 220 dummy FTP server + USER anonymous + 331 Please specify the password. + PASS nothing + 230 Login successful. + PASV + 227 Entering Passive Mode (192,168,1,2,163,11). + + This means that port 163*256+11=41739 will be used for the data + traffic. I suggest you to read djb's FTP protocol description in case that you + don't understand how this calculation is done. + + + + Switch to fw-1 (primary) to check that the expectation is in the + internal cache. + + + root@fw1# conntrackd -i exp + proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 helper=ftp [active since 5s] + + + + + Switch to fw-2 (backup) to check that the expectation has been + successfully replicated. + + + root@fw2# conntrackd -e exp + proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s] + + + + + Make the primary firewall fw-1 fail. Now fw-2 becomes primary. + + + + Switch to fw-2 (primary) to commit the external cache into the + kernel. The logs should display that the commit was successful: + + + root@fw2# tail -100f /var/log/conntrackd.log + [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations + [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries + [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds + + + + Switch to the client. Open a new terminal and connect to the port that + has been announced by the server: + + + (term-2) user@client$ nc -vvv 192.168.1.2 41739 + (UNKNOWN) [192.168.1.2] 41739 (?) open + + + + Switch to term-1 and ask for the file listing: + + + [...] + 227 Entering Passive Mode (192,168,1,2,163,11). + LIST + + + + Switch to term-2, it should display the listing. That means + everything has worked fine. + + + + + You may want to try disabling the expectation support and + repeating the steps to check that it does not work + without the state-synchronization. + + + + + +Troubleshooting + + Problems with conntrackd? The following list + of questions should help for troubleshooting: + + + + + + + I see packets lost in conntrackd -s + + + + + You can rise the value of McastRcvSocketBuffer and McastRcvSocketBuffer, if the problem is due to buffer overruns in the multicast sender or the receiver, the problem should disapear. + + + + + + + + The log messages report that the maximum netlink socket buffer has been reached. + + + + + You can increase the values of SocketBufferSize and SocketBufferSizeMaxGrown. + + + + + + + + I see can't open multicast server in the log messages + + + + + Make sure that the IPv4_interface clause has the IP of the dedicated link. + + + + + + + + Can I use wackamole, heartattack or any other HA manager? + + + + + Absolutely, you can. But before reporting issues, make sure that your HA manager is not the source of the problems. + + + + + + + + Does conntrackd support TCP flow-recovery with window tracking enabled? + + + + + Yes, but you require a Linux kernel >= 2.6.36 and the conntrack-tools >= 0.9.15. To enable it, check the TCPWindowTracking clause in the example configuration files. + + + + + + + + Does conntrackd support the H.323 and SIP connection tracking helpers? + + + + + Yes, conntrackd includes expectation support since version 1.2.0. + + + + + + + + Is there any way to set up a more verbose mode in the log message for debugging? + + + + + No, but conntrackd provides lots of information that you can look up in + runtime via -s option. + + You can check network statistics to find anomalies: + +# conntrackd -s network + network statistics: + recv: + Malformed messages: 0 + Wrong protocol version: 0 + Malformed header: 0 + Malformed payload: 0 + Bad message type: 0 + Truncated message: 0 + Bad message size: 0 + send: + Malformed messages: 0 + +sequence tracking statistics: + recv: + Packets lost: 42726 + Packets before: 0 + +UDP traffic (active device=eth3): + 564232 Bytes sent 1979844 Bytes recv + 2844 Pckts sent 8029 Pckts recv + 0 Error send 0 Error recv + + + You can check cache statistics: + +# conntrackd -s cache +cache:internal active objects: 0 + active/total entries: 0/ 0 + creation OK/failed: 11068/ 0 + no memory available: 0 + no space left in cache: 0 + update OK/failed: 4128/ 0 + entry not found: 0 + deletion created/failed: 11068/ 0 + entry not found: 0 + +cache:external active objects: 0 + active/total entries: 0/ 0 + creation OK/failed: 10521/ 0 + no memory available: 0 + no space left in cache: 0 + update OK/failed: 8832/ 0 + entry not found: 0 + deletion created/failed: 10521/ 0 + entry not found: 0 + + + You can check runtime miscelaneous statistics: + +# conntrackd -s runtime +daemon uptime: 14 min + +netlink stats: + events received: 24736 + events filtered: 0 + events unknown type: 0 + catch event failed: 0 + dump unknown type: 0 + netlink overrun: 0 + flush kernel table: 1 + resync with kernel table: 0 + current buffer size (in bytes): 8000000 + +runtime stats: + child process failed: 0 + child process segfault: 0 + child process termsig: 0 + select failed: 0 + wait failed: 0 + local read failed: 0 + local unknown request: 0 + + + You can check dedicated link statistics: + +# conntrackd -s link +UDP traffic device=eth3 status=RUNNING role=ACTIVE: + 566848 Bytes sent 1982612 Bytes recv + 3018 Pckts sent 8203 Pckts recv + 0 Error send 0 Error recv + + + You can check network queue statistics: + +# conntrackd -s queue +allocated queue nodes: 1 + +queue txqueue: +current elements: 0 +maximum elements: 2147483647 +not enough space errors: 0 + +queue errorq: +current elements: 0 +maximum elements: 128 +not enough space errors: 0 + +queue rsqueue: +current elements: 1 +maximum elements: 131072 +not enough space errors: 0 + + + + + + + + + + + + + diff --git a/doc/manual/docbook.css b/doc/manual/docbook.css new file mode 100644 index 0000000..81f4016 --- /dev/null +++ b/doc/manual/docbook.css @@ -0,0 +1,43 @@ +/* stolen from "Making your DocBook/XML HTML output not suck" */ + +body { + font-family: luxi sans,sans-serif; +} + +.screen { + font-family: monospace; + font-size: 1em; + display: block; + padding: 10px; + border: 1px solid #bbb; + background-color: #eee; + color: #000; + overflow: auto; + border-radius: 2.5px; + -moz-border-radius: 2.5px; + margin: 0.5em 2em; +} + +.programlisting { + font-family: monospace; + font-size: 1em; + display: block; + padding: 10px; + border: 1px solid #bbb; + background-color: #ddd; + color: #000; + overflow: auto; + border-radius: 2.5px; + -moz-border-radius: 2.5px; + margin: 0.5em 2em; +} + +a { + text-decoration: none; + border-bottom: 1px dotted #000; +} + +a:hover { + background-color: #777; + color: #fff; +} diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf new file mode 100644 index 0000000..16d7a80 --- /dev/null +++ b/doc/stats/conntrackd.conf @@ -0,0 +1,141 @@ +# +# General settings +# +General { + # + # Set the nice value of the daemon. This value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # negative value reduces the chances to lose state-change events. + # Default is 0. See man nice(1) for more information. + # + Nice -1 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the caches: hash table + # + HashSize 8192 + + # + # Maximum number of conntracks: + # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max + # + HashLimit 65535 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + #LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink socket buffer size + # + NetlinkBufferSize 262142 + + # + # Increase the socket buffer up to maximun if required + # + NetlinkBufferSizeMaxGrowth 655355 + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to log the + # state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + # UDP + } + + # + # Ignore traffic for a certain set of IP's. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED, + # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } +} + +Stats { + # + # If you enable this option, the daemon writes the information about + # destroyed connections to a logfile. Default is off. + # Logfile: on, off, or a filename + # Default file: (/var/log/conntrackd-stats.log) + # + LogFile on + + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # Enable connection logging via Syslog. Default is off. + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # If you set the facility, use the same as in the General clause, + # otherwise you'll get a warning message. + # + #Syslog on +} diff --git a/doc/sync/alarm/README b/doc/sync/alarm/README new file mode 100644 index 0000000..dfd8474 --- /dev/null +++ b/doc/sync/alarm/README @@ -0,0 +1 @@ +This directory contains the files for the ALARM based protocol diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf new file mode 100644 index 0000000..b9520fb --- /dev/null +++ b/doc/sync/alarm/conntrackd.conf @@ -0,0 +1,404 @@ +# +# Synchronizer settings +# +Sync { + Mode ALARM { + # + # If a conntrack entry is not modified in <= 15 seconds, then + # a message is broadcasted. This mechanism is used to + # resynchronize nodes that just joined the multicast group + # + RefreshTime 15 + + # + # If we don't receive a notification about the state of + # an entry in the external cache after N seconds, then + # remove it. + # + CacheTimeout 180 + + # + # This parameter allows you to set an initial fixed timeout + # for the committed entries when this node goes from backup + # to primary. This mechanism provides a way to purge entries + # that were not recovered appropriately after the specified + # fixed timeout. If you set a low value, TCP entries in + # Established states with no traffic may hang. For example, + # an SSH connection without KeepAlive enabled. If not set, + # the daemon uses an approximate timeout value calculation + # mechanism. By default, this option is not set. + # + # CommitTimeout 180 + + # + # If the firewall replica goes from primary to backup, + # the conntrackd -t command is invoked in the script. + # This command schedules a flush of the table in N seconds. + # This is useful to purge the connection tracking table of + # zombie entries and avoid clashes with old entries if you + # trigger several consecutive hand-overs. Default is 60 seconds + # + # PurgeTimeout 60 + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + # + # Multicast address: The address that you use as destination + # in the synchronization messages. You do not have to add + # this IP to any of your existing interfaces. If any doubt, + # do not modify this value. + # + IPv4_address 225.0.0.50 + + # + # The multicast group that identifies the cluster. If any + # doubt, do not modify this value. + # + Group 3780 + + # + # IP address of the interface that you are going to use to + # send the synchronization messages. Remember that you must + # use a dedicated link for the synchronization messages. + # + IPv4_interface 192.168.100.100 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + Interface eth2 + + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. + # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + SndSocketBuffer 1249280 + + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # the receiver buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. This is a good + # property to achieve fault-tolerance. In case of doubt, do + # not modify this value. + # + Checksum on + } + # + # You can specify more than one dedicated link. Thus, if one dedicated + # link fails, conntrackd can fail-over to another. Note that adding + # more than one dedicated link does not mean that state-updates will + # be sent to all of them. There is only one active dedicated link at + # a given moment. The `Default' keyword indicates that this interface + # will be selected as the initial dedicated link. You can have + # up to 4 redundant dedicated links. Note: Use different multicast + # groups for every redundant link. + # + # Multicast Default { + # IPv4_address 225.0.0.51 + # Group 3781 + # IPv4_interface 192.168.100.101 + # Interface eth3 + # # SndSocketBuffer 1249280 + # # RcvSocketBuffer 1249280 + # Checksum on + # } + + # + # You can use Unicast UDP instead of Multicast to propagate events. + # Note that you cannot use unicast UDP and Multicast at the same + # time, you can only select one. + # + # UDP { + # + # UDP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination UDP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # UDP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + + # + # Other unsorted options that are related to the synchronization. + # + # Options { + # + # TCP state-entries have window tracking disabled by default, + # you can enable it with this option. As said, default is off. + # This feature requires a Linux kernel >= 2.6.36. + # + # TCPWindowTracking Off + + # Set this option on if you want to enable the synchronization + # of expectations. You have to specify the list of helpers that + # you want to enable. Default is off. + # + # ExpectationSync { + # ftp + # ras + # q.931 + # h.245 + # sip + # } + # + # You can use this alternatively: + # + # ExpectationSync On + # + # If you want to synchronize expectations of all helpers. + # } +} + +# +# General settings +# +General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # very low value reduces the chances to lose state-change events. + # Default is 0 but this example file sets it to most favourable + # scheduling as this is generally a good idea. See man nice(1) for + # more information. + # + Nice -20 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the cache hashtable. The bigger it is, + # the closer it gets to O(1) at the cost of consuming more memory. + # Read some documents about tuning hashtables for further reference. + # + HashSize 32768 + + # + # Maximum number of conntracks, it should be double of: + # $ cat /proc/sys/net/netfilter/nf_conntrack_max + # since the daemon may keep some dead entries cached for possible + # retransmission during state synchronization. + # + HashLimit 131072 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink event socket buffer size. If you do not specify this clause, + # the default buffer size value in /proc/net/core/rmem_default is + # used. This default value is usually around 100 Kbytes which is + # fairly small for busy firewalls. This leads to event message dropping + # and high CPU consumption. This example configuration file sets the + # size to 2 MBytes to avoid this sort of problems. + # + NetlinkBufferSize 2097152 + + # + # The daemon doubles the size of the netlink event socket buffer size + # if it detects netlink event message dropping. This clause sets the + # maximum buffer size growth that can be reached. This example file + # sets the size to 8 MBytes. + # + NetlinkBufferSizeMaxGrowth 8388608 + + # + # If the daemon detects that Netlink is dropping state-change events, + # it automatically schedules a resynchronization against the Kernel + # after 30 seconds (default value). Resynchronizations are expensive + # in terms of CPU consumption since the daemon has to get the full + # kernel state-table and purge state-entries that do not exist anymore. + # Be careful of setting a very small value here. You have the following + # choices: On (enabled, use default 30 seconds value), Off (disabled) + # or Value (in seconds, to set a specific amount of time). If not + # specified, the daemon assumes that this option is enabled. + # + # NetlinkOverrunResync On + + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # The daemon prioritizes the handling of state-change events coming + # from the core. With this clause, you can set the maximum number of + # state-change events (those coming from kernel-space) that the daemon + # will handle after which it will handle other events coming from the + # network or userspace. A low value improves interactivity (in terms of + # real-time behaviour) at the cost of extra CPU consumption. + # Default (if not set) is 100. + # + # EventIterationLimit 100 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # You can select if conntrackd filters the event messages from + # user-space or kernel-space. The kernel-space event filtering + # saves some CPU cycles by avoiding the copy of the event message + # from kernel-space to user-space. The kernel-space event filtering + # is prefered, however, you require a Linux kernel >= 2.6.29 to + # filter from kernel-space. If you want to select kernel-space + # event filtering, use the keyword 'Kernelspace' instead of + # 'Userspace'. + # + Filter From Userspace { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + SCTP + DCCP + # UDP + # ICMP # This requires a Linux kernel >= 2.6.31 + # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 + } + + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # Note that these values depends on the local IPs that are + # assigned to the firewall. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + # + # You can also specify networks in format IP/cidr. + # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } +} diff --git a/doc/sync/ftfw/README b/doc/sync/ftfw/README new file mode 100644 index 0000000..a09db10 --- /dev/null +++ b/doc/sync/ftfw/README @@ -0,0 +1 @@ +This directory contains the files for the FT-FW based protocol diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf new file mode 100644 index 0000000..53a7d0f --- /dev/null +++ b/doc/sync/ftfw/conntrackd.conf @@ -0,0 +1,428 @@ +# +# Synchronizer settings +# +Sync { + Mode FTFW { + # + # Size of the resend queue (in objects). This is the maximum + # number of objects that can be stored waiting to be confirmed + # via acknoledgment. If you keep this value low, the daemon + # will have less chances to recover state-changes under message + # omission. On the other hand, if you keep this value high, + # the daemon will consume more memory to store dead objects. + # Default is 131072 objects. + # + # ResendQueueSize 131072 + + # + # This parameter allows you to set an initial fixed timeout + # for the committed entries when this node goes from backup + # to primary. This mechanism provides a way to purge entries + # that were not recovered appropriately after the specified + # fixed timeout. If you set a low value, TCP entries in + # Established states with no traffic may hang. For example, + # an SSH connection without KeepAlive enabled. If not set, + # the daemon uses an approximate timeout value calculation + # mechanism. By default, this option is not set. + # + # CommitTimeout 180 + + # + # If the firewall replica goes from primary to backup, + # the conntrackd -t command is invoked in the script. + # This command schedules a flush of the table in N seconds. + # This is useful to purge the connection tracking table of + # zombie entries and avoid clashes with old entries if you + # trigger several consecutive hand-overs. Default is 60 seconds. + # + # PurgeTimeout 60 + + # Set the acknowledgement window size. If you decrease this + # value, the number of acknowlegdments increases. More + # acknowledgments means more overhead as conntrackd has to + # handle more control messages. On the other hand, if you + # increase this value, the resend queue gets more populated. + # This results in more overhead in the queue releasing. + # The following value is based on some practical experiments + # measuring the cycles spent by the acknowledgment handling + # with oprofile. If not set, default window size is 300. + # + # ACKWindowSize 300 + + # + # This clause allows you to disable the external cache. Thus, + # the state entries are directly injected into the kernel + # conntrack table. As a result, you save memory in user-space + # but you consume slots in the kernel conntrack table for + # backup state entries. Moreover, disabling the external cache + # means more CPU consumption. You need a Linux kernel + # >= 2.6.29 to use this feature. By default, this clause is + # set off. If you are installing conntrackd for first time, + # please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + # + # Multicast address: The address that you use as destination + # in the synchronization messages. You do not have to add + # this IP to any of your existing interfaces. If any doubt, + # do not modify this value. + # + IPv4_address 225.0.0.50 + + # + # The multicast group that identifies the cluster. If any + # doubt, do not modify this value. + # + Group 3780 + + # + # IP address of the interface that you are going to use to + # send the synchronization messages. Remember that you must + # use a dedicated link for the synchronization messages. + # + IPv4_interface 192.168.100.100 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + Interface eth2 + + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. + # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + SndSocketBuffer 1249280 + + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # the receiver buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. This is a good + # property to achieve fault-tolerance. In case of doubt, do + # not modify this value. + # + Checksum on + } + # + # You can specify more than one dedicated link. Thus, if one dedicated + # link fails, conntrackd can fail-over to another. Note that adding + # more than one dedicated link does not mean that state-updates will + # be sent to all of them. There is only one active dedicated link at + # a given moment. The `Default' keyword indicates that this interface + # will be selected as the initial dedicated link. You can have + # up to 4 redundant dedicated links. Note: Use different multicast + # groups for every redundant link. + # + # Multicast Default { + # IPv4_address 225.0.0.51 + # Group 3781 + # IPv4_interface 192.168.100.101 + # Interface eth3 + # # SndSocketBuffer 1249280 + # # RcvSocketBuffer 1249280 + # Checksum on + # } + + # + # You can use Unicast UDP instead of Multicast to propagate events. + # Note that you cannot use unicast UDP and Multicast at the same + # time, you can only select one. + # + # UDP { + # + # UDP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination UDP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # UDP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + + # + # Other unsorted options that are related to the synchronization. + # + # Options { + # + # TCP state-entries have window tracking disabled by default, + # you can enable it with this option. As said, default is off. + # This feature requires a Linux kernel >= 2.6.36. + # + # TCPWindowTracking Off + + # Set this option on if you want to enable the synchronization + # of expectations. You have to specify the list of helpers that + # you want to enable. Default is off. + # + # ExpectationSync { + # ftp + # ras + # q.931 + # h.245 + # sip + # } + # + # You can use this alternatively: + # + # ExpectationSync On + # + # If you want to synchronize expectations of all helpers. + # } +} + +# +# General settings +# +General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # very low value reduces the chances to lose state-change events. + # Default is 0 but this example file sets it to most favourable + # scheduling as this is generally a good idea. See man nice(1) for + # more information. + # + Nice -20 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the cache hashtable. The bigger it is, + # the closer it gets to O(1) at the cost of consuming more memory. + # Read some documents about tuning hashtables for further reference. + # + HashSize 32768 + + # + # Maximum number of conntracks, it should be double of: + # $ cat /proc/sys/net/netfilter/nf_conntrack_max + # since the daemon may keep some dead entries cached for possible + # retransmission during state synchronization. + # + HashLimit 131072 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink event socket buffer size. If you do not specify this clause, + # the default buffer size value in /proc/net/core/rmem_default is + # used. This default value is usually around 100 Kbytes which is + # fairly small for busy firewalls. This leads to event message dropping + # and high CPU consumption. This example configuration file sets the + # size to 2 MBytes to avoid this sort of problems. + # + NetlinkBufferSize 2097152 + + # + # The daemon doubles the size of the netlink event socket buffer size + # if it detects netlink event message dropping. This clause sets the + # maximum buffer size growth that can be reached. This example file + # sets the size to 8 MBytes. + # + NetlinkBufferSizeMaxGrowth 8388608 + + # + # If the daemon detects that Netlink is dropping state-change events, + # it automatically schedules a resynchronization against the Kernel + # after 30 seconds (default value). Resynchronizations are expensive + # in terms of CPU consumption since the daemon has to get the full + # kernel state-table and purge state-entries that do not exist anymore. + # Be careful of setting a very small value here. You have the following + # choices: On (enabled, use default 30 seconds value), Off (disabled) + # or Value (in seconds, to set a specific amount of time). If not + # specified, the daemon assumes that this option is enabled. + # + # NetlinkOverrunResync On + + # + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # The daemon prioritizes the handling of state-change events coming + # from the core. With this clause, you can set the maximum number of + # state-change events (those coming from kernel-space) that the daemon + # will handle after which it will handle other events coming from the + # network or userspace. A low value improves interactivity (in terms of + # real-time behaviour) at the cost of extra CPU consumption. + # Default (if not set) is 100. + # + # EventIterationLimit 100 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # You can select if conntrackd filters the event messages from + # user-space or kernel-space. The kernel-space event filtering + # saves some CPU cycles by avoiding the copy of the event message + # from kernel-space to user-space. The kernel-space event filtering + # is prefered, however, you require a Linux kernel >= 2.6.29 to + # filter from kernel-space. If you want to select kernel-space + # event filtering, use the keyword 'Kernelspace' instead of + # 'Userspace'. + # + Filter From Userspace { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + SCTP + DCCP + # UDP + # ICMP # This requires a Linux kernel >= 2.6.31 + # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 + } + + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # Note that these values depends on the local IPs that are + # assigned to the firewall. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + # + # You can also specify networks in format IP/cidr. + # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } +} diff --git a/doc/sync/keepalived.conf b/doc/sync/keepalived.conf new file mode 100644 index 0000000..84f1383 --- /dev/null +++ b/doc/sync/keepalived.conf @@ -0,0 +1,43 @@ +# +# Simple script for primary-backup setups +# + +vrrp_sync_group G1 { # must be before vrrp_instance declaration + group { + VI_1 + VI_2 + } + notify_master "/etc/conntrackd/primary-backup.sh primary" + notify_backup "/etc/conntrackd/primary-backup.sh backup" + notify_fault "/etc/conntrackd/primary-backup.sh fault" +} + +vrrp_instance VI_1 { + interface eth1 + state SLAVE + virtual_router_id 61 + priority 80 + advert_int 3 + authentication { + auth_type PASS + auth_pass papas_con_tomate + } + virtual_ipaddress { + 192.168.0.100 # default CIDR mask is /32 + } +} + +vrrp_instance VI_2 { + interface eth0 + state SLAVE + virtual_router_id 62 + priority 80 + advert_int 3 + authentication { + auth_type PASS + auth_pass papas_con_tomate + } + virtual_ipaddress { + 192.168.1.100 + } +} diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README new file mode 100644 index 0000000..b064e21 --- /dev/null +++ b/doc/sync/notrack/README @@ -0,0 +1,3 @@ +This directory contains the files for the NOTRACK replication protocol. This +protocol provides best effort delivery. Therefore, it is unreliable unless +that you select TCP-based state-synchronization. diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf new file mode 100644 index 0000000..11f022e --- /dev/null +++ b/doc/sync/notrack/conntrackd.conf @@ -0,0 +1,466 @@ +# +# Synchronizer settings +# +Sync { + Mode NOTRACK { + # + # This parameter allows you to set an initial fixed timeout + # for the committed entries when this node goes from backup + # to primary. This mechanism provides a way to purge entries + # that were not recovered appropriately after the specified + # fixed timeout. If you set a low value, TCP entries in + # Established states with no traffic may hang. For example, + # an SSH connection without KeepAlive enabled. If not set, + # the daemon uses an approximate timeout value calculation + # mechanism. By default, this option is not set. + # + # CommitTimeout 180 + + # + # If the firewall replica goes from primary to backup, + # the conntrackd -t command is invoked in the script. + # This command schedules a flush of the table in N seconds. + # This is useful to purge the connection tracking table of + # zombie entries and avoid clashes with old entries if you + # trigger several consecutive hand-overs. Default is 60 seconds. + # + # PurgeTimeout 60 + + # + # This clause allows you to disable the internal cache. Thus, + # the synchronization messages are directly send through + # the dedicated link. This option is set of off by default. + # + # DisableInternalCache Off + + # + # This clause allows you to disable the external cache. Thus, + # the state entries are directly injected into the kernel + # conntrack table. As a result, you save memory in user-space + # but you consume slots in the kernel conntrack table for + # backup state entries. Moreover, disabling the external cache + # means more CPU consumption. You need a Linux kernel + # >= 2.6.29 to use this feature. By default, this clause is + # set off. If you are installing conntrackd for first time, + # please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + # + # Multicast address: The address that you use as destination + # in the synchronization messages. You do not have to add + # this IP to any of your existing interfaces. If any doubt, + # do not modify this value. + # + IPv4_address 225.0.0.50 + + # + # The multicast group that identifies the cluster. If any + # doubt, do not modify this value. + # + Group 3780 + + # + # IP address of the interface that you are going to use to + # send the synchronization messages. Remember that you must + # use a dedicated link for the synchronization messages. + # + IPv4_interface 192.168.100.100 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + Interface eth2 + + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. + # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # Note: This protocol is best effort, it is really recommended + # to increase the buffer size. + # + SndSocketBuffer 1249280 + + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # Note: This protocol is best effort, it is really recommended + # to increase the buffer size. + # + RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. This is a good + # property to achieve fault-tolerance. In case of doubt, do + # not modify this value. + # + Checksum on + } + # + # You can specify more than one dedicated link. Thus, if one dedicated + # link fails, conntrackd can fail-over to another. Note that adding + # more than one dedicated link does not mean that state-updates will + # be sent to all of them. There is only one active dedicated link at + # a given moment. The `Default' keyword indicates that this interface + # will be selected as the initial dedicated link. You can have + # up to 4 redundant dedicated links. Note: Use different multicast + # groups for every redundant link. + # + # Multicast Default { + # IPv4_address 225.0.0.51 + # Group 3781 + # IPv4_interface 192.168.100.101 + # Interface eth3 + # # SndSocketBuffer 1249280 + # # RcvSocketBuffer 1249280 + # Checksum on + # } + + # + # You can use Unicast UDP instead of Multicast to propagate events. + # Note that you cannot use unicast UDP and Multicast at the same + # time, you can only select one. + # + # UDP { + # + # UDP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination UDP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # UDP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + + # + # You can also use Unicast TCP to propagate events. Thus, the NOTRACK + # mode becomes reliable. + # + # TCP { + # + # TCP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination TCP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # TCP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + + # + # Other unsorted options that are related to the synchronization. + # + # Options { + # + # TCP state-entries have window tracking disabled by default, + # you can enable it with this option. As said, default is off. + # This feature requires a Linux kernel >= 2.6.36. + # + # TCPWindowTracking Off + + # Set this option on if you want to enable the synchronization + # of expectations. You have to specify the list of helpers that + # you want to enable. Default is off. + # + # ExpectationSync { + # ftp + # ras + # q.931 + # h.245 + # sip + # } + # + # You can use this alternatively: + # + # ExpectationSync On + # + # If you want to synchronize expectations of all helpers. + # } +} + +# +# General settings +# +General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # very low value reduces the chances to lose state-change events. + # Default is 0 but this example file sets it to most favourable + # scheduling as this is generally a good idea. See man nice(1) for + # more information. + # + Nice -20 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the cache hashtable. The bigger it is, + # the closer it gets to O(1) at the cost of consuming more memory. + # Read some documents about tuning hashtables for further reference. + # + HashSize 32768 + + # + # Maximum number of conntracks, it should be double of: + # $ cat /proc/sys/net/netfilter/nf_conntrack_max + # since the daemon may keep some dead entries cached for possible + # retransmission during state synchronization. + # + HashLimit 131072 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink event socket buffer size. If you do not specify this clause, + # the default buffer size value in /proc/net/core/rmem_default is + # used. This default value is usually around 100 Kbytes which is + # fairly small for busy firewalls. This leads to event message dropping + # and high CPU consumption. This example configuration file sets the + # size to 2 MBytes to avoid this sort of problems. + # + NetlinkBufferSize 2097152 + + # + # The daemon doubles the size of the netlink event socket buffer size + # if it detects netlink event message dropping. This clause sets the + # maximum buffer size growth that can be reached. This example file + # sets the size to 8 MBytes. + # + NetlinkBufferSizeMaxGrowth 8388608 + + # + # If the daemon detects that Netlink is dropping state-change events, + # it automatically schedules a resynchronization against the Kernel + # after 30 seconds (default value). Resynchronizations are expensive + # in terms of CPU consumption since the daemon has to get the full + # kernel state-table and purge state-entries that do not exist anymore. + # Be careful of setting a very small value here. You have the following + # choices: On (enabled, use default 30 seconds value), Off (disabled) + # or Value (in seconds, to set a specific amount of time). If not + # specified, the daemon assumes that this option is enabled. + # + # NetlinkOverrunResync On + + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # The daemon prioritizes the handling of state-change events coming + # from the core. With this clause, you can set the maximum number of + # state-change events (those coming from kernel-space) that the daemon + # will handle after which it will handle other events coming from the + # network or userspace. A low value improves interactivity (in terms of + # real-time behaviour) at the cost of extra CPU consumption. + # Default (if not set) is 100. + # + # EventIterationLimit 100 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # You can select if conntrackd filters the event messages from + # user-space or kernel-space. The kernel-space event filtering + # saves some CPU cycles by avoiding the copy of the event message + # from kernel-space to user-space. The kernel-space event filtering + # is prefered, however, you require a Linux kernel >= 2.6.29 to + # filter from kernel-space. If you want to select kernel-space + # event filtering, use the keyword 'Kernelspace' instead of + # 'Userspace'. + # + Filter From Userspace { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + SCTP + DCCP + # UDP + # ICMP # This requires a Linux kernel >= 2.6.31 + # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 + } + + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # Note that these values depends on the local IPs that are + # assigned to the firewall. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + # + # You can also specify networks in format IP/cidr. + # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } +} diff --git a/doc/sync/primary-backup.sh b/doc/sync/primary-backup.sh new file mode 100755 index 0000000..fb74adc --- /dev/null +++ b/doc/sync/primary-backup.sh @@ -0,0 +1,126 @@ +#!/bin/sh +# +# (C) 2006-2011 by Pablo Neira Ayuso +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Description: +# +# This is the script for primary-backup setups for keepalived +# (http://www.keepalived.org). You may adapt it to make it work with other +# high-availability managers. +# +# Do not forget to include the required modifications to your keepalived.conf +# file to invoke this script during keepalived's state transitions. +# +# Contributions to improve this script are welcome :). +# + +CONNTRACKD_BIN=/usr/sbin/conntrackd +CONNTRACKD_LOCK=/var/lock/conntrack.lock +CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf + +case "$1" in + primary) + # + # commit the external cache into the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -c" + fi + + # + # flush the internal and the external caches + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -f" + fi + + # + # resynchronize my internal cache to the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -R" + fi + + # + # send a bulk update to backups + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -B" + fi + ;; + backup) + # + # is conntrackd running? request some statistics to check it + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s + if [ $? -eq 1 ] + then + # + # something's wrong, do we have a lock file? + # + if [ -f $CONNTRACKD_LOCK ] + then + logger "WARNING: conntrackd was not cleanly stopped." + logger "If you suspect that it has crashed:" + logger "1) Enable coredumps" + logger "2) Try to reproduce the problem" + logger "3) Post the coredump to netfilter-devel@vger.kernel.org" + rm -f $CONNTRACKD_LOCK + fi + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d + if [ $? -eq 1 ] + then + logger "ERROR: cannot launch conntrackd" + exit 1 + fi + fi + # + # shorten kernel conntrack timers to remove the zombie entries. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -t" + fi + + # + # request resynchronization with master firewall replica (if any) + # Note: this does nothing in the alarm approach. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -n" + fi + ;; + fault) + # + # shorten kernel conntrack timers to remove the zombie entries. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -t" + fi + ;; + *) + logger "ERROR: unknown state transition" + echo "Usage: primary-backup.sh {primary|backup|fault}" + exit 1 + ;; +esac + +exit 0 -- cgit v1.2.3