http://localhost:3000/
2020-03-30T10:51:55Z
ungleich redmine
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31847
2020-03-30T10:51:55Z
Jin-Guk Kwon
<ul></ul><p><img src="http://localhost:3000/attachments/download/3384/conntrack.png" alt="" loading="lazy" /></p>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31848
2020-03-30T10:52:02Z
Jin-Guk Kwon
<ul></ul><p><strong>- test conntrack sync on debian</strong><br />1. install conntrack, conntrackd at router1,2<br /><pre>
apt install conntrack conntrackd
</pre></p>
<p>2. config conntrackd file as notrack mode at router1,2</p>
<p>3. set router at host1,2<br />- host1 <br /><pre>
ip -6 route add host2 via router1
</pre></p>
<p>- host2<br /><pre>
ip -6 route add host1 via router2
</pre></p>
<p>4. set ip6table at router 1<br /><pre>
sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s host1 -j ACCEPT
ip6tables -A FORWARD -s host2 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
</pre></p>
<p>5. test packet<br />- host1<br /><pre>
#iperf3 -c 2a0a:e5c0:2:12:0:f0ff:fea9:c47f -t 10000
Connecting to host 2a0a:e5c0:2:12:0:f0ff:fea9:c47f, port 5201
[ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 121 MBytes 1.02 Gbits/sec 0 3.01 MBytes
[ 5] 1.00-2.00 sec 118 MBytes 986 Mbits/sec 0 3.01 MBytes
[ 5] 2.00-3.00 sec 119 MBytes 996 Mbits/sec 0 3.01 MBytes
</pre></p>
<p>- host2<br /><pre>
#iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 2a0a:e5c0:2:12:0:f0ff:fea9:c47b, port 51312
[ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 118 MBytes 990 Mbits/sec
[ 5] 1.00-2.00 sec 118 MBytes 990 Mbits/sec
</pre></p>
<p>6. check conntrack table<br />- router1<br /><pre>
test-debian-connt1:/etc/conntrackd# conntrackd -i
tcp 6 SYN_RECV src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51312 dport=5201 src=2a0a:e5c0:2:12:0:f0ff:fea9:c47f dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47b sport=5201 dport=51312 [active since 17s]
test-debian-connt1:/etc/conntrackd#
</pre></p>
<p>-router2<br /><pre>
test-debian-connt2:/etc/conntrackd# ./primary-backup.sh backup
test-debian-connt2:/etc/conntrackd# conntrackd -e
tcp 6 ESTABLISHED src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51314 dport=5201 [ASSURED] [active since 71s]
test-debian-connt2:
</pre></p>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31849
2020-03-30T11:03:46Z
Jin-Guk Kwon
<ul></ul><p><strong>- test conntrack sync on alpine</strong><br />1. install conntrack, conntrackd at router1,2<br /><pre>
apk add conntrack-tools
</pre></p>
<p>2. config conntrackd file as notrack mode at router1,2</p>
<p>3. set router at host1,2<br />- host1 <br /><pre>
ip -6 route add host2 via router1
</pre></p>
<p>- host2<br /><pre>
ip -6 route add host1 via router1
</pre></p>
<p>4. set ip6table at router 1<br /><pre>
sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s host1 -j ACCEPT
ip6tables -A FORWARD -s host2 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
</pre></p>
<p>5. check conntrack table<br />- router1<br /><pre>
test-alpine-connt1:/etc/conntrackd# conntrackd -i
[ERROR] inet_pton(): IPv6 unsupported!
</pre></p>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31850
2020-03-30T11:14:28Z
Jin-Guk Kwon
<ul></ul><p><strong>- IPv6 not supported in alpine package</strong><br />on debian<br /><pre>
[11:05:26] test-debian-connt1:/lib/modules/4.9.0-12-amd64# lsmod | grep nf_conn
nf_conntrack_ipv6 20480 1
nf_defrag_ipv6 16384 1 nf_conntrack_ipv6
nf_conntrack_netlink 40960 0
nf_conntrack 114688 3 nf_conntrack_ipv6,nf_conntrack_netlink,xt_conntrack
nfnetlink 16384 8 nf_conntrack_netlink,nf_tables
[11:05:47] test-debian-connt1:/lib/modules/4.9.0-12-amd64#
</pre></p>
<p>on alpine<br /><pre>
[07:39] test-alpine-connt2:/etc/conntrackd# lsmod | grep nf_conn
nf_conntrack_netlink 53248 0
nf_conntrack 143360 1 nf_conntrack_netlink
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 1 nf_conntrack
nfnetlink 16384 7 nf_conntrack_netlink
nf_defrag_ipv6 16384 2 nf_conntrack,ipv6
[11:07] test-alpine-connt2:/etc/conntrackd#
</pre><br />--> there is no nf_conntrack_ipv6</p>
<p>- check kernel option<br />on debian<br /><pre>
[12:48:12] test-debian-connt1:/lib/modules/4.9.0-12-amd64# grep '^CONFIG_NF_CONNTRACK*' /boot/config-"$(uname -r)"
CONFIG_NF_CONNTRACK=m
......
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_IPV6=m
[10:30:29] test-debian-connt1:/lib/modules/4.9.0-12-amd64#
</pre></p>
<p>on alpine<br /><pre>
[11:10] test-alpine-connt2:/boot# grep '^CONFIG_NF_CONNTRACK*' /boot/config-virt
CONFIG_NF_CONNTRACK=m
......
CONFIG_NF_CONNTRACK_TFTP=m
[11:10] test-alpine-connt2:/boot#
</pre></p>
<p>- check module alias<br />on debian<br /><pre>
[09:39:48] test-debian-connt1:/lib/modules/4.9.0-12-amd64# cat modules.alias | grep conntrack
alias ip_conntrack_proto_sctp nf_conntrack_proto_sctp
......
alias ip_conntrack nf_conntrack_ipv4
alias nf_conntrack-2 nf_conntrack_ipv4
alias nf_conntrack-10 nf_conntrack_ipv6
[09:54:37] test-debian-connt1:/lib/modules/4.9.0-12-amd64#
</pre></p>
<p>on alpine<br /><pre>
[11:13] test-alpine-connt2:/lib/modules/5.4.12-1-virt# cat modules.alias | grep conntrack
alias nf_conntrack-10 nf_conntrack
alias nf_conntrack-2 nf_conntrack
......
alias ipt_conntrack xt_conntrack
[11:13] test-alpine-connt2:/lib/modules/5.4.12-1-virt#
</pre></p>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31851
2020-03-30T11:20:06Z
Jin-Guk Kwon
<ul></ul><p><strong>- install conntrack-tools from latest source</strong></p>
<pre>
git clone git://git.netfilter.org/conntrack-tools
apk add autoconf automake libtool gcc g++ make
apk add linux-headers libnfnetlink-dev libnetfilter_conntrack-dev bison flex libmnl-dev libnetfilter_cttimeout-dev libnetfilter_cthelper-dev libnetfilter_queue-dev libtirpc-dev
cd conntrack-tools/
./autogen.sh
./configure --prefix=/usr
make
make install
mkdir -p /etc/conntrackd
cd /etc/conntrackd
vi conntrackd.conf
apk add ip6tables
</pre>
<p>-->it works</p>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31852
2020-03-30T11:23:46Z
Jin-Guk Kwon
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>80</i></li></ul><p>6. test packet<br />- host1<br /><pre>
#iperf3 -c 2a0a:e5c0:2:12:0:f0ff:fea9:c47f -t 10000
Connecting to host 2a0a:e5c0:2:12:0:f0ff:fea9:c47f, port 5201
[ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 121 MBytes 1.02 Gbits/sec 0 3.01 MBytes
[ 5] 1.00-2.00 sec 118 MBytes 986 Mbits/sec 0 3.01 MBytes
[ 5] 2.00-3.00 sec 119 MBytes 996 Mbits/sec 0 3.01 MBytes
</pre></p>
<p>- host2<br /><pre>
#iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 2a0a:e5c0:2:12:0:f0ff:fea9:c47b, port 51312
[ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 118 MBytes 990 Mbits/sec
[ 5] 1.00-2.00 sec 118 MBytes 990 Mbits/sec
</pre></p>
<p>7. check conntrack table<br />- router1<br /><pre>
[12:49] test-alpine-connt1:/etc/conntrackd# conntrackd -i
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `SCTP' in /etc/protocols
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `DCCP' in /etc/protocols
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `ICMP' in /etc/protocols
[Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `IPv6-ICMP' in /etc/protocols
tcp 6 SYN_RECV src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51312 dport=5201 src=2a0a:e5c0:2:12:0:f0ff:fea9:c47f dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47b sport=5201 dport=51312 [active since 17s]
[12:49] test-alpine-connt1:/etc/conntrackd#
</pre></p>
<p>-router2<br /><pre>
[12:50] test-alpine-connt2:/etc/conntrackd# ./primary-backup.sh backup
</pre><br /><pre>
[12:50] test-alpine-connt2:/etc/conntrackd# conntrackd -e
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `SCTP' in /etc/protocols
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `DCCP' in /etc/protocols
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `ICMP' in /etc/protocols
[Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `IPv6-ICMP' in /etc/protocols
tcp 6 ESTABLISHED src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51314 dport=5201 [ASSURED] [active since 71s]
[12:51] test-alpine-connt2:
</pre></p>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31853
2020-03-30T11:31:55Z
Jin-Guk Kwon
<ul><li><strong>File</strong> <a href="/attachments/3384">conntrack.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3384/conntrack.png">conntrack.png</a> added</li></ul>
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=31858
2020-03-31T13:17:01Z
Jin-Guk Kwon
<ul></ul><p><strong>- conntrack-tools package issue</strong><br /><pre>
[12:32] test-alpine-connt1:~# conntrackd -d
[Tue Mar 31 12:32:58 2020] (pid=2954) [ERROR] inet_pton(): IPv6 unsupported!
[12:32] test-alpine-connt1:~#
</pre></p>
<p>- package source from <a class="external" href="https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools">https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools</a>-$pkgver.tar.bz2<br /><pre>
read_config_yy.y file
udp_option : T_IPV6_DEST_ADDR T_IP
{
......
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
break;
} else {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
......
</pre></p>
<p>- git source from <a class="external" href="http://git.netfilter.org/conntrack-tools/tree/?h=conntrack-tools-1.4.5">http://git.netfilter.org/conntrack-tools/tree/?h=conntrack-tools-1.4.5</a><br /><pre>
read_config_yy.y file
udp_option : T_IPV6_DEST_ADDR T_IP
{
.....
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
.....
</pre></p>
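The two excerpts above differ only in the final branch. This added example (not code from conntrack-tools or from the ticket) shows why that matters, assuming `err` holds the return value of `inet_pton()`, which the elided lines do not show: `inet_pton()` returns 1 on success, 0 for an unparsable address and -1 for an unsupported address family. The function and enum names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical result codes for this example. */
enum addr_check { ADDR_OK, ADDR_INVALID, ADDR_UNSUPPORTED };

/* Branch shape of the first excerpt: every non-zero return, including
 * 1 (success), lands in the "IPv6 unsupported!" path. */
enum addr_check check_two_way(int af, const char *text)
{
    struct in6_addr buf; /* large enough for AF_INET and AF_INET6 */
    int err = inet_pton(af, text, &buf);

    if (err == 0)
        return ADDR_INVALID;
    else
        return ADDR_UNSUPPORTED;
}

/* Branch shape of the second excerpt: only a negative return is treated
 * as "unsupported"; 1 falls through as a parsed address. */
enum addr_check check_three_way(int af, const char *text)
{
    struct in6_addr buf;
    int err = inet_pton(af, text, &buf);

    if (err == 0)
        return ADDR_INVALID;
    else if (err < 0)
        return ADDR_UNSUPPORTED;
    return ADDR_OK;
}

int main(void)
{
    /* Address taken from the iperf3 runs in this ticket. */
    const char *good = "2a0a:e5c0:2:12:0:f0ff:fea9:c47f";
    const char *bad = "not-an-address"; /* constructed sample */

    printf("two-way,   valid address:  %d\n", check_two_way(AF_INET6, good));
    printf("three-way, valid address:  %d\n", check_three_way(AF_INET6, good));
    printf("three-way, bad address:    %d\n", check_three_way(AF_INET6, bad));
    printf("three-way, unknown family: %d\n", check_three_way(AF_UNSPEC, good));
    return 0;
}
```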
Open Infrastructure - Task #7890: test conntrack sync
http://localhost:3000/issues/7890?journal_id=52371
2024-01-03T18:31:08Z
Nico Schottelius
nico.schottelius@ungleich.ch
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Closed</i></li></ul>