Project

General

Profile

Actions

Task #7553

closed

Task #7284: router1.place6 phase back in

Setup conntrackd to allow active active firewalls

Added by Nico Schottelius almost 5 years ago. Updated over 4 years ago.

Status:
Rejected
Priority:
Low
Target version:
-
Start date:
01/02/2020
Due date:
% Done:

0%

Estimated time:
PM Check date:

Description

  • So that firewall rules still work with state tracking

Change of objective: get this running on two IPv6 only Alpine VMs first and then we migrate it to the routers

Actions #1

Updated by Nico Schottelius almost 5 years ago

  • Subject changed from Setup conntrackd to Setup conntrackd to allow active active firewalls

router2.place6:

[12:48:38] router2.place6:~# apt install conntrackd

router1.place6

[12:50] router1.place6:~# apk add conntrack-tools

[12:56] router1.place6:~# modprobe nf_conntrack
[12:56] router1.place6:~# /etc/init.d/conntrackd start
 * You need to disable TCP window tracking!
 * Add the following line to your /etc/sysctl.conf:
 *   net.netfilter.nf_conntrack_tcp_be_liberal = 1
 * ...and run this to activate the setting: sysctl -q -p
 * ERROR: conntrackd failed to start
[12:56] router1.place6:~# sysctl 
[12:56] router1.place6:~# sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1
net.netfilter.nf_conntrack_tcp_be_liberal = 1
[12:56] router1.place6:~# /etc/init.d/conntrackd start
 * Starting conntrackd ...                                                                                               [ ok ]
[12:56] router1.place6:~# 

Actions #2

Updated by Nico Schottelius almost 5 years ago

Added sync section, now getting an IPv6 exception:

[13:07] router1.place6:~# vi /etc/conntrackd/conntrackd.conf 
[13:07] router1.place6:~# /etc/init.d/conntrackd restart
 * Starting conntrackd ...
[Thu Jan  2 13:07:44 2020] (pid=5472) [ERROR] inet_pton(): IPv6 unsupported!
 * start-stop-daemon: failed to start `/usr/sbin/conntrackd'                                                             [ !! ]
 * ERROR: conntrackd failed to start
[13:07] router1.place6:~# 
Actions #3

Updated by Nico Schottelius almost 5 years ago

Seems like the code is in read_config.yy.c:

[13:32] line:conntrack-tools-1.4.5% grep "IPv6 unsupported" -r *
src/read_config_yy.y:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.y:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.y:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.y:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.y:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.y:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.c:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.c:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.c:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.c:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.c:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
src/read_config_yy.c:        dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
[13:32] line:conntrack-tools-1.4.5% 

Code blocks all look similar to

multicast_option : T_IPV6_ADDR T_IP
{
        __max_dedicated_links_reached();
        int err;

        err = inet_pton(AF_INET6, $2,
                        &conf.channel[conf.channel_num].u.mcast.in);
        if (err == 0) {
                dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
                break;
        } else if (err < 0) {
                dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
                exit(EXIT_FAILURE);
        }

Actions #4

Updated by Nico Schottelius almost 5 years ago

  • Description updated (diff)
  • Assignee changed from Nico Schottelius to Timothée Floure
  • Priority changed from Normal to High

And config looks like this:

General {
        HashSize 8192
        HashLimit 65535

        Syslog on
        LogFile on

        LockFile /var/lock/conntrackd.lock

        UNIX {
                Path /var/run/conntrackd.sock
                Backlog 20
        }

        SocketBufferSize 262142
        SocketBufferSizeMaxGrown 655355

        # default debian service unit file is of Type=notify
}

Stats {
        LogFile on
}

Sync {
        Mode FTFW {
                 ResendQueueSize 131072
                 PurgeTimeout 60
                 ACKWindowSize 300
                 DisableExternalCache Off
        }
        UDP Default {
                IPv6_address fe80::d66d:6dff:fe33:e00
                IPv6_Destination_Address fe80::21b:21ff:febc:7c80
                Port 3780
                Interface wlan0
                Checksum on
        }
}
Actions #5

Updated by Timothée Floure over 4 years ago

  • Status changed from In Progress to Waiting

Is this still relevant? A lot of things changed since it has been opened.

Actions #6

Updated by Timothée Floure over 4 years ago

  • Status changed from Waiting to New
  • Priority changed from High to Low

Not a priority at the moment - moving to low.

Actions #7

Updated by Nico Schottelius over 4 years ago

  • Status changed from New to Rejected

Not needed atm

writes:

Actions

Also available in: Atom PDF