Hi. I'm trying to set up an HA firewall with Debian, ucarp and conntrackd in a testbed. Debian is version 5.0.7 (stock kernel 2.6.26). I have two hosts in active/passive configuration. At the moment I don't have any particular firewall rule in place, only a couple of iptables statements to NAT client IPs and let them connect to the internet:

    iptables -t nat -A POSTROUTING -m state --state NEW,ESTABLISHED,RELATED -p TCP -s $internal_lan -d 0/0 -j SNAT --to-source $ext_fw_ip
    iptables -t nat -A POSTROUTING -m state --state NEW,ESTABLISHED,RELATED -p UDP -s $internal_lan -d 0/0 -j SNAT --to-source $ext_fw_ip

Conntrackd is installed and conntrackd -s reports no errors in multicast traffic. Anyway, I'm not able to keep the sessions active between failovers. I can see connections in the external cache, but it seems that such connections are not committed.

    [Mon Dec 27 02:01:19 2010] (pid=2032) [notice] initialization completed
    [Mon Dec 27 02:01:19 2010] (pid=2041) [notice] -- starting in daemon mode --
    [Mon Dec 27 02:08:39 2010] (pid=2481) [notice] committing external cache
    [Mon Dec 27 02:08:39 2010] (pid=2481) [notice] Committed 1 new entries
    [Mon Dec 27 02:08:39 2010] (pid=2483) [notice] committing external cache
    [Mon Dec 27 02:08:39 2010] (pid=2483) [notice] Committed 0 new entries
    [Mon Dec 27 02:08:39 2010] (pid=2483) [notice] 1 entries can't be committed
    [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] flushing caches
    [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] resync with master table
    [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] flushing caches
    [Mon Dec 27 02:08:39 2010] (pid=2041) [notice] resync with master table

As far as I understood, with this sequence of commands:

    in master:
        conntrackd -n
    in backup:
        conntrackd -c
        conntrackd -f
        conntrackd -R

I should have the same sessions in master and backup (listed with conntrack -L), or am I totally wrong? Is there any way to increase log verbosity to understand what's going on?

I really don't know the internals of conntrackd well: am I missing something? Kernel parameters? sysctl settings?

Many thanks in advance.

Regards,
Simone Zaffalon

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
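A check a reader of this thread may find useful, added here as an example and not part of the original post: a small parser that walks conntrackd daemon log lines of the format shown above and reports, per `conntrackd -c` invocation (identified by pid), how many external-cache entries were committed and how many were left uncommitted, so a failed failover can be spotted from the log rather than by diffing `conntrack -L` on both nodes. The log line format and the sample lines are taken from the post; the function names are my own.

```python
import re
from collections import defaultdict

# Shape of a conntrackd daemon log line as shown in the post:
# [timestamp] (pid=NNNN) [level] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \(pid=(?P<pid>\d+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
COMMITTED_RE = re.compile(r"Committed (\d+) new entries")
FAILED_RE = re.compile(r"(\d+) entries can't be committed")


def parse_line(line):
    """Split one log line into timestamp, pid, level and message (None if not a log line)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def commit_summary(lines):
    """Per pid of a 'conntrackd -c' run: entries committed vs. entries that could not be."""
    results = defaultdict(lambda: {"committed": 0, "failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = COMMITTED_RE.search(rec["msg"])
        if m:
            results[rec["pid"]]["committed"] += int(m.group(1))
        m = FAILED_RE.search(rec["msg"])
        if m:
            results[rec["pid"]]["failed"] += int(m.group(1))
    return dict(results)


def failed_commits(lines):
    """Pids of commit runs that left entries in the external cache (sorted for stable output)."""
    return sorted(pid for pid, r in commit_summary(lines).items() if r["failed"] > 0)


# Sample input: the log excerpt from the post above.
SAMPLE_LOG = """\
[Mon Dec 27 02:01:19 2010] (pid=2032) [notice] initialization completed
[Mon Dec 27 02:01:19 2010] (pid=2041) [notice] -- starting in daemon mode --
[Mon Dec 27 02:08:39 2010] (pid=2481) [notice] committing external cache
[Mon Dec 27 02:08:39 2010] (pid=2481) [notice] Committed 1 new entries
[Mon Dec 27 02:08:39 2010] (pid=2483) [notice] committing external cache
[Mon Dec 27 02:08:39 2010] (pid=2483) [notice] Committed 0 new entries
[Mon Dec 27 02:08:39 2010] (pid=2483) [notice] 1 entries can't be committed
[Mon Dec 27 02:08:39 2010] (pid=2041) [notice] flushing caches
[Mon Dec 27 02:08:39 2010] (pid=2041) [notice] resync with master table
"""

if __name__ == "__main__":
    for pid, r in commit_summary(SAMPLE_LOG.splitlines()).items():
        print(f"pid {pid}: committed={r['committed']} failed={r['failed']}")
    print("commit runs with uncommitted entries:", failed_commits(SAMPLE_LOG.splitlines()))
```

On the excerpt above this reports the second commit run (pid 2483) as the one that left an entry behind; run it against the live daemon log on the backup after each failover.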