CONNTRACKD.CONF(5)            File Formats Manual           CONNTRACKD.CONF(5)



NAME
       conntrackd.conf - configuration file for conntrackd daemon


DESCRIPTION
       conntrackd.conf  is  the  main configuration file for the conntrackd(8)
       daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

       The format of this file is simple, using brackets for sections and key-
       value pairs for concrete configuration directives:

            section1 {
                 option1 value1
                 option2 value2
            }
            section2 {
                 option3 value3
                 subsection1 {
                      option4 value4
                 }
            }

       You should consider this file as case-sensitive.  Empty lines and lines
       starting with the '#' character are ignored.

       Before starting to develop a new configuration, you may want  to  learn
       the concepts behind this technology at
       http://conntrack-tools.netfilter.org/manual.html.

       There are complete configuration examples at the end of this man page.


SYNC
       This top-level section defines how conntrackd(8) should handle synchro‐
       nization with other cluster nodes.

       There are 3 main synchronization modes or protocols: NOTRACK, ALARM and
       FTFW.

       There are 3 transport protocols as well: TCP, Multicast and UDP.

       You have to choose one synchronization mode and one transport protocol.

       Also, there are some general options in this section.


   Mode FTFW
       This mode is based on a reliable protocol that performs message  track‐
       ing.  Thus, the protocol can recover from message loss, re-ordering and
       corruption.

       In this synchronization mode you may configure ResendQueueSize, Commit‐
       Timeout, PurgeTimeout, ACKWindowSize and DisableExternalCache.


       ResendQueueSize <value>
              Size  of the resend queue (in objects). This is the maximum num‐
              ber of objects that can be stored waiting to  be  confirmed  via
              acknowledgment. If you keep this value low, the daemon will have
              fewer chances to recover state-changes under message omission.
              On the other hand, if you keep this value high, the daemon  will
              consume more memory to store dead objects.

              Example: ResendQueueSize 131072

              Default is 131072 objects.


       CommitTimeout <seconds>
              This parameter allows you to set an initial  fixed  timeout  for
              the  committed  entries  when this node goes from backup to pri‐
              mary. This mechanism provides a way to purge entries  that  were
              not  recovered  appropriately after the specified fixed timeout.
              If you set a low value, TCP entries in Established  states  with
              no  traffic  may  hang.  For  example, an SSH connection without
              KeepAlive enabled.

              Example: CommitTimeout 180

              By default, this option is not set (the daemon uses an  approxi‐
              mate timeout value calculation mechanism).


       PurgeTimeout <seconds>
              If the firewall replica goes from primary to backup, the
              `conntrackd -t' command is invoked in the script. This command
              schedules a flush of the table in N seconds.

              This  is useful to purge the connection tracking table of zombie
              entries and avoid clashes with old entries if you  trigger  sev‐
              eral consecutive hand-overs.

              Default is 60 seconds.


       ACKWindowSize <value>
              Set the acknowledgement window size. If you decrease this value,
              the number of acknowledgments  increases.  More  acknowledgments
              means  more overhead as conntrackd(8) has to handle more control
              messages. On the other hand, if you  increase  this  value,  the
              resend  queue gets more populated. This results in more overhead
              in the queue releasing.

              Example: ACKWindowSize 300

              If not set, default window size is 300 (value is based  on  some
              practical experiments measuring the cycles spent by the acknowl‐
              edgment handling with oprofile).


       DisableExternalCache <on|off>
              This clause allows you to disable the external cache. Thus,  the
              state  entries  are  directly injected into the kernel conntrack
              table. As a result, you save memory in user-space but  you  con‐
              sume  slots  in  the  kernel  conntrack  table  for backup state
              entries. Moreover, disabling the external cache means  more  CPU
              consumption.  You need a Linux kernel >= 2.6.29 to use this fea‐
              ture.

              If you are installing conntrackd(8) for the first time,  please
              read the user manual; consider using the fail-over scripts  in‐
              stead of enabling this option!

              By default, this clause is set off.

   Mode ALARM
       This mode is spammy. It is based on an alarm-based protocol that  peri‐
       odically  re-sends the flow state to the backup firewall replicas. This
       protocol consumes a lot of bandwidth but  it  resolves  synchronization
       problems fast.

       In  this synchronization mode you may configure RefreshTime, CacheTime‐
       out, CommitTimeout and PurgeTimeout.


       RefreshTime <seconds>
              If a conntrack entry is not modified in <=  N  seconds,  then  a
              message  is broadcasted. For example, this mechanism may be used
              to resynchronize nodes that just joined the multicast group.

              Example: RefreshTime 15


       CacheTimeout <seconds>
              If we don't receive a notification about the state of  an  entry
              in the external cache after N seconds, then remove it.

              Example: CacheTimeout 180


       CommitTimeout <seconds>
              Same as in FTFW mode.


       PurgeTimeout <seconds>
              Same as in FTFW mode.


   Mode NOTRACK
       This is the simplest mode, as it is based on a best-effort,  i.e.  un‐
       reliable, replication protocol. This protocol sends  and  receives  the
       state information without performing any specific checking.

       In  this  synchronization  mode you may configure DisableInternalCache,
       DisableExternalCache, CommitTimeout and PurgeTimeout.


       DisableInternalCache <on|off>
              This clause allows you to disable the internal cache. Thus,  the
              synchronization messages are directly sent through the dedicated
              link.

              This option is set off by default.


       DisableExternalCache <on|off>
              Same as in FTFW mode.


       CommitTimeout <seconds>
              Same as in FTFW mode.


       PurgeTimeout <seconds>
              Same as in FTFW mode.

   MULTICAST
       This section tells conntrackd(8) to use multicast  as  the  transport
       mechanism between nodes of the firewall cluster.

       Please  note you can specify more than one dedicated link. Thus, if one
       dedicated link fails, the daemon can fail-over to  another.  Note  that
       adding  more  than  one dedicated link does not mean that state-updates
       will be sent to all of them. There is only one active dedicated link at
       a given moment.

       The  Default  keyword indicates that this interface will be selected as
       the initial dedicated link. You can have up to  4  redundant  dedicated
       links.

       Note: use different multicast groups for every redundant link.

       Example:
            Multicast Default {
                 IPv4_address 225.0.0.51
                 Group 3781
                 IPv4_interface 192.168.100.101
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Multicast {
                 IPv4_address 225.0.0.51
                 Group 3782
                 IPv4_interface 192.168.100.102
                 Interface eth4
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }


       IPv4_address <address>
              Multicast  address:  The  address that you use as destination in
              the synchronization messages. You do not have to add this IP  to
              any of your existing interfaces.

              Example: IPv4_address 225.0.0.50


       Group <number>
              The multicast group that identifies the cluster.

              Example: Group 3780

              If in any doubt, do not modify this value.


       IPv4_interface <address>
              IP  address  of  the interface that you are going to use to send
              the synchronization messages. Remember that you must use a dedi‐
              cated link for the synchronization messages.

              Example:  IPv4_interface 192.168.100.100


       Interface <name>
              The  name of the interface that you are going to use to send the
              synchronization messages.

              Example: Interface eth2


       SndSocketBuffer <number>
              This transport protocol sender uses  a  buffer  to  enqueue  the
              packets  that  are  going to be transmitted. The default size of
              this socket buffer is available at
              /proc/sys/net/core/wmem_default.

              This  value  determines  the  chances  to have an overrun in the
              sender queue. The overrun results in packet loss,  thus,  losing
              state  information  that  would have to be retransmitted. If you
              notice some packet loss, you may want to increase  the  size  of
              the buffer. The system default size is usually around 100 KBytes
              which is fairly small for busy firewalls.

              Note: since the NOTRACK protocol is best effort, it  is  really
              recommended to increase the buffer size.

              Example: SndSocketBuffer 1249280


       RcvSocketBuffer <number>
              This  transport  protocol  receiver uses a buffer to enqueue the
              packets that the socket is pending to handle. The  default  size
              of this socket buffer is available at
              /proc/sys/net/core/rmem_default.

              This value determines the chances to  have  an  overrun  in  the
              receiver  queue.  The overrun results in packet loss, thus, los‐
              ing state information that would have to  be  retransmitted.  If
              you  notice  some packet loss, you may want to increase the size
              of the buffer. The system default size is usually around 100
              KBytes which is fairly small for busy firewalls.

              Note: since the NOTRACK protocol is best effort, it  is  really
              recommended to increase the buffer size.

              Example: RcvSocketBuffer 1249280


       Checksum <on|off>
              Enable/Disable message checksumming. This is a good property  to
              achieve fault-tolerance. In case of doubt, use it.

   UDP
       This  section tells conntrackd(8) to use UDP as the transport mechanism
       between nodes of the firewall cluster.

       As in the Multicast configuration, you may  specify  several  fail-over
       dedicated links using the Default keyword.

       Example:
            UDP {
                 IPv4_address 172.16.0.1
                 IPv4_Destination_Address 172.16.0.2
                 Port 3781
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }


       IPv4_address <address>
              UDP IPv4 address that this firewall uses to listen to events.

              Example: IPv4_address 192.168.2.100


       IPv6_address <address>
              UDP IPv6 address that this firewall uses to listen to events.

              Example: IPv6_address fe80::215:58ff:fe28:5a27


       IPv4_Destination_Address <address>
              Destination IPv4 UDP address that receives events, ie. the other
              firewall's dedicated link address.

              Example: IPv4_Destination_Address 192.168.2.101


       IPv6_Destination_Address <address>
              Destination IPv6 UDP address that receives events, ie. the other
              firewall's dedicated link address.

              Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c


       Port <number>
              UDP port used.

              Example: Port 3780


       Interface <name>
              Same as in the Multicast transport protocol configuration.


       SndSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.


       RcvSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.


       Checksum <on|off>
              Same as in the Multicast transport protocol configuration.


   TCP
       You can also use Unicast TCP to propagate events.

       If  you  combine this transport with the NOTRACK mode, it becomes reli‐
       able.

       The TCP transport protocol can be configured in exactly the same way as
       the UDP transport protocol.

       As in the Multicast configuration, you may  specify  several  fail-over
       dedicated links using the Default keyword.

       Example:
            TCP {
                 IPv6_address fe80::215:58ff:fe28:5a27
                 IPv6_Destination_Address fe80::215:58ff:fe28:5a27
                 Port 3781
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }


   OPTIONS
       Other unsorted options that are related to the synchronization protocol
       or transport mechanism.


       TCPWindowTracking <on|off>
              TCP state-entries have window tracking disabled by default;  you
              can enable it with this option. As said, the default is off. This
              feature requires a Linux kernel >= 2.6.36.


       ExpectationSync <on|{ list }>
              Set this option to on if you want to  synchronize  all  expecta‐
              tions,  or  give the list of helpers whose expectations you want
              to synchronize.

              This feature requires a Linux kernel >= 3.5.

              Example, sync all expectations:
                   ExpectationSync on

              Example, sync given expectations:
                   ExpectationSync {
                        ftp
                        ras
                        q.931
                        h.245
                        sip
                   }

              By default, this option is disabled.


GENERAL
       This  top-level  section  contains generic configuration directives for
       the conntrackd(8) daemon.


       Systemd <on|off>
              Enable systemd(1) runtime support if conntrackd(8)  is  compiled
              with  the  proper configuration. Then you can use a service unit
              of Type=notify.

              Obviously, this requires the init system of your system  to  be
              systemd(1).

              Note: systemd(1) watchdog is supported as well.

              Example: Systemd on

              By default runtime support is disabled.


       Nice <value>
              Set the nice(1) value of the daemon. This value goes  from  -20
              (most favorable scheduling) to 19  (least  favorable).  Using  a
              very low value reduces the chances to lose state-change events.

              Example: Nice -20

              Default is 0, but this example sets it to the  most  favorable
              scheduling as this is generally a good idea.


       HashSize <value>
              Number of buckets in the cache hashtable. The bigger it is,  the
              closer  it  gets  to  O(1) at the cost of consuming more memory.
              Read some documents about tuning hashtables for  further  refer‐
              ence.

              Example: HashSize 32768


       HashLimit <value>
              Maximum number of conntracks. It should be double the  value  of
              /proc/sys/net/netfilter/nf_conntrack_max since  the  daemon  may
              keep some dead entries cached for possible retransmission during
              state synchronization.

              Example: HashLimit 131072


       LogFile <on|off|filename>
              Enable conntrackd(8) to log to a file.

              Example: LogFile on

              Default is off. The default logfile is /var/log/conntrackd.log.


       Syslog <on|off|facility>
              Enable connection logging via Syslog. If you set  the  facility,
              use  the  same  as  in the Stats section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is off.


       LockFile <filename>
              Lockfile to be used by conntrackd(8) (absolute path).

              Example: LockFile /var/lock/conntrack.lock

              Default is /var/lock/conntrack.lock.


       NetlinkBufferSize <value>
              Netlink event socket buffer size. If you  do  not  specify  this
              clause, the default buffer size value in
              /proc/sys/net/core/rmem_default is used. This default  value  is
              usually around 100 KBytes which is fairly small for  busy  fire‐
              walls. This leads to event message dropping and  high  CPU  con‐
              sumption.

              Example: NetlinkBufferSize 2097152


       NetlinkBufferSizeMaxGrowth <value>
              The daemon doubles the size of the netlink event  socket  buffer
              size  if  it detects netlink event message dropping. This clause
              sets the maximum buffer size growth that can be reached.

              Example:  NetlinkBufferSizeMaxGrowth 8388608


       NetlinkOverrunResync <on|off|value>
              If the daemon detects  that  Netlink  is  dropping  state-change
              events,  it  automatically schedules a resynchronization against
              the Kernel after 30 seconds (default value).  Resynchronizations
              are  expensive  in terms of CPU consumption since the daemon has
              to get the full kernel state-table and purge state-entries  that
              do not exist anymore.

              Note: Be careful when setting a very small value here.

              Example: NetlinkOverrunResync on

              The  default  value is 30 seconds.  If not specified, the daemon
              assumes that this option is enabled and uses the default value.


       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this  op‐
              tion on. If you set this clause on, it is a good idea to set off
              NetlinkOverrunResync.

              You need Linux Kernel >= 2.6.31 for this option to work.

              Example: NetlinkEventsReliable on

              This option is off by default.


       PollSecs <seconds>
              By default, the  daemon  receives  state  updates  following  an
              event-driven  model.  You can modify this behaviour by switching
              to polling mode with this clause.

              This clause tells conntrackd(8) to dump the states in the kernel
              every  N  seconds.  With  regards  to  synchronization mode, the
              polling mode can only guarantee that  long-lifetime  states  are
              recovered. The main advantage of this method is the reduction in
              the state replication at the cost of  reducing  the  chances  of
              recovering connections.

              Example: PollSecs 15


       EventIterationLimit <value>
              The  daemon prioritizes the handling of state-change events com‐
              ing from the core. With this clause, you  can  set  the  maximum
              number  of  state-change events (those coming from kernel-space)
              that the daemon will handle after which  it  will  handle  other
              events coming from the network or userspace.

              A low value improves interactivity (in terms of real-time behav‐
              iour) at the cost of extra CPU consumption.

              Example: EventIterationLimit 100

              Default (if not set) is 100.

   UNIX
       Unix socket configuration. This socket is used by conntrackd(8) to lis‐
       ten to external commands like `conntrackd -k' or `conntrackd -n'.

       Example:
            UNIX {
                 Path /var/run/conntrackd.ctl
                 Backlog 20
            }


       Path <filename>
              Absolute path to the Unix socket.

              Example: Path /var/run/conntrackd.ctl


       Backlog <value>
              Number of items in the backlog.

              Example: Backlog 20

   FILTER
       Event filtering. This clause allows you to filter certain traffic.

       There are currently three filter-sets: Protocol, Address and State. The
       filter is attached to an action that can be: Accept  or  Ignore.  Thus,
       you  can  define the event filtering policy of the filter-sets in posi‐
       tive or negative logic depending on your needs.

       You can select if conntrackd(8) filters the event messages  from  user-
       space  or kernel-space. The kernel-space event filtering saves some CPU
       cycles by avoiding the copy of the event message from  kernel-space  to
       user-space. The kernel-space event filtering is preferred; however, you
       require a Linux kernel >= 2.6.29 to filter from kernel-space.

       The syntax for this section is: Filter From <from> { }.

       If you want to select kernel-space event  filtering,  use  the  keyword
       Kernelspace instead of Userspace.

       Example:
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                 }
                 State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                 }
            }


       Protocol <policy> { <protocols list> }
              Accept  only  certain  protocols:  You may want to replicate the
              state of flows depending on their layer 4 protocol.

              Policy is one of Accept or Ignore.

              Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

              The ICMP and IPv6-ICMP  protocols  require  a  Linux  kernel  >=
              2.6.31.

              Example:
                   Protocol Accept {
                        TCP
                        SCTP
                        DCCP
                   }


       Address <policy> { <addresses list> }
              Ignore traffic for a certain set of IPs: usually all the IPs as‐
              signed to the firewall, since local traffic must be ignored  and
              only forwarded connections are worth replicating.

              Note that these values depend on the local IPs that are assigned
              to the firewall.

              You may specify several IPv4_address and/or IPv6_address  direc‐
              tives. You can also specify networks in CIDR format.

              Policy is one of Accept or Ignore.

              Example:
                   Address Ignore {
                        IPv4_address 127.0.0.1 # loopback
                        IPv4_address 192.168.0.100 # virtual IP 1
                        IPv4_address 192.168.1.100 # virtual IP 2
                        IPv4_address 192.168.100.100 # dedicated link ip
                        IPv4_address 192.168.0.0/24
                        IPv6_address ::1
                   }


       State <policy> { <states list> }
              Filter by flow state.  This option introduces a trade-off in the
              replication: it reduces CPU consumption at the  cost  of  having
              lazy backup firewall replicas.

              Note: only affects TCP flows.

              The  existing  TCP  states are: SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

              Policy is one of Accept or Ignore.

              Example:
                   State Accept {
                        ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                   }

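       The three filter-sets above can be exercised offline before a policy is
       deployed. The Python below is an added example, not code from  the  con‐
       ntrack-tools project: it models Protocol, Address and State  filter-sets
       with Accept/Ignore policies and applies the man page's own Filter  exam‐
       ple (plus a CIDR entry) to constructed events. Assumptions  not  stated
       on this page: the sets are applied independently and an event is repli‐
       cated only if every configured set lets it pass, Address matches either
       endpoint of the flow, and the names Event, FilterSet, EventFilter, deci‐
       sions and the sample data are mine.

```python
"""Evaluate conntrackd-style event filters (Protocol, Address, State).

Added example, not conntrackd's own code.  Assumptions: each filter-set is
applied independently and an event is replicated only if every configured
set lets it through; Address matches either endpoint; State is consulted
only for TCP flows, as the man page says.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSED", "LISTEN"}
PROTOCOLS = {"TCP", "SCTP", "DCCP", "UDP", "ICMP", "IPv6-ICMP"}


@dataclass
class Event:
    proto: str
    src: str
    dst: str
    state: Optional[str] = None   # TCP only


class FilterSet:
    """One `<Set> <policy> { items }` block: Accept keeps matches, Ignore drops them."""
    def __init__(self, policy, items):
        if policy not in ("Accept", "Ignore"):
            raise ValueError(f"policy must be Accept or Ignore, got {policy!r}")
        self.policy, self.items = policy, list(items)

    def passes(self, matched):
        return matched if self.policy == "Accept" else not matched


class EventFilter:
    def __init__(self, protocol=None, address=None, state=None):
        if protocol and not set(protocol.items) <= PROTOCOLS:
            raise ValueError("unknown protocol in Protocol filter")
        if state and not set(state.items) <= TCP_STATES:
            raise ValueError("unknown TCP state in State filter")
        self.protocol, self.address, self.state = protocol, address, state
        # Address items may be single hosts or CIDR networks, IPv4 or IPv6.
        self.networks = [ipaddress.ip_network(a, strict=False)
                         for a in (address.items if address else [])]

    def _address_matched(self, ev):
        for ip in (ipaddress.ip_address(ev.src), ipaddress.ip_address(ev.dst)):
            if any(ip in net for net in self.networks):   # v4 vs v6 never matches
                return True
        return False

    def replicate(self, ev):
        """True if the state-change event would be replicated to the backup."""
        if self.protocol and not self.protocol.passes(ev.proto in self.protocol.items):
            return False
        if self.address and not self.address.passes(self._address_matched(ev)):
            return False
        if self.state and ev.proto == "TCP":
            if not self.state.passes(ev.state in self.state.items):
                return False
        return True


# The Filter example from the man page, plus a CIDR entry as Address allows.
EXAMPLE_FILTER = EventFilter(
    protocol=FilterSet("Accept", ["TCP", "SCTP", "DCCP"]),
    address=FilterSet("Ignore", ["127.0.0.1", "::1", "192.168.0.0/24"]),
    state=FilterSet("Accept", ["ESTABLISHED", "CLOSED", "TIME_WAIT", "CLOSE_WAIT"]),
)

# Constructed events using documentation address ranges (RFC 5737 / RFC 3849).
EVENTS = [
    Event("TCP", "198.51.100.7", "203.0.113.9", "ESTABLISHED"),   # forwarded: replicated
    Event("TCP", "198.51.100.7", "203.0.113.9", "SYN_SENT"),      # transient state: skipped
    Event("UDP", "198.51.100.7", "203.0.113.53"),                 # protocol not accepted
    Event("TCP", "192.168.0.55", "203.0.113.9", "ESTABLISHED"),   # inside the ignored /24
    Event("SCTP", "198.51.100.8", "203.0.113.10"),                # State applies to TCP only
    Event("TCP", "127.0.0.1", "127.0.0.1", "ESTABLISHED"),        # firewall-local traffic
    Event("TCP", "2001:db8::5", "::1", "ESTABLISHED"),            # IPv6 loopback endpoint
]


def decisions(flt=EXAMPLE_FILTER, events=EVENTS):
    """Replication decision for each event, in order."""
    return [flt.replicate(ev) for ev in events]


if __name__ == "__main__":
    for ev, ok in zip(EVENTS, decisions()):
        print("replicate" if ok else "ignore   ", ev)
```

       Running the block replicates only the first and fifth events; the  oth‐
       ers are dropped by exactly one filter-set each, which  is  the  quickest
       way to see whether a positive-logic (Accept) or negative-logic (Ignore)
       policy expresses the intended replication scope.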
   SCHEDULER
       Select a different scheduler for the daemon: you can choose between  RR
       and FIFO, and set the process priority.

       See  sched_setscheduler(2)  for  more information. Using a RT scheduler
       reduces the chances to overrun the Netlink buffer.

       Example:
            Scheduler {
                 Type FIFO
                 Priority 99
            }


       Type <type>
              Supported values are RR or FIFO.


       Priority <value>
              Value of the scheduler priority.

              Minimum is 0, maximum is 99.


STATS
       This top-level section tells conntrackd(8) to work as a statistics col‐
       lector for the nf_conntrack Linux kernel subsystem.


       LogFile <on|off|filename>
              If  you  enable  this  option, the daemon writes the information
              about destroyed connections to a logfile.

              Default  is  off.  Default  filename   is   /var/log/conntrackd-
              stats.log.


       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this  op‐
              tion on. If you set this clause on, it is a good idea to set off
              NetlinkOverrunResync. This requires Linux kernel >= 2.6.31.

              Default is off.


       Syslog <on|off|facility>
              Enable  connection logging via Syslog.  If you set the facility,
              use the same as in the General section, otherwise you'll  get  a
              warning message.

              Example: Syslog local0

              Default is off.


HELPER
       Note:  this  configuration  is very advanced and has nothing to do with
       synchronization or stats collection.

       This top-level section tells conntrackd(8) to inject user-space helpers
       into the nf_conntrack Linux kernel subsystem.  It  will  result  in  the
       nf_conntrack engine sending connections to userspace for further process‐
       ing.

       Before  this, you have to make sure you have registered the given user-
       space helper stub.

       Example:
            % nfct add helper ftp inet tcp

       Each user-space helper should be registered using a Type section, which
       is named this way:
            Type <name> <af> <transport>

       Examples:

       Helper {
            Type ftp inet tcp {
                 QueueNum 0
                 QueueLen 10240
                 Policy ftp {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type rpc inet tcp {
                 QueueNum 1
                 QueueLen 10240
                 Policy rpc {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type rpc inet udp {
                 QueueNum 2
                 QueueLen 10240
                 Policy rpc {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type tns inet tcp {
                 QueueNum 3
                 QueueLen 10240
                 Policy tns {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type dhcpv6 inet6 udp {
                 QueueNum 4
                 QueueLen 10240
                 Policy dhcpv6 {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type ssdp inet udp {
                 QueueNum 5
                 QueueLen 10240
                 Policy ssdp {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
       }

       Parameters inside the Type section:


       QueueNum <number>
              Set  NFQUEUE  number you want to use to receive traffic from the
              kernel.

              Example: QueueNum 0


       QueueLen <number>
              Maximum number of packets waiting in the queue to receive a ver‐
              dict from user-space.

              Raise the value if you hit the following error message:
                   "nf_queue: full at X entries, dropping packet(s)"

              Default is 1024.

              Example: QueueLen 10240


       Policy <name> { }
              Set the expectation policy for the given helper.

              This sub-section contains 2 directives: ExpectMax <number> (max‐
              imum number of simultaneous expectations) and ExpectTimeout <sec‐
              onds> (maximum living time for one expectation).


COMPLETE EXAMPLES

       Find below some real-life working examples.


   STATS EXAMPLE
       This configuration example tells conntrackd(8) to work as a stats
       collector.

       Stats {
            LogFile on
            NetlinkEventsReliable Off
            Syslog off
       }
       General {
            Systemd on
            Nice -1
            HashSize 8192
            HashLimit 65535
            Syslog on
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
                 Backlog 20
            }
            NetlinkBufferSize 262142
            NetlinkBufferSizeMaxGrowth 655355
            Filter {
                 Protocol Accept {
                      TCP
                      UDP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                 }
            }
       }


   SYNC EXAMPLE 1
       This example configures synchronization in FTFW mode with Multicast
       transport.

       It includes common general configuration as well.

       Note: this is one of the recommended setups for conntrackd(8) in a
       firewall cluster environment.

       Sync {
            Mode FTFW {
                 ResendQueueSize 131072
                 PurgeTimeout 60
                 ACKWindowSize 300
                 DisableExternalCache Off
            }
            Multicast {
                 IPv4_address 225.0.0.50
                 Group 3780
                 IPv4_interface 192.168.100.100
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Multicast Default {
                 IPv4_address 225.0.0.51
                 Group 3781
                 IPv4_interface 192.168.100.101
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Options {
                 TCPWindowTracking Off
                 ExpectationSync On
            }
       }
       General {
            Systemd on
            Nice -20
            Scheduler {
                 Type FIFO
                 Priority 99
            }
            HashSize 32768
            HashLimit 131072
            LogFile on
            Syslog off
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
                 Backlog 20
            }
            NetlinkBufferSize 2097152
            NetlinkBufferSizeMaxGrowth 8388608
            NetlinkOverrunResync On
            NetlinkEventsReliable Off
            EventIterationLimit 100
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv4_address 192.168.100.0/24
                      IPv6_address ::1
                 }
            }
       }


   SYNC EXAMPLE 2
       This example configures synchronization in NOTRACK mode with TCP
       transport.

       It includes common general configuration as well.

       Sync {
            Mode NOTRACK {
                 DisableInternalCache on
                 DisableExternalCache on
            }
            TCP {
                 IPv4_address 192.168.2.100
                 IPv4_Destination_Address 192.168.2.101
                 Port 3780
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Options {
                 TCPWindowTracking Off
                 ExpectationSync On
            }
       }
       General {
            Systemd on
            Nice -20
            Scheduler {
                 Type FIFO
                 Priority 99
            }
            HashSize 32768
            HashLimit 131072
            LogFile on
            Syslog off
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
                 Backlog 20
            }
            NetlinkBufferSize 2097152
            NetlinkBufferSizeMaxGrowth 8388608
            NetlinkOverrunResync On
            NetlinkEventsReliable Off
            EventIterationLimit 100
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv4_address 192.168.0.0/16
                      IPv6_address ::1
                 }
                 State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                 }
            }
       }



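       The configuration examples above, and the QueueNum/QueueLen/Policy
       parameters of the helper Type section described earlier, are easier
       to validate mechanically than by eye. The following Python script is
       an added example and is not part of the conntrack-tools project: it
       parses the section/key-value syntax this page describes into nested
       dicts and flags two helper Type sections that share a QueueNum, a
       Policy that lacks ExpectMax or ExpectTimeout, and a Sync block that
       does not have exactly one Mode and one transport protocol. The sample
       input is constructed from the examples on this page, and the check
       names and the duplicate-QueueNum rule are this example's own
       assumptions, not something conntrackd itself enforces.

```python
"""Parse conntrackd.conf's section/key-value syntax and sanity-check it."""
# Added example, not conntrack-tools code. SAMPLE_CONF is constructed from this
# page's examples: 'Type ssdp' deliberately reuses QueueNum 3 and 'Policy tns'
# omits ExpectTimeout so the checks have something to report. The check names
# and the duplicate-QueueNum rule are this example's own, not conntrackd's.
from typing import Any, Dict, List, Optional, Tuple

# A key or sub-section header maps to every value seen for it, because keys
# such as IPv4_address may legitimately repeat inside one section.
Section = Dict[str, List[Any]]

SAMPLE_CONF = """
# comments and blank lines are ignored
Helper {
     Type rpc inet udp {
          QueueNum 2
          Policy rpc {
               ExpectMax 1
               ExpectTimeout 300
          }
     }
     Type tns inet tcp {
          QueueNum 3
          Policy tns {
               ExpectMax 1
          }
     }
     Type ssdp inet udp {
          QueueNum 3
     }
}
Sync {
     Mode FTFW {
          ACKWindowSize 300
     }
     Multicast {
          IPv4_address 225.0.0.50
          Group 3780
     }
}
"""

def parse_conf(text: str) -> Section:
    """Build nested Section dicts: a trailing '{' opens a sub-section, '}' closes it."""
    root: Section = {}
    stack: List[Section] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            # The whole header ("Type rpc inet udp", "Multicast Default") is the key.
            child: Section = {}
            stack[-1].setdefault(line[:-1].strip(), []).append(child)
            stack.append(child)
        else:
            # "Key value"; bare tokens such as "TCP" in "Protocol Accept" store None.
            parts = line.split(None, 1)
            stack[-1].setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else None)
    if len(stack) != 1:
        raise ValueError("unterminated section: missing '}'")
    return root

def subsections(sec: Section, first_token: str) -> List[Tuple[str, Section]]:
    """(header, body) of every sub-section whose header starts with first_token."""
    return [(h, v) for h, vals in sec.items() if h.split()[:1] == [first_token]
            for v in vals if isinstance(v, dict)]

def scalar(sec: Section, key: str) -> Optional[str]:
    """Last plain (non-section) value set for key, or None if absent."""
    vals = [v for v in sec.get(key, []) if not isinstance(v, dict)]
    return vals[-1] if vals else None

def check_conf(conf: Section) -> List[str]:
    """Findings as readable strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    queues: Dict[Optional[str], str] = {}  # QueueNum -> Type header that claimed it
    for _, helper in subsections(conf, "Helper"):
        for name, typ in subsections(helper, "Type"):
            q = scalar(typ, "QueueNum")  # a missing QueueNum shows up as None
            if q in queues:  # two helpers cannot share one NFQUEUE number
                findings.append(f"{name}: QueueNum {q} already used by {queues[q]}")
            queues.setdefault(q, name)
            for pname, pol in subsections(typ, "Policy"):
                for req in ("ExpectMax", "ExpectTimeout"):
                    if scalar(pol, req) is None:
                        findings.append(f"{name} / {pname}: missing {req}")
    # The page requires one synchronization Mode and one transport protocol.
    for _, sync in subsections(conf, "Sync"):
        if len(subsections(sync, "Mode")) != 1:
            findings.append("Sync: exactly one Mode section is required")
        kinds = sorted(t for t in ("TCP", "Multicast", "UDP") if subsections(sync, t))
        if len(kinds) != 1:
            findings.append(f"Sync: exactly one transport protocol is required, found {kinds}")
    return findings
```

       Running check_conf(parse_conf(SAMPLE_CONF)) reports the missing
       ExpectTimeout in Policy tns and the QueueNum shared by the tns and
       ssdp helpers; to check a real file, pass the contents of
       conntrackd.conf to parse_conf instead of the constructed sample.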

SEE ALSO

       conntrackd(8), conntrack(8), nfct(8),
       http://conntrack-tools.netfilter.org/manual.html


AUTHOR

       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       This manual page was written by Arturo Borrero González
       <arturo.borrero.glez@gmail.com> based on the conntrackd tarball config
       examples.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       This documentation is free/libre under the terms of the GPLv2+.



                                Nov 19, 2015               CONNTRACKD.CONF(5)