Task #7890

closed

test conntrack sync

Added by Jin-Guk Kwon almost 4 years ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Start date:
03/30/2020
Due date:
% Done:

80%

Estimated time:
PM Check date:

Description

test conntrack sync on alpine


Files

conntrack.png (28 KB) Jin-Guk Kwon, 03/30/2020 11:31 AM
Actions #1

Updated by Jin-Guk Kwon almost 4 years ago

Actions #2

Updated by Jin-Guk Kwon almost 4 years ago

- test conntrack sync on Debian
1. install conntrack and conntrackd on router1 and router2

apt install conntrack conntrackd

2. configure the conntrackd config file in notrack mode on router1 and router2

3. set routes on host1 and host2
- host1

ip -6 route add host2 via router1

- host2

ip -6 route add host1 via router2

4. set ip6tables on router1

sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s host1 -j ACCEPT
ip6tables -A FORWARD -s host2 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

5. test packets
- host1

#iperf3 -c 2a0a:e5c0:2:12:0:f0ff:fea9:c47f -t 10000
Connecting to host 2a0a:e5c0:2:12:0:f0ff:fea9:c47f, port 5201
[  5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   121 MBytes  1.02 Gbits/sec    0   3.01 MBytes
[  5]   1.00-2.00   sec   118 MBytes   986 Mbits/sec    0   3.01 MBytes
[  5]   2.00-3.00   sec   119 MBytes   996 Mbits/sec    0   3.01 MBytes

- host2

#iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 2a0a:e5c0:2:12:0:f0ff:fea9:c47b, port 51312
[  5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   118 MBytes   990 Mbits/sec
[  5]   1.00-2.00   sec   118 MBytes   990 Mbits/sec

6. check conntrack table
- router1

test-debian-connt1:/etc/conntrackd# conntrackd -i
tcp      6 SYN_RECV src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51312 dport=5201 src=2a0a:e5c0:2:12:0:f0ff:fea9:c47f dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47b sport=5201 dport=51312 [active since 17s]
test-debian-connt1:/etc/conntrackd#

- router2

test-debian-connt2:/etc/conntrackd# ./primary-backup.sh backup
test-debian-connt2:/etc/conntrackd# conntrackd -e
tcp      6 ESTABLISHED src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51314 dport=5201 [ASSURED] [active since 71s]
test-debian-connt2:

Actions #3

Updated by Jin-Guk Kwon almost 4 years ago

- test conntrack sync on Alpine
1. install conntrack and conntrackd on router1 and router2

apk add conntrack-tools

2. configure the conntrackd config file in notrack mode on router1 and router2

3. set routes on host1 and host2
- host1

ip -6 route add host2 via router1

- host2

ip -6 route add host1 via router1

4. set ip6tables on router1

sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s host1 -j ACCEPT
ip6tables -A FORWARD -s host2 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

5. check conntrack table
- router1

test-alpine-connt1:/etc/conntrackd# conntrackd -i
[ERROR] inet_pton(): IPv6 unsupported!

Actions #4

Updated by Jin-Guk Kwon almost 4 years ago

- IPv6 not supported by the Alpine package
on Debian

[11:05:26] test-debian-connt1:/lib/modules/4.9.0-12-amd64# lsmod | grep nf_conn
nf_conntrack_ipv6      20480  1
nf_defrag_ipv6         16384  1 nf_conntrack_ipv6
nf_conntrack_netlink    40960  0
nf_conntrack          114688  3 nf_conntrack_ipv6,nf_conntrack_netlink,xt_conntrack
nfnetlink              16384  8 nf_conntrack_netlink,nf_tables
[11:05:47] test-debian-connt1:/lib/modules/4.9.0-12-amd64#

on Alpine

[07:39] test-alpine-connt2:/etc/conntrackd# lsmod | grep nf_conn
nf_conntrack_netlink    53248  0
nf_conntrack          143360  1 nf_conntrack_netlink
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  1 nf_conntrack
nfnetlink              16384  7 nf_conntrack_netlink
nf_defrag_ipv6         16384  2 nf_conntrack,ipv6
[11:07] test-alpine-connt2:/etc/conntrackd#

--> there is no nf_conntrack_ipv6

- check kernel option
on Debian

[12:48:12] test-debian-connt1:/lib/modules/4.9.0-12-amd64# grep '^CONFIG_NF_CONNTRACK*' /boot/config-"$(uname -r)" 
CONFIG_NF_CONNTRACK=m
......
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_IPV6=m
[10:30:29] test-debian-connt1:/lib/modules/4.9.0-12-amd64#

on Alpine

[11:10] test-alpine-connt2:/boot# grep '^CONFIG_NF_CONNTRACK*' /boot/config-virt
CONFIG_NF_CONNTRACK=m
......
CONFIG_NF_CONNTRACK_TFTP=m
[11:10] test-alpine-connt2:/boot#

- check module alias
on Debian

[09:39:48] test-debian-connt1:/lib/modules/4.9.0-12-amd64# cat modules.alias | grep conntrack
alias ip_conntrack_proto_sctp nf_conntrack_proto_sctp
......
alias ip_conntrack nf_conntrack_ipv4
alias nf_conntrack-2 nf_conntrack_ipv4
alias nf_conntrack-10 nf_conntrack_ipv6
[09:54:37] test-debian-connt1:/lib/modules/4.9.0-12-amd64#

on Alpine

[11:13] test-alpine-connt2:/lib/modules/5.4.12-1-virt# cat modules.alias | grep conntrack
alias nf_conntrack-10 nf_conntrack
alias nf_conntrack-2 nf_conntrack
......
alias ipt_conntrack xt_conntrack
[11:13] test-alpine-connt2:/lib/modules/5.4.12-1-virt#

Actions #5

Updated by Jin-Guk Kwon almost 4 years ago

- install conntrack-tools from the latest source

git clone git://git.netfilter.org/conntrack-tools
apk add autoconf automake libtool gcc g++ make
apk add linux-headers libnfnetlink-dev libnetfilter_conntrack-dev bison flex libmnl-dev libnetfilter_cttimeout-dev libnetfilter_cthelper-dev libnetfilter_queue-dev libtirpc-dev
cd conntrack-tools/
./autogen.sh
./configure --prefix=/usr
make
make install
mkdir -p /etc/conntrackd
cd /etc/conntrackd
vi conntrackd.conf
apk add ip6tables

--> it works

Actions #6

Updated by Jin-Guk Kwon almost 4 years ago

  • % Done changed from 0 to 80

6. test packets
- host1

#iperf3 -c 2a0a:e5c0:2:12:0:f0ff:fea9:c47f -t 10000
Connecting to host 2a0a:e5c0:2:12:0:f0ff:fea9:c47f, port 5201
[  5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   121 MBytes  1.02 Gbits/sec    0   3.01 MBytes
[  5]   1.00-2.00   sec   118 MBytes   986 Mbits/sec    0   3.01 MBytes
[  5]   2.00-3.00   sec   119 MBytes   996 Mbits/sec    0   3.01 MBytes

- host2

#iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 2a0a:e5c0:2:12:0:f0ff:fea9:c47b, port 51312
[  5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   118 MBytes   990 Mbits/sec
[  5]   1.00-2.00   sec   118 MBytes   990 Mbits/sec

7. check conntrack table
- router1

[12:49] test-alpine-connt1:/etc/conntrackd# conntrackd -i
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `SCTP' in /etc/protocols
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `DCCP' in /etc/protocols
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `ICMP' in /etc/protocols
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `IPv6-ICMP' in /etc/protocols
tcp      6 SYN_RECV src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51312 dport=5201 src=2a0a:e5c0:2:12:0:f0ff:fea9:c47f dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47b sport=5201 dport=51312 [active since 17s]
[12:49] test-alpine-connt1:/etc/conntrackd#

- router2

[12:50] test-alpine-connt2:/etc/conntrackd# ./primary-backup.sh backup

[12:50] test-alpine-connt2:/etc/conntrackd# conntrackd -e
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `SCTP' in /etc/protocols
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `DCCP' in /etc/protocols
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `ICMP' in /etc/protocols
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `IPv6-ICMP' in /etc/protocols
tcp      6 ESTABLISHED src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51314 dport=5201 [ASSURED] [active since 71s]
[12:51] test-alpine-connt2:

Actions #8

Updated by Jin-Guk Kwon almost 4 years ago

- conntrack-tools package issue

[12:32] test-alpine-connt1:~# conntrackd -d
[Tue Mar 31 12:32:58 2020] (pid=2954) [ERROR] inet_pton(): IPv6 unsupported!
[12:32] test-alpine-connt1:~#

- package source from https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools$pkgver.tar.bz2

read_config_yy.y file

udp_option : T_IPV6_DEST_ADDR T_IP
{
......
        if (err == 0) {
                dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
                break;
        } else {
                dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
                exit(EXIT_FAILURE);
        }
......

- git source from http://git.netfilter.org/conntrack-tools/tree/?h=conntrack-tools-1.4.5

read_config_yy.y file

udp_option : T_IPV6_DEST_ADDR T_IP
{
.....
        if (err == 0) {
                dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
                free($2);
                break;
        } else if (err < 0) {
                dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
                exit(EXIT_FAILURE);
        }
.....
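The difference between the two read_config_yy.y excerpts above comes down to how the return value of inet_pton() is checked. The following is an added example, not code from the conntrack-tools project or from this ticket: it reproduces both branches as plain C functions so the effect can be observed on real input. The enum names, the two parse_ipv6_dest_*() functions and the classify() wrapper are ours; the first test address is the host1 address from the iperf3 output in this ticket, the remaining inputs are constructed.

```c
/*
 * Added example (not conntrack-tools code): the inet_pton() return-value
 * check as written in the two read_config_yy.y excerpts quoted in the ticket.
 *
 * inet_pton() has three outcomes:
 *    1  -> the string was parsed into a valid address
 *    0  -> the string is not a valid address for the given family
 *   -1  -> the address family is unsupported (errno = EAFNOSUPPORT)
 *
 * The tarball excerpt tests only "err == 0" and treats every other value,
 * including 1 (success), as "IPv6 unsupported". The git excerpt adds
 * "err < 0", so a successfully parsed address falls through.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Result codes standing in for the dlog()/break/exit() actions in the
 * grammar file. These names are ours, not conntrackd's. */
enum parse_result {
    PARSE_OK = 0,          /* address stored, parsing continues */
    PARSE_INVALID = 1,     /* "is not a valid IPv6 address", option skipped */
    PARSE_UNSUPPORTED = 2  /* "inet_pton(): IPv6 unsupported!", daemon exits */
};

/* Mirrors the tarball excerpt: 'if (err == 0) ... else { fatal }'. */
enum parse_result parse_ipv6_dest_tarball(const char *text, struct in6_addr *out)
{
    int err = inet_pton(AF_INET6, text, out);

    if (err == 0)
        return PARSE_INVALID;
    /* BUG: err == 1 (success) also lands here and is reported as fatal. */
    return PARSE_UNSUPPORTED;
}

/* Mirrors the git excerpt: 'if (err == 0) ... else if (err < 0) { fatal }'. */
enum parse_result parse_ipv6_dest_git(const char *text, struct in6_addr *out)
{
    int err = inet_pton(AF_INET6, text, out);

    if (err == 0)
        return PARSE_INVALID;
    else if (err < 0)
        return PARSE_UNSUPPORTED;
    return PARSE_OK;  /* err == 1: the address was parsed */
}

/* Convenience wrapper owning the output storage: git_version selects which
 * of the two checks runs on the string. */
enum parse_result classify(const char *text, int git_version)
{
    struct in6_addr scratch;

    return git_version ? parse_ipv6_dest_git(text, &scratch)
                       : parse_ipv6_dest_tarball(text, &scratch);
}

/* Show both behaviours side by side on a few inputs. */
int main(void)
{
    /* First entry is the host1 address from the ticket; the rest are
     * constructed inputs. */
    static const char *inputs[] = {
        "2a0a:e5c0:2:12:0:f0ff:fea9:c47b",
        "2a0a:e5c0:2:12::1",   /* valid, compressed form */
        "192.0.2.1",           /* IPv4 literal: not valid for AF_INET6 */
        "not-an-address",
    };
    static const char *names[] = { "OK", "INVALID", "UNSUPPORTED" };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("%-34s tarball=%-11s git=%s\n", inputs[i],
               names[classify(inputs[i], 0)],
               names[classify(inputs[i], 1)]);
    }
    return 0;
}
```

Run as written, the tarball variant reports every valid IPv6_Destination_Address as "UNSUPPORTED" and only invalid strings get the intended warning, which matches the `[ERROR] inet_pton(): IPv6 unsupported!` seen on the Alpine package build; the git variant accepts the valid addresses and still exits only when the address family itself is unavailable.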

Actions #9

Updated by Nico Schottelius 3 months ago

  • Status changed from In Progress to Closed