
Changes to Conntrack-Sync don't apply correctly (Multicast->UDP)
Open, Requires assessment | Public | BUG


I just found out it was possible to use UDP Unicast for Conntrack-Sync instead of the Multicast I was using.

I changed my configuration from Multicast to Unicast and committed the changes. Removed the mcast-group command and added "peer <x.x.x.x>" to the end of the Interface command.

However, this didn't make "show conntrack-sync" show Unicast; it still showed Multicast.

So I did a "restart conntrack-sync", but this didn't work either. Doing a "ps afux" still showed a very early (boot) PID for /usr/sbin/conntrackd.

Only a "sudo kill <pid of conntrackd>" killed it (so it wasn't running at all).
Then I had to manually restart it with "restart conntrack-sync".

This changed Conntrack Sync to actually use UDP instead of Multicast.

I verified this both with

a) Taking TCP dumps on other hosts and still seeing Multicast traffic
b) The "show conntrack-sync statistics" command was saying it was Multicast traffic, but now that I've fixed it, it states UDP traffic.

I think that any changes to the conntrack-sync section should result in a proper restart of conntrack-sync, or at the very minimum "restart conntrack-sync" should properly restart it, not require me to kill the existing conntrackd before issuing it.



Difficulty level: Unknown (require assessment)
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

To reproduce (VyOS 1.3-beta-202106271614):

set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism vrrp sync-group 'FOO'
set service conntrack-sync interface eth1 peer ''

If we compare the config, we can see an unexpected multicast group

vyos@r2# compare 
[edit service]
+conntrack-sync {
+    accept-protocol tcp,udp,icmp
+    event-listen-queue-size 8
+    failover-mechanism {
+        vrrp {
+            sync-group FOO
+        }
+    }
+    interface eth1 {
+        peer
+    }
+    mcast-group
+    sync-queue-size 1

So if we reboot the router, we don't see any configuration related to "service conntrack-sync"

vyos@r4-1.3:~$ show conf com | match conntrack

but we still find a conntrackd PID, so the next commit (re-adding the conntrack-sync config) will fail

vyos@r2# commit
[ service conntrack-sync ]
conntrack-sync error: /etc/init.d/conntrackd failed to start /usr/sbin/conntrackd!

[[service conntrack-sync]] failed
Commit failed
vyos@r2# ps ax | grep conntr
 2881 ?        Ss     0:00 /usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf -d
 3559 ttyS0    S+     0:00 grep conntr
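Both the report and the reproduction above come down to the same failure mode: a conntrackd that was started at boot keeps running with its old configuration, so the running transport (multicast vs. UDP unicast) no longer matches what was committed. As an added example, not part of this ticket and not VyOS project code, here is a POSIX shell check an operator could run after a commit to catch that state: it compares the running daemon's start time with the mtime of its config file, and reports which transport the on-disk /etc/conntrackd/conntrackd.conf actually declares (it also flags a file that declares both, which goes slightly beyond the ticket). The two Sync sections are constructed samples so the script runs offline; the daemon and config paths are the ones shown in the ticket, and `pidof`, GNU `stat -c %Y` and procps `ps -o etimes` are assumed to be available as on Debian-based VyOS.

```shell
#!/bin/sh
# Added example, not VyOS project code: detect a conntrackd that is still running
# with a configuration older than the one on disk, and report which sync transport
# the on-disk config actually declares. Paths are the ones shown in the ticket;
# the two Sync sections below are constructed samples for an offline run.

CONNTRACKD_CONF=/etc/conntrackd/conntrackd.conf   # path from the ticket

# Constructed sample: the Sync section a multicast setup writes.
SAMPLE_MCAST='Sync {
    Mode FTFW {
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 10.0.0.1
        Interface eth1
    }
}'

# Constructed sample: the Sync section a unicast (peer) setup writes.
SAMPLE_UDP='Sync {
    Mode FTFW {
    }
    UDP {
        IPv4_address 10.0.0.1
        IPv4_Destination_Address 10.0.0.2
        Port 3780
        Interface eth1
    }
}'

# sync_mode_of: reads a conntrackd config on stdin and prints Multicast, UDP,
# both (misconfiguration) or none, based on the transport blocks in Sync { }.
sync_mode_of() {
    mcast=0
    udp=0
    while IFS= read -r line; do
        case "$line" in
            *Multicast*"{"*) mcast=1 ;;
            *UDP*"{"*)       udp=1 ;;
        esac
    done
    if [ "$mcast" = 1 ] && [ "$udp" = 1 ]; then
        echo both
    elif [ "$mcast" = 1 ]; then
        echo Multicast
    elif [ "$udp" = 1 ]; then
        echo UDP
    else
        echo none
    fi
}

# is_stale START_EPOCH CONF_MTIME_EPOCH: true (0) when the daemon started before
# the config file was last written, so it cannot have read the current config.
is_stale() {
    [ "$1" -lt "$2" ]
}

# check_live: on a VyOS box, compare the running conntrackd's start time with the
# config file's mtime. Assumes pidof, GNU stat and procps ps (etimes) as on Debian.
check_live() {
    pid=$(pidof conntrackd 2>/dev/null) || { echo "conntrackd not running"; return 2; }
    pid=${pid%% *}                                   # first PID if several
    elapsed=$(ps -o etimes= -p "$pid" | tr -d ' ')   # seconds since the daemon started
    started=$(( $(date +%s) - elapsed ))
    conf_mtime=$(stat -c %Y "$CONNTRACKD_CONF")
    if is_stale "$started" "$conf_mtime"; then
        echo "STALE: conntrackd PID $pid predates $CONNTRACKD_CONF; restart it"
        return 1
    fi
    echo "OK: conntrackd PID $pid; config declares $(sync_mode_of < "$CONNTRACKD_CONF")"
}

# Offline demo on the constructed samples; run check_live on the router itself.
echo "multicast sample -> $(printf '%s\n' "$SAMPLE_MCAST" | sync_mode_of)"
echo "udp sample       -> $(printf '%s\n' "$SAMPLE_UDP" | sync_mode_of)"
```

A non-zero exit from `check_live` is the signal the ticket asks the commit hook to act on: the daemon must be stopped and started again before "show conntrack-sync" can be trusted, since the start-time comparison is independent of what the CLI reports.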