Conntrack-sync and NFSv3

ArneO · March 3, 2015, 2:44pm

Hi,

In my setup with conntrack-sync things works nice except when I need NFSv3.

In /var/log/messages it’s logged:

Mar  3 15:25:39 vyos-01 conntrack-tools[4353]: no CT attached to this packet
Mar  3 15:25:39 vyos-01 conntrack-tools[4353]: failed to process message

I see the packet on the ingress interface but nothing comes on the egress interface. When I disable conntrack-sync it works, but then my failover will be broken.

ArneO · March 3, 2015, 4:17pm

Removing the following from iptables makes nfs work, but what does it break?

Chain VYATTA_CT_HELPER (2 references)
target     prot opt source               destination
CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1525 CT helper tns
CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1521 CT helper tns
CT         udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:111 CT helper rpc
CT         tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:111 CT helper rpc

Mystray · March 4, 2015, 11:21am

I got similar problem with oracle db.
Removing the following from iptables looks similar to

set system conntrack modules nfs 'disable' set system conntrack modules sqlnet 'disable'

ArneO · March 4, 2015, 1:23pm

But the conntrack works, but not together with conntrack-sync. So I wonder what will break when setting the conntrack to disable?

The best thing would probably be if we could find a way to get it work with conntrack, and not just disable it.

billytheczech · April 27, 2016, 7:38am

Any update on this? just hit this bug…

ArneO · April 28, 2016, 12:28pm

http://bugzilla.vyos.net/show_bug.cgi?id=412

look at the bug, there are the latest updates