Hello Nataraj,
--On 12. August 2008 22:56:48 -0700 Nataraj <incoming-centos@xxxxxxx> wrote:
> On Sun, 2008-08-10 at 20:28 +0200, Dirk H. Schulz wrote:
> - snip -
> > The setup works - using "conntrackd -e" I can see the connection table
> > entries the other router's conntrackd has synchronized. What I cannot
> > check is if the receiving conntrackd writes the received entries into
> > the kernel's connection tracking table.
> - snip -
> Also: cat /proc/net/nf_conntrack
Okay, that was good (it is ip_conntrack, but never mind). Now I know that
the kernel connection table does NOT get updated. Just have to find out
why.
> The doc says you must have kernel 2.6.18 or later. It looks like there
> are some iptables features that you can use that will not allow this to
> work. Are you in compliance with all of the dependencies listed in
> http://conntrack-tools.netfilter.org/conntrackd.html ?
Yes, the libraries are installed. The kernel should meet the prerequisites:
CONFIG_NF_CONNTRACK=m: yes
CONFIG_NF_CONNTRACK_IPV4=m: no, did not find it, could not enable it
CONFIG_NETFILTER_NETLINK=m: yes,
CONFIG_NF_CT_NETLINK=m: yes, it is called NF_CONNTRACK_NETLINK=m
CONFIG_NF_CONNTRACK_EVENTS=y: yes
So only the CONFIG_NF_CONNTRACK_IPV4 module is missing, but I thought that
connection tracking would not work at all (even on just one netfilter
instance) if a dedicated module for IPv4 in addition to the general
NF_CONNTRACK module were really needed.
Is there a debug mode for conntrackd where I can get more verbose logging
to find out why conntrackd does not update the kernel connection table?
Docs do not mention a debug mode, but maybe ...
By the way, when committing manually (conntrackd -c) I get the following
entries in the log:
[Tue Aug 12 12:51:49 2008] (pid=22668) [notice] Committed 139 new entries
[Tue Aug 12 12:51:49 2008] (pid=22668) [notice] 2 entries can't be
committed
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] committing external cache
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81
dst=93.94.80.2 sport=54930 dport=22 [UNREPLIED] src=93.94.80.2
dst=88.217.141.81 sport=22 dport=54930
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81
dst=93.94.80.2 sport=54929 dport=22 [UNREPLIED] src=93.94.80.2
dst=88.217.141.81 sport=22 dport=54929
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] Committed 139 new entries
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] 2 entries can't be committed
Why can't all cache entries be committed? I did not find much about this.
My kernel is a 2.6.18-92.1.6.el5 (CentOS 5).
Thanks for your help.
Dirk
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
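The two checks Dirk does by hand above (comparing the kernel config against the option list on the conntrackd page, and picking the uncommittable flows out of the conntrackd log) as an added shell example. This is not code from the thread or from the conntrack-tools project; the sample config and log lines are constructed to mirror what Dirk reports, and the treatment of CONFIG_NF_CONNTRACK_NETLINK as the same dependency as CONFIG_NF_CT_NETLINK follows his own observation that the option was renamed on his kernel.

```shell
#!/bin/sh
# Added example, not from the thread or from conntrack-tools.
# check_config   : verify a kernel .config carries the options conntrackd needs
# failed_commits : list the flows a conntrackd log reports as uncommittable

# has_opt CONFIG NAME: true when NAME is built in (=y) or a module (=m).
has_opt() {
    grep -q "^$2=[ym]\$" "$1"
}

# check_config CONFIG: one line per requirement, "ok NAME" or "MISSING NAME".
# Returns 0 only when every requirement is satisfied.
check_config() {
    cfg="$1"
    rc=0
    for opt in CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
               CONFIG_NETFILTER_NETLINK CONFIG_NF_CONNTRACK_EVENTS; do
        if has_opt "$cfg" "$opt"; then
            echo "ok $opt"
        else
            echo "MISSING $opt"
            rc=1
        fi
    done
    # The conntrackd docs name this CONFIG_NF_CT_NETLINK; the CentOS 5 kernel
    # config calls the same option CONFIG_NF_CONNTRACK_NETLINK (assumption:
    # either spelling satisfies the dependency).
    if has_opt "$cfg" CONFIG_NF_CT_NETLINK ||
       has_opt "$cfg" CONFIG_NF_CONNTRACK_NETLINK; then
        echo "ok CONFIG_NF_CT_NETLINK/CONFIG_NF_CONNTRACK_NETLINK"
    else
        echo "MISSING CONFIG_NF_CT_NETLINK (or CONFIG_NF_CONNTRACK_NETLINK)"
        rc=1
    fi
    return $rc
}

# failed_commits LOG: print the flow line that follows each
# "[ERROR] commit:" line, i.e. the entries conntrackd could not push
# into the kernel table.
failed_commits() {
    awk 'want { print; want = 0 } /\[ERROR\] commit:/ { want = 1 }' "$1"
}

# write_samples DIR: constructed inputs modelled on Dirk's report (not real
# files from his box). Each flow is kept on one line, as conntrackd logs it.
write_samples() {
    dir="$1"
    cat > "$dir/config" <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK_NETLINK=m
CONFIG_NF_CONNTRACK_EVENTS=y
EOF
    cat > "$dir/conntrackd.log" <<'EOF'
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] committing external cache
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54930 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54930
[Tue Aug 12 12:51:54 2008] (pid=22671) [ERROR] commit: Invalid argument
Tue Aug 12 12:51:54 2008 tcp 6 180 SYN_SENT src=88.217.141.81 dst=93.94.80.2 sport=54929 dport=22 [UNREPLIED] src=93.94.80.2 dst=88.217.141.81 sport=22 dport=54929
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] Committed 139 new entries
[Tue Aug 12 12:51:54 2008] (pid=22671) [notice] 2 entries can't be committed
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
check_config "$tmp/config" || echo "-> kernel config incomplete for conntrackd"
echo "flows conntrackd could not commit:"
failed_commits "$tmp/conntrackd.log"
rm -rf "$tmp"
```

On a running CentOS 5 router the config to pass to check_config is /boot/config-$(uname -r), and failed_commits takes whatever file conntrackd's LogFile directive points at. The script only confirms the build options match the documented dependency list; it does not tell you why a particular flow was rejected with "Invalid argument", which is the question still open in the message above.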