Re: conntrackd "issue" in asymmetric scenario with TCP vs ICMP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for the clarification Pablo.

Regards,
-Martin


On Wed, Sep 7, 2022 at 10:52 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Fri, Sep 02, 2022 at 06:22:16PM -0400, Martin Gignac wrote:
> > Hi,
> >
> > (Apologies in advance if this is not the right place for this question).
> >
> > I am running conntrackd between two Linux firewalls running on Fedora
> > 35 using the following configuration:
> >
> >     Sync {
> >         Mode FTFW {
> >             ResendQueueSize 131072
> >             PurgeTimeout 60
> >             ACKWindowSize 300
> >             DisableExternalCache On
> >             StartupResync On
> >         }
> >         UDP {
> >             IPv4_address 172.16.1.1
> >             IPv4_Destination_Address 172.16.1.2
> >             Port 3781
> >             Interface bond0
> >             SndSocketBuffer 1249280
> >             RcvSocketBuffer 1249280
> >             Checksum on
> >         }
> >         Options {
> >             TCPWindowTracking Off
> >             ExpectationSync On
> >         }
> >     }
> >     General {
> >         Systemd on
> >         HashSize 32768
> >         HashLimit 131072
> >         LogFile on
> >         Syslog off
> >         LockFile /var/lock/conntrack.lock
> >         UNIX {
> >             Path /var/run/conntrackd.ctl
> >         }
> >         NetlinkBufferSize 2097152
> >         #NetlinkBufferSizeMaxGrowth 8388608
> >         NetlinkBufferSizeMaxGrowth 83886080
> >         NetlinkOverrunResync On
> >         NetlinkEventsReliable Off
> >         EventIterationLimit 100
> >         Filter From Userspace {
> >             Protocol Accept {
> >                 TCP
> >                 UDP
> >                 ICMP
> >             }
> >             Address Ignore {
> >                 IPv4_address 127.0.0.1
> >                 IPv4_address 172.16.1.0/29
> >                 IPv4_address 192.168.1.24/29
> >                 IPv6_address ::1
> >             }
> >         }
> >     }
> >
> > In an asymmetric scenario where incoming traffic flows through
> > firewall "A" and outgoing traffic through firewall "B", I've noticed
> > that pings work, but that SSH does not. In the case of pings, the
> > first ICMP echo reply flowing through firewall "B" sent in response to
> > the first ICMP echo request is dropped by "B" because the traffic is
> > "invalid" according to the nft trace, but subequent echo replies make
> > it through as they are recognized as being part of an existing state.
> > So far I assumed that the first packet was dropped because "B" hadn't
> > yet received the [NEW] conntrack state from "A" by the way it received
> > the echo reply.
> >
> > However, in the case of an SSH session establishment where the SYN
> > packet goes through "A" and the SYN-ACK packet goes through "B", nft
> > trace always shows the SYN-ACK (including retransmissions) as being
> > dropped because it is "invalid".
> >
> > Why does the ping reply eventually get recognized as being part of an
> > established state, but not the SYN-ACK? Is it a misconfiguration in my
> > conntrackd.conf? Are TCP 3-way handshakes supported by conntrackd in
> > asymmetric flows?
> >
> > I'm not sure exactly if I missed some deeper trace I can perform on
> > the states being sent/received by conntrackd between each firewall. I
> > thought if I could get more visibility in those that it might become
> > obvious why the scenario isn't working.
> >
> > If anyone has hints to help me troubleshoot, or can point to mistakes
> > in my configuration, my setup, or even my expectations, I would
> > appreciate it.
>
> Flow should be distributed evenly between routers, pure assymetric
> packet-based distribution is prone to race between internal state
> updates triggered by packets and the state synchronization itself.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux