Re: Conntrackd issue with bonding

On 10/08/12 11:19, Pablo Neira Ayuso wrote:
On Fri, Aug 10, 2012 at 09:09:02AM +0200, Arturo Borrero wrote:
Hi there!

It seems that there is an issue with Conntrackd using a bonding as
dedicated interface.

The log:

[Thu Aug  9 14:14:23 2012] (pid=3819) [notice] -- starting in daemon mode --
[Thu Aug  9 14:14:23 2012] (pid=3819) [ERROR] no dedicated links available!
[Thu Aug  9 14:14:23 2012] (pid=3819) [ERROR] no dedicated links available!
[Thu Aug  9 14:14:23 2012] (pid=3819) [ERROR] no dedicated links available!
[Thu Aug  9 14:19:54 2012] (pid=3819) [notice] ---- shutdown received ----


Or maybe I'm missing something important in the configuration:

/etc/conntrackd/conntrackd.conf

Sync {
         Mode ALARM {
                 RefreshTime 15
                 CacheTimeout 180
         }
         Multicast {
                 IPv4_address 225.0.0.50
                 Group 3780
                 IPv4_interface 172.16.0.1
                 Interface bond2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
         }
}
General {
     HashSize 8192
     HashLimit 65535
     LogFile on
     Syslog on
     LockFile /var/lock/conntrackd.lock
     UNIX {
         Path /var/run/conntrackd.sock
         Backlog 20
     }
     SocketBufferSize 262142
     SocketBufferSizeMaxGrown 655355
     Filter {
         Protocol Accept {
             TCP
         }
         Address Ignore
         {
             IPv4_address 127.0.0.1 # loopback
             IPv4_address 172.16.0.1 # cluster link
             IPv4_address 172.16.0.2 # cluster link
             IPv4_address xx.40
             IPv4_address xx.41
             IPv6_address xx::40
             IPv6_address xx::41
             IPv6_address xx::41
         }
     }
}

Bond2 is up and running:

bond2     Link encap:Ethernet  HWaddr 00:xx:xx:57:b8:xx
           inet addr:172.16.0.1  Bcast:172.16.255.255  Mask:255.255.0.0
           inet6 addr: fe80::215:xx::/64 Scope:Link
           UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
           RX packets:7405527 errors:0 dropped:0 overruns:0 frame:0
           TX packets:3935915 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:7812500663 (7.2 GiB)  TX bytes:651422232 (621.2 MiB)


Any idea?
Something is wrong with the link state checking.

Please, get a working copy of libnfnetlink:

git clone git://git.netfilter.org/libnfnetlink
autoreconf -fi
./configure --prefix=/usr
make
make check

[no need to make install]

Then go to utils/ directory, run ./iftest and get back to the list to
report what it says.

I'm using this version (Debian amd64)
You didn't mention kernel version, I guess it is standalone Linux
kernel in Debian? (2.6.32). Using a recent Linux kernel version of the
3.x branch is really recommended to run conntrackd.

:~$ conntrackd -v
Connection tracking userspace daemon v1.2.1. Licensed under GPLv2.
BTW, it's a good idea if you upgrade to 1.2.2. There was a bug in the
commit operation that is resolved in the latest version.

This is the result of iftest:

root@debian:~/git/libnfnetlink/utils# ./iftest
index (1) is lo (RUNNING) (UP)
index (2) is eth5 (NOT RUNNING) (DOWN)
index (3) is eth2 (RUNNING) (UP)

This is the list of interfaces:
root@debian:~/git/libnfnetlink/utils# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
3: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
4: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
6: eth6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
8: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
9: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
10: eth8: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond2 state UP mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
11: eth9: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond2 state DOWN mode DEFAULT qlen 1000
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
12: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff
13: bond1: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
14: bond2: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 00:asdasd brd ff:ff:ff:ff:ff:ff

The kernel version is:
# uname -r
3.2.0-3-amd64

Regards

--
Arturo Borrero González
Departamento de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
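
A way to cross-check the two listings in the message above, added here as an example (it is not part of the original thread, conntrackd or libnfnetlink): it parses `iftest` and `ip link show` output and reports whether the interface named by the `Interface` directive appears in each. The listings are abridged from the message, and all function names are hypothetical.

```python
import re

# Listings abridged from the message above; only header lines carry state.
IFTEST_OUTPUT = """\
index (1) is lo (RUNNING) (UP)
index (2) is eth5 (NOT RUNNING) (DOWN)
index (3) is eth2 (RUNNING) (UP)
"""
IP_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
3: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP
10: eth8: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond2 state UP
11: eth9: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond2 state DOWN
14: bond2: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
"""
CONF_SNIPPET = "Multicast {\n    IPv4_interface 172.16.0.1\n    Interface bond2\n}\n"


def parse_iftest(text):
    """Map ifindex -> name for every interface iftest printed."""
    pat = re.compile(r"^index \((\d+)\) is (\S+) ", re.M)
    return {int(i): name for i, name in pat.findall(text)}


def parse_ip_link(text):
    """Map ifindex -> (name, flag set) from 'ip link show' header lines."""
    pat = re.compile(r"^(\d+): ([^:@\s]+)(?:@\S+)?: <([^>]*)>", re.M)
    return {int(i): (n, set(f.split(","))) for i, n, f in pat.findall(text)}


def dedicated_interfaces(conf):
    """Names given by 'Interface' directives (IPv4_interface is skipped)."""
    return re.findall(r"^\s*Interface\s+(\S+)", conf, re.M)


def report(iftest_text, ip_link_text, conf):
    """Return (per-dedicated-link status, interfaces iftest did not list)."""
    seen = set(parse_iftest(iftest_text).values())
    kernel = {n: flags for n, flags in parse_ip_link(ip_link_text).values()}
    status = {}
    for name in dedicated_interfaces(conf):
        flags = kernel.get(name, set())
        status[name] = {"in_kernel": name in kernel,
                        "carrier": "LOWER_UP" in flags,
                        "in_iftest": name in seen}
    return status, sorted(set(kernel) - seen)


if __name__ == "__main__":
    print(report(IFTEST_OUTPUT, IP_LINK_OUTPUT, CONF_SNIPPET))
```

On the data from this message, `bond2` is present with carrier in the `ip link show` listing but does not appear in the `iftest` listing, which stops at index 3.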


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

