CONNTRACKD(8)                                                    CONNTRACKD(8)

NAME

       conntrackd - netfilter connection tracking user-space daemon


SYNOPSIS

       conntrackd [options]


DESCRIPTION

       conntrackd is the user-space daemon for the netfilter connection
       tracking system. This daemon synchronizes connection tracking states
       between several replica firewalls. Thus, conntrackd can be used to
       deploy highly available stateful firewalls.

       The daemon supports Primary-Backup and Multiprimary setups and can also
       be used as a statistics collector.


OPTIONS

       The options recognized by conntrackd can be divided into two different
       groups.

   GENERAL OPTIONS
       General options for the conntrackd daemon.

       -d     Run conntrackd in daemon mode (fork to background).

       -C <path>
              Load the config file specified by path. See conntrackd.conf(5)
              for details.

       -v     Display version information.

       -h     Display help information.

   CLIENT COMMANDS
       conntrackd can be used in client mode to request information and
       operations from a running instance of the daemon.

       -i [ct|expect]
              Dump the internal cache, i.e. show local states.

       -e [ct|expect]
              Dump the external cache, i.e. show foreign states.

       -x     Display output in XML format. This option is only valid in
              combination with the -i and -e parameters.

       -f [internal|external]
              Flush the internal and/or external cache.

       -F [ct|expect]
              Flush the kernel conntrack table (if you use a Linux kernel >=
              2.6.29, this option will not flush your internal and external
              cache).

       -c     Commit the external cache to the kernel conntrack table.

       -B     Force a bulk send to other replica firewalls. With this command,
              you ask conntrackd to send the state entries that it owns to
              the other nodes.

       -n     Request resync with another node (only FT-FW and NOTRACK modes).

       -k     Kill the daemon.

       -s [network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. If no parameter is passed, it displays the
              general statistics.
              If "network" is passed as parameter, it displays the networking
              statistics.
              If "cache" is passed as parameter, it shows the extended cache
              statistics.
              If "runtime" is passed as parameter, it shows the run-time
              statistics.
              If "process" is passed as parameter, it shows existing child
              processes (if any).
              If "queue" is passed as parameter, it shows queue statistics.
              If "ct" is passed, it displays the general statistics.
              If "expect" is passed as parameter, it shows expectation
              statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table.

       -t     Reset the in-kernel timers (see the PurgeTimeout clause).


DIAGNOSTICS

       The exit code is 0 for correct function. Errors cause an exit code of
       1.


EXAMPLES

       The following examples are illustrative; for real use in a firewall
       fail-over, check the primary-backup.sh script that comes with the
       sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode.

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those handled
              by this firewall.

       conntrackd -e
              Dumps the states held in the external cache, i.e. those handled
              by other replica firewalls.

       conntrackd -c
              Commits the external cache into the kernel connection tracking
              system. This is used to inject the states so that the
              connections can be recovered during the failover.
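
       A role-transition hook in the spirit of the primary-backup.sh script
       mentioned above, as an added example that is not the script shipped
       with conntrack-tools. It assumes a cluster manager invokes it with the
       node's new role as its first argument; the CONNTRACKD_BIN and
       CONNTRACKD_CONFIG variables and the role names primary/backup/fault
       are this example's own conventions.

```shell
#!/bin/sh
# Failover hook modelled on the primary-backup.sh idea (added example, not the
# script shipped with conntrack-tools). Assumed: a cluster manager calls this
# script with the node's new role as $1: primary | backup | fault.
CONNTRACKD_BIN="${CONNTRACKD_BIN:-conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"

# Print, one per line, the client options a node runs when it takes the given
# role. Order matters: peer states are committed before any cache is flushed,
# so the kernel table is populated before the external cache is dropped.
role_commands() {
    case "$1" in
        primary)
            # -c  commit the external cache into the kernel conntrack table
            # -f  flush both caches now that the peer's states are in the kernel
            # -R  resync the internal cache against the kernel table
            # -B  bulk-send the states this node now owns to the other replicas
            printf '%s\n' '-c' '-f' '-R' '-B' ;;
        backup)
            # -t  reset in-kernel timers so stale entries age out (PurgeTimeout)
            # -n  request a resync from the new primary (FT-FW/NOTRACK modes)
            printf '%s\n' '-t' '-n' ;;
        fault)
            # -t  only shorten timers; nothing to commit or announce
            printf '%s\n' '-t' ;;
        *)
            return 2 ;;
    esac
}

# Run the sequence for a role; stop and report at the first failing command so
# a half-applied transition is visible in the cluster manager's logs.
apply_role() {
    role="$1"
    role_commands "$role" >/dev/null || { echo "unknown role: $role" >&2; return 2; }
    for opt in $(role_commands "$role"); do
        "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$opt" || {
            echo "ERROR: conntrackd $opt failed while becoming $role" >&2
            return 1
        }
    done
}

# Entry point when run as a script (no-op when sourced without arguments).
if [ -n "${1:-}" ]; then
    apply_role "$1"
fi
```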

DEPENDENCIES

       This daemon requires a Linux kernel version >= 2.6.18. TCP window
       tracking support requires >= 2.6.22; otherwise you have to disable it.
       Helpers are fully supported since >= 2.6.25; however, if you use any
       previous version, depending on the protocol helper and your setup
       (e.g. whether your setup performs NAT sequence adjustments or not),
       your helper-assisted connections may still be successfully recovered.

       There are several unsupported stateful iptables matches, such as
       recent, connbytes and the quota matches, which gather internal
       information to operate. Since that information does not belong to the
       domain of the connection tracking system, connections affected by
       those matches may not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support
       kernel-space event filtering. Otherwise, all the event filtering is
       done in userspace with the corresponding extra overhead. If you are
       not using the Filter clause in the configuration file, ignore this
       notice.


SYSTEMD INTEGRATION

       Starting with the 1.4.4 release, conntrackd includes integration with
       systemd(1) to use a unit file of Type=notify and watchdog support.


INCOMPATIBILITIES

       During the 0.9.9 development, some important changes in the
       replication message format were introduced. Therefore, conntrackd >=
       0.9.9 will not work appropriately with conntrackd <= 0.9.8.

       This should not be a problem if you use the same conntrackd version in
       all the firewall replica nodes.


SEE ALSO

       conntrackd.conf(5) conntrack(8) iptables(8) nft(8)
       http://conntrack-tools.netfilter.org


BUGS

       Please report them to netfilter-devel@vger.kernel.org (subscription
       required) or file a bug in Netfilter's bugzilla
       (https://bugzilla.netfilter.org).


AUTHORS

       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.



                                 Apr 16, 2018                    CONNTRACKD(8)