
Changes to Conntrack-Sync don't apply correctly (Multicast->UDP)
Open, Requires assessment · Public · BUG

Description

I just found out it was possible to use UDP Unicast for Conntrack-Sync instead of the Multicast I was using.

I changed my configuration from Multicast to Unicast and committed the changes. Removed the mcast-group command and added "peer <x.x.x.x>" to the end of the Interface command.

However this didn't make "show conntrack-sync" show Unicast, it still showed Multicast.

So I did a "restart conntrack-sync" but this didn't work either. Doing a "ps afux" still showed a very early (boot) PID for /usr/sbin/conntrackd.

Only a "sudo kill <pid of conntrackd>" killed it (so it wasn't running at all).
Then I had to manually restart it with "restart conntrack-sync".

This changed Conntrack Sync to actually use UDP instead of Multicast.

I verified this both with

a) Taking TCP dumps on other hosts and still seeing Multicast traffic
b) The "show conntrack-sync statistics" command was saying it was Multicast traffic, but now that I've fixed it, it states UDP traffic.

I think that any changes to the conntrack-sync section should result in a proper restart of conntrack-sync, or at the very minimum "restart conntrack-sync" should properly restart it, not require me to kill the existing conntrackd before issuing it.

Thanks!

Details

Difficulty level
Unknown (require assessment)
Version
1.2.6-S1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

To reproduce (VyOS 1.3-beta-202106271614):

set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism vrrp sync-group 'FOO'
set service conntrack-sync interface eth1 peer '192.0.2.2'

If we compare the config, we can see an unexpected multicast group:

vyos@r2# compare 
[edit service]
+conntrack-sync {
+    accept-protocol tcp,udp,icmp
+    event-listen-queue-size 8
+    failover-mechanism {
+        vrrp {
+            sync-group FOO
+        }
+    }
+    interface eth1 {
+        peer 192.0.2.2
+    }
+    mcast-group 225.0.0.50
+    sync-queue-size 1
+}

So if we reboot the router, we don't see any configuration related to "service conntrack-sync":

vyos@r4-1.3:~$ show conf com | match conntrack
vyos@r4-1.3:~$

but we still find a conntrackd PID, so the next commit (re-adding the conntrack-sync config) will fail:

vyos@r2# commit
[ service conntrack-sync ]
conntrack-sync error: /etc/init.d/conntrackd failed to start /usr/sbin/conntrackd!

[[service conntrack-sync]] failed
Commit failed
[edit]
vyos@r2# 
[edit]
vyos@r2# ps ax | grep conntr
 2881 ?        Ss     0:00 /usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf -d
 3559 ttyS0    S+     0:00 grep conntr
[edit]
vyos@r2#
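As an added check (not part of this bug report or of VyOS itself), a POSIX shell snippet that reads the generated conntrackd.conf to report which sync transport it actually declares, and flags a conntrackd process that started before that file was last written, i.e. a daemon still running on the previous transport. The function names, and the assumption that the file uses conntrackd's own `Sync { UDP { ... } Multicast { ... } }` syntax, are mine; the report does not show the file.

```shell
#!/bin/sh
# Added example: verify what conntrackd was actually configured with, rather
# than trusting "show conntrack-sync" while an old daemon may still be running.
# Assumes standard conntrackd.conf syntax (Sync block with UDP/Multicast
# sub-blocks); the bug report itself does not include the generated file.

# Print the transports declared inside the Sync block of a conntrackd.conf:
# "UDP", "Multicast", "UDP Multicast" (both declared) or "none".
conntrackd_sync_transport() {
    conf="$1"
    # Strip comments first so a commented-out Multicast block is not counted,
    # then track the Sync { ... } block by brace depth.
    sed 's/#.*//' "$conf" | awk '
        /^[[:space:]]*Sync[[:space:]]*[{]/ { insync=1; depth=0 }
        insync && /^[[:space:]]*UDP[[:space:]]*[{]/       { udp=1 }
        insync && /^[[:space:]]*Multicast[[:space:]]*[{]/ { mc=1 }
        insync {
            n=gsub(/[{]/, "{"); depth+=n
            n=gsub(/[}]/, "}"); depth-=n
            if (depth <= 0) insync=0
        }
        END {
            out=""
            if (udp) out="UDP"
            if (mc)  out=(out=="" ? "Multicast" : out " Multicast")
            print (out=="" ? "none" : out)
        }'
}

# Return 0 (stale) if the daemon started before the config was last written,
# which is the situation the report describes after "restart conntrack-sync".
# Usage: conntrackd_is_stale /etc/conntrackd/conntrackd.conf <pid>
conntrackd_is_stale() {
    conf="$1"; pid="$2"
    conf_mtime=$(stat -c %Y "$conf")
    proc_start=$(date -d "$(ps -o lstart= -p "$pid")" +%s)
    [ "$proc_start" -lt "$conf_mtime" ]
}
```

Run `conntrackd_sync_transport /etc/conntrackd/conntrackd.conf` after a commit and compare it with the transport reported by `show conntrack-sync statistics`; a mismatch, or `conntrackd_is_stale` returning 0 for the PID from `ps ax | grep conntr`, means the old daemon is still in charge.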