
Changes to Conntrack-Sync don't apply correctly (Multicast->UDP)
Backport candidate, Normal, Public, BUG


I just found out it was possible to use UDP Unicast for Conntrack-Sync instead of the Multicast I was using.

I changed my configuration from Multicast to Unicast and committed the changes. Removed the mcast-group command and added "peer <x.x.x.x>" to the end of the Interface command.

However, this didn't make "show conntrack-sync" show Unicast; it still showed Multicast.

So I did a "restart conntrack-sync", but this didn't work either. Doing a "ps afux" still showed a very early (boot) PID for /usr/sbin/conntrackd.

Only a "sudo kill <pid of conntrackd>" killed it (so it wasn't running at all)
Then I had to manually restart it with "restart conntrack-sync"

This changed Conntrack Sync to actually use UDP instead of Multicast.

I verified this both with

a) Taking TCP dumps on other hosts and still seeing Multicast traffic
b) The "show conntrack-sync statistics" command was saying it was Multicast traffic, but now that I've fixed it, it states UDP traffic.

I think that any changes to the conntrack-sync section should result in a proper restart of conntrack-sync, or at the very minimum "restart conntrack-sync" should properly restart it, not require me to kill the existing conntrackd before issuing it.



Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

To reproduce (VyOS 1.3-beta-202106271614):

set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism vrrp sync-group 'FOO'
set service conntrack-sync interface eth1 peer ''

If we compare the config, we can see an unexpected multicast group

[email protected]# compare 
[edit service]
+conntrack-sync {
+    accept-protocol tcp,udp,icmp
+    event-listen-queue-size 8
+    failover-mechanism {
+        vrrp {
+            sync-group FOO
+        }
+    }
+    interface eth1 {
+        peer
+    }
+    mcast-group
+    sync-queue-size 1

So if we reboot the router, we don't see any configuration related to "service conntrack-sync"

[email protected]:~$ show conf com | match conntrack
[email protected]:~$

but we find a conntrackd PID.
So the next commit (re-adding the conntrack-sync config) will fail:

[email protected]# commit
[ service conntrack-sync ]
conntrack-sync error: /etc/init.d/conntrackd failed to start /usr/sbin/conntrackd!

[[service conntrack-sync]] failed
Commit failed
[email protected]# 
[email protected]# ps ax | grep conntr
 2881 ?        Ss     0:00 /usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf -d
 3559 ttyS0    S+     0:00 grep conntr
[email protected]#
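Both the original report (a boot-time conntrackd surviving "restart conntrack-sync") and the reproduction above (PID 2881 still present after the config was removed, so the next commit fails) describe the same condition: a conntrackd process older than the configuration it is supposed to be running. The following script is an added example, not code from the bug report or from VyOS. It detects that condition by comparing the daemon's start time with the mtime of its configuration file, and performs a restart that verifies the old PID is gone and a new one is running instead of trusting the init script's exit status. The binary, config and init script paths are the ones visible in the output above; the function names and the start-time method (btime from /proc/stat plus starttime from /proc/PID/stat) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or VyOS): detect a stale conntrackd and
# restart it with verification. Paths below are those shown in the report's ps output.

CONNTRACKD_BIN=/usr/sbin/conntrackd
CONNTRACKD_CONF=/etc/conntrackd/conntrackd.conf
INIT_SCRIPT=/etc/init.d/conntrackd

# pids_from_ps: read "PID ARGS..." lines (the format of `ps -eo pid=,args=`) on stdin
# and print only PIDs whose command is exactly the conntrackd binary. Matching the
# full path avoids `ps ax | grep conntr` matching the grep process itself.
pids_from_ps() {
    awk -v bin="$CONNTRACKD_BIN" '$2 == bin { print $1 }'
}

# conntrackd_pids: the same filter applied to the live process table.
conntrackd_pids() {
    ps -eo pid=,args= | pids_from_ps
}

# process_start_epoch PID: seconds since the epoch at which PID started (Linux only).
# btime from /proc/stat plus field 22 (starttime, clock ticks) of /proc/PID/stat.
process_start_epoch() {
    btime=$(awk '/^btime/ { print $2 }' /proc/stat)
    ticks=$(awk '{ print $22 }' "/proc/$1/stat")
    hz=$(getconf CLK_TCK)
    echo $(( btime + ticks / hz ))
}

# is_stale START_EPOCH CONF_MTIME: succeed when the daemon started before its
# configuration file was last written, i.e. it cannot be running the committed config.
is_stale() {
    [ "$1" -lt "$2" ]
}

# check: print the status of every conntrackd process; exit non-zero if any is stale.
check() {
    mtime=$(stat -c %Y "$CONNTRACKD_CONF")
    rc=0
    for pid in $(conntrackd_pids); do
        start=$(process_start_epoch "$pid")
        if is_stale "$start" "$mtime"; then
            echo "conntrackd pid $pid started at $start, config changed at $mtime: STALE"
            rc=1
        else
            echo "conntrackd pid $pid is newer than $CONNTRACKD_CONF: ok"
        fi
    done
    return $rc
}

# restart_verified: TERM every conntrackd, wait for the PIDs to disappear, start again
# via the init script, then confirm a different PID is running. Fails loudly otherwise.
restart_verified() {
    old=$(conntrackd_pids)
    for pid in $old; do kill -TERM "$pid"; done
    i=0
    while [ -n "$(conntrackd_pids)" ] && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    if [ -n "$(conntrackd_pids)" ]; then
        echo "conntrackd did not exit after SIGTERM: $(conntrackd_pids)" >&2
        return 1
    fi
    "$INIT_SCRIPT" start || return 1
    sleep 1
    new=$(conntrackd_pids)
    [ -n "$new" ] || { echo "no conntrackd running after start" >&2; return 1; }
    for pid in $old; do
        [ "$pid" != "$new" ] || { echo "pid $pid survived restart" >&2; return 1; }
    done
    echo "conntrackd restarted: old pid(s) [$old], new pid $new"
}

# Usage: sh conntrackd-check.sh check | restart (root needed for restart).
case "${1:-}" in
    check)   check ;;
    restart) restart_verified ;;
esac
```

Run `check` after every commit that touches service conntrack-sync; a STALE result is exactly the state the report describes, and `restart` is the kill-then-start sequence the reporter had to do by hand, with the PID change checked rather than assumed.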
erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 12:20 PM
erkin removed a subscriber: Active contributors.
syncer changed the task status from Open to Backport candidate. Oct 17 2021, 12:22 PM
syncer triaged this task as Normal priority.