Re: Second failover failure with conntrackd - INVALID packets

[Yoann Juet <yoann.juet@xxxxxxxxxxxxxx>]

Pablo Neira Ayuso wrote:
> Yoann Juet wrote:
> > Hi pablo,
> >
> > I still have an error as follows with conntrack 0.9.10:
> >
> > #make
> > ...
> > netfilter_conntrack.so -lnfnetlink
> > mcast.o: In function `mcast_dump_stats_extended':
> > /root/conntrack-tools-0.9.10/src/mcast.c:529: undefined reference to
> > `nlif_get_ifflags'
> > sync-mode.o: In function `mcast_iface_handler':
> > /root/conntrack-tools-0.9.10/src/sync-mode.c:203: undefined reference to
> > `nlif_get_ifflags'
> > sync-mode.o: In function `mcast_iface_candidate':
> > /root/conntrack-tools-0.9.10/src/sync-mode.c:185: undefined reference to
> > `nlif_get_ifflags'
> > collect2: ld returned 1 exit status
> > make[1]: *** [conntrackd] Erreur 1
> > make[1]: quittant le répertoire « /root/conntrack-tools-0.9.10/src »
> > make: *** [all-recursive] Erreur 1
> >
> > Do you have an idea ? The compilation of conntrack 0.9.9 works on the
> > same machine.
> >
> > Regards,
> >
> > Pablo Neira Ayuso wrote:
> > > Hi Yoann,
> > >
> > > Yoann Juet wrote:
> > > > > Could you try latest conntrack-tools 0.9.10? I released them yesterday
> > > > > along with accumulated updates/fixes. Thanks!
> > > > I experience right now some difficulties to compile version 0.9.10 on
> > > > lenny. I keep you in touch with test results.
> > > Any update? I'm interested in your setup.
>
> Damn. I forgot to update library dependencies. conntrack-tools-0.9.10
> requires libnfnetlink-0.0.40. I'm going to fix this now in the git tree.

I'm still facing the same difficulties with conntrack-tools 0.9.10 and 
kernel 2.6.28.

Log on FW1 after the second failover:

Feb  6 09:55:46 FW-DSI-1-IRT kernel: [ 1352.601798] RULE -1 -- DENY 
IN=eth0 OUT=eth1 SRC=193.52.101.32 DST=172.18.244.10 LEN=255 TOS=0x00 
PREC=0x00 TTL=62 ID=8698 DF PROTO=TCP SPT=5222 DPT=34189 WINDOW=501 
RES=0x00 ACK PSH URGP=0

As you can see, this TCP connection is present:

root@fw1-irt:~# conntrack -L  |grep 34189
conntrack v0.9.10 (conntrack-tools): 14 flow entries has been shown.
tcp      6 10581 ESTABLISHED src=172.18.244.10 dst=193.52.101.32 
sport=34189 dport=5222 packets=63 bytes=12039 src=193.52.101.32 
dst=172.18.244.10 sport=5222 dport=34189 packets=58 bytes=22146 
[ASSURED] mark=0 secmark=0 use=1

begin:vcard
fn:Yoann Juet
n:Juet;Yoann
org;quoted-printable:;DSI Universit=C3=A9 de Nantes
adr;quoted-printable:BP92208;;2, rue de la Houssini=C3=A8re;Nantes;;44322;France
email;internet:yoann.juet@xxxxxxxxxxxxxx
title;quoted-printable:Ing=C3=A9nieur s=C3=A9curit=C3=A9 & r=C3=A9seau
tel;work:02.51.12.53.93
tel;fax:02.51.12.58.60
x-mozilla-html:FALSE
version:2.1
end:vcard