Actions
Task #7890
closedtest conntrack sync
Added by Jin-Guk Kwon about 4 years ago. Updated 4 months ago.
Start date:
03/30/2020
Due date:
% Done:
80%
Estimated time:
PM Check date:
Description
test conntrack sync on alpine
Files
| conntrack.png (28 KB) conntrack.png | Jin-Guk Kwon, 03/30/2020 11:31 AM |
Updated by Jin-Guk Kwon about 4 years ago
- test conntrack sync on debian
1. install conntrack, conntrackd at router1,2
apt install conntrack conntrackd
2. config conntrackd file as notrack mode at router1,2
3. set router at host1,2
- host1
ip -6 route add host2 via router1
- host2
ip -6 route add host1 via router2
4. set ip6table at router 1
sysctl -w net.ipv6.conf.all.forwarding=1 ip6tables -P FORWARD DROP ip6tables -A FORWARD -s host1 -j ACCEPT ip6tables -A FORWARD -s host2 -j ACCEPT ip6tables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
5. test packet
- host1
#iperf3 -c 2a0a:e5c0:2:12:0:f0ff:fea9:c47f -t 10000 Connecting to host 2a0a:e5c0:2:12:0:f0ff:fea9:c47f, port 5201 [ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 121 MBytes 1.02 Gbits/sec 0 3.01 MBytes [ 5] 1.00-2.00 sec 118 MBytes 986 Mbits/sec 0 3.01 MBytes [ 5] 2.00-3.00 sec 119 MBytes 996 Mbits/sec 0 3.01 MBytes
- host2
#iperf3 -s ----------------------------------------------------------- Server listening on 5201 ----------------------------------------------------------- Accepted connection from 2a0a:e5c0:2:12:0:f0ff:fea9:c47b, port 51312 [ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 118 MBytes 990 Mbits/sec [ 5] 1.00-2.00 sec 118 MBytes 990 Mbits/sec
6. check conntrack table
- router1
test-debian-connt1:/etc/conntrackd# conntrackd -i tcp 6 SYN_RECV src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51312 dport=5201 src=2a0a:e5c0:2:12:0:f0ff:fea9:c47f dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47b sport=5201 dport=51312 [active since 17s] test-debian-connt1:/etc/conntrackd#
-router2
test-debian-connt2:/etc/conntrackd# ./primary-backup.sh backup test-debian-connt2:/etc/conntrackd# conntrackd -e tcp 6 ESTABLISHED src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51314 dport=5201 [ASSURED] [active since 71s] test-debian-connt2:
Updated by Jin-Guk Kwon about 4 years ago
- test conntrack sync on alpine
1. install conntrack, conntrackd at router1,2
apk add conntrack-tools
2. config conntrackd file as notrack mode at router1,2
3. set router at host1,2
- host1
ip -6 route add host2 via router1
- host2
ip -6 route add host1 via router1
4. set ip6table at router 1
sysctl -w net.ipv6.conf.all.forwarding=1 ip6tables -P FORWARD DROP ip6tables -A FORWARD -s host1 -j ACCEPT ip6tables -A FORWARD -s host2 -j ACCEPT ip6tables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
5. check conntrack table
- router1
test-alpine-connt1:/etc/conntrackd# conntrackd -i [ERROR] inet_pton(): IPv6 unsupported!
Updated by Jin-Guk Kwon about 4 years ago
- not support IPv6 on alpine package
on debian
[11:05:26] test-debian-connt1:/lib/modules/4.9.0-12-amd64# lsmod | grep nf_conn nf_conntrack_ipv6 20480 1 nf_defrag_ipv6 16384 1 nf_conntrack_ipv6 nf_conntrack_netlink 40960 0 nf_conntrack 114688 3 nf_conntrack_ipv6,nf_conntrack_netlink,xt_conntrack nfnetlink 16384 8 nf_conntrack_netlink,nf_tables [11:05:47] test-debian-connt1:/lib/modules/4.9.0-12-amd64#
on alpine
[07:39] test-alpine-connt2:/etc/conntrackd# lsmod | grep nf_conn nf_conntrack_netlink 53248 0 nf_conntrack 143360 1 nf_conntrack_netlink nf_defrag_ipv4 16384 1 nf_conntrack libcrc32c 16384 1 nf_conntrack nfnetlink 16384 7 nf_conntrack_netlink nf_defrag_ipv6 16384 2 nf_conntrack,ipv6 [11:07] test-alpine-connt2:/etc/conntrackd#
--> there is no nf_conntrack_ipv6
- check kernel option
on debian
[12:48:12] test-debian-connt1:/lib/modules/4.9.0-12-amd64# grep '^CONFIG_NF_CONNTRACK*' /boot/config-"$(uname -r)" CONFIG_NF_CONNTRACK=m ...... CONFIG_NF_CONNTRACK_IPV4=m CONFIG_NF_CONNTRACK_IPV6=m [10:30:29] test-debian-connt1:/lib/modules/4.9.0-12-amd64#
on alpine
[11:10] test-alpine-connt2:/boot# grep '^CONFIG_NF_CONNTRACK*' /boot/config-virt CONFIG_NF_CONNTRACK=m ...... CONFIG_NF_CONNTRACK_TFTP=m [11:10] test-alpine-connt2:/boot#
- check module alias
on debian
[09:39:48] test-debian-connt1:/lib/modules/4.9.0-12-amd64# cat modules.alias | grep conntrack alias ip_conntrack_proto_sctp nf_conntrack_proto_sctp ...... alias ip_conntrack nf_conntrack_ipv4 alias nf_conntrack-2 nf_conntrack_ipv4 alias nf_conntrack-10 nf_conntrack_ipv6 [09:54:37] test-debian-connt1:/lib/modules/4.9.0-12-amd64#
on alpine
[11:13] test-alpine-connt2:/lib/modules/5.4.12-1-virt# cat modules.alias | grep conntrack alias nf_conntrack-10 nf_conntrack alias nf_conntrack-2 nf_conntrack ...... alias ipt_conntrack xt_conntrack [11:13] test-alpine-connt2:/lib/modules/5.4.12-1-virt#
Updated by Jin-Guk Kwon about 4 years ago
- install conntrack-tools from latest source
git clone git://git.netfilter.org/conntrack-tools apk add autoconf automake libtool gcc g++ make apk add linux-headers libnfnetlink-dev libnetfilter_conntrack-dev bison flex libmnl-dev libnetfilter_cttimeout-dev libnetfilter_cthelper-dev libnetfilter_queue-dev libtirpc-dev cd conntrack-tools/ ./autogen.sh ./configure —prefix=/usr make make insatll mkdir -p /etc/conntrackd cd /etc/conntrackd vi conntrackd.conf apk add ip6tables
-->it works
Updated by Jin-Guk Kwon about 4 years ago
- % Done changed from 0 to 80
6. test packet
- host1
#iperf3 -c 2a0a:e5c0:2:12:0:f0ff:fea9:c47f -t 10000 Connecting to host 2a0a:e5c0:2:12:0:f0ff:fea9:c47f, port 5201 [ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 121 MBytes 1.02 Gbits/sec 0 3.01 MBytes [ 5] 1.00-2.00 sec 118 MBytes 986 Mbits/sec 0 3.01 MBytes [ 5] 2.00-3.00 sec 119 MBytes 996 Mbits/sec 0 3.01 MBytes
- host2
#iperf3 -s ----------------------------------------------------------- Server listening on 5201 ----------------------------------------------------------- Accepted connection from 2a0a:e5c0:2:12:0:f0ff:fea9:c47b, port 51312 [ 5] local 2a0a:e5c0:2:12:0:f0ff:fea9:c47f port 5201 connected to 2a0a:e5c0:2:12:0:f0ff:fea9:c47b port 51314 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 118 MBytes 990 Mbits/sec [ 5] 1.00-2.00 sec 118 MBytes 990 Mbits/sec
7. check conntrack table
- router1
[12:49] test-alpine-connt1:/etc/conntrackd# conntrackd -i [Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `SCTP' in /etc/protocols [Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `DCCP' in /etc/protocols [Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `ICMP' in /etc/protocols [Fri Mar 27 12:49:38 2020] (pid=18086) [warning] getprotobyname() cannot find protocol `IPv6-ICMP' in /etc/protocols tcp 6 SYN_RECV src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51312 dport=5201 src=2a0a:e5c0:2:12:0:f0ff:fea9:c47f dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47b sport=5201 dport=51312 [active since 17s] [12:49] test-alpine-connt1:/etc/conntrackd#
-router2
[12:50] test-alpine-connt2:/etc/conntrackd# ./primary-backup.sh backup
[12:50] test-alpine-connt2:/etc/conntrackd# conntrackd -e [Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `SCTP' in /etc/protocols [Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `DCCP' in /etc/protocols [Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `ICMP' in /etc/protocols [Fri Mar 27 12:51:02 2020] (pid=18102) [warning] getprotobyname() cannot find protocol `IPv6-ICMP' in /etc/protocols tcp 6 ESTABLISHED src=2a0a:e5c0:2:12:0:f0ff:fea9:c47b dst=2a0a:e5c0:2:12:0:f0ff:fea9:c47f sport=51314 dport=5201 [ASSURED] [active since 71s] [12:51] test-alpine-connt2:
Updated by Jin-Guk Kwon about 4 years ago
- File conntrack.png conntrack.png added
Updated by Jin-Guk Kwon about 4 years ago
- conntrack-tools package issue
[12:32] test-alpine-connt1:~# conntrackd -d [Tue Mar 31 12:32:58 2020] (pid=2954) [ERROR] inet_pton(): IPv6 unsupported! [12:32] test-alpine-connt1:~#
package source from https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools$pkgver.tar.bz2
read_config_yy.y file
udp_option : T_IPV6_DEST_ADDR T_IP
{
......
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
break;
} else {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
......
- git source from http://git.netfilter.org/conntrack-tools/tree/?h=conntrack-tools-1.4.5
read_config_yy.y file
udp_option : T_IPV6_DEST_ADDR T_IP
{
.....
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
.....
Updated by Nico Schottelius 4 months ago
- Status changed from In Progress to Closed
Actions