CONNTRACKD.CONF(5)            File Formats Manual            CONNTRACKD.CONF(5)

NAME
       conntrackd.conf - configuration file for conntrackd daemon

DESCRIPTION
       conntrackd.conf is the main configuration file for the conntrackd(8)
       daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

       The format of this file is simple, using brackets for sections and
       key-value pairs for concrete configuration directives:

              section1 {
                  option1 value1
                  option2 value2
              }
              section2 {
                  option3 value3
                  subsection1 {
                      option4 value4
                  }
              }

       You should consider this file as case-sensitive. Empty lines and lines
       starting with the '#' character are ignored.

       Before starting to develop a new configuration, you may want to learn
       the concepts behind this technology at
       http://conntrack-tools.netfilter.org/manual.html.

       There are complete configuration examples at the end of this man page.

SYNC
       This top-level section defines how conntrackd(8) should handle
       synchronization with other cluster nodes.

       There are 3 main synchronization modes or protocols: NOTRACK, ALARM
       and FTFW.

       There are 3 transport protocols as well: TCP, Multicast and UDP.

       You have to choose one synchronization mode and one transport
       protocol.

       Also, there are some general options in this section.

   Mode FTFW
       This mode is based on a reliable protocol that performs message
       tracking. Thus, the protocol can recover from message loss,
       re-ordering and corruption.

       In this synchronization mode you may configure ResendQueueSize,
       CommitTimeout, PurgeTimeout, ACKWindowSize, DisableExternalCache and
       StartupResync.

       ResendQueueSize <value>
              Size of the resend queue (in objects). This is the maximum
              number of objects that can be stored waiting to be confirmed
              via acknowledgment. If you keep this value low, the daemon
              will have less chance to recover state-changes under message
              omission. On the other hand, if you keep this value high, the
              daemon will consume more memory to store dead objects.

              Example: ResendQueueSize 131072

              Default is 131072 objects.

       CommitTimeout <seconds>
              This parameter allows you to set an initial fixed timeout for
              the committed entries when this node goes from backup to
              primary. This mechanism provides a way to purge entries that
              were not recovered appropriately after the specified fixed
              timeout. If you set a low value, TCP entries in Established
              states with no traffic may hang. For example, an SSH
              connection without KeepAlive enabled.

              Example: CommitTimeout 180

              By default, this option is not set (the daemon uses an
              approximate timeout value calculation mechanism).

       PurgeTimeout <seconds>
              If the firewall replica goes from primary to backup, the
              `conntrackd -t' command is invoked in the script. This command
              schedules a flush of the table in N seconds.

              This is useful to purge the connection tracking table of
              zombie entries and avoid clashes with old entries if you
              trigger several consecutive hand-overs.

              Default is 60 seconds.

       ACKWindowSize <value>
              Set the acknowledgement window size. If you decrease this
              value, the number of acknowledgments increases. More
              acknowledgments means more overhead as conntrackd(8) has to
              handle more control messages. On the other hand, if you
              increase this value, the resend queue gets more populated.
              This results in more overhead in the queue releasing.

              Example: ACKWindowSize 300

              If not set, the default window size is 300 (the value is based
              on some practical experiments measuring the cycles spent by
              the acknowledgment handling with oprofile).

       DisableExternalCache <on|off>
              This clause allows you to disable the external cache. Thus,
              the state entries are directly injected into the kernel
              conntrack table. As a result, you save memory in user-space
              but you consume slots in the kernel conntrack table for backup
              state entries. Moreover, disabling the external cache means
              more CPU consumption. You need a Linux kernel >= 2.6.29 to use
              this feature.

              If you are installing conntrackd(8) for the first time, please
              read the user manual and I encourage you to consider using the
              fail-over scripts instead of enabling this option!

              By default, this clause is set off.

       StartupResync <on|off>
              Order conntrackd to request a complete conntrack table resync
              against the other node at startup. A single request will be
              made.

              This is useful to get in sync with another node which has been
              running while we were down.

              Example: StartupResync on

              By default, this clause is set off.

   Mode ALARM
       This mode is spamming: it is based on an alarm-based protocol that
       periodically re-sends the flow state to the backup firewall replicas.
       This protocol consumes a lot of bandwidth but it resolves
       synchronization problems fast.

       In this synchronization mode you may configure RefreshTime,
       CacheTimeout, CommitTimeout and PurgeTimeout.

       RefreshTime <seconds>
              If a conntrack entry is not modified in <= N seconds, then a
              message is broadcast. For example, this mechanism may be used
              to resynchronize nodes that just joined the multicast group.

              Example: RefreshTime 15

       CacheTimeout <seconds>
              If we don't receive a notification about the state of an entry
              in the external cache after N seconds, then remove it.

              Example: CacheTimeout 180

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

   Mode NOTRACK
       This is the simplest mode, as it is based on a best-effort
       replication protocol, i.e. an unreliable protocol. This protocol
       sends and receives the state information without performing any
       specific checking.

       In this synchronization mode you may configure DisableInternalCache,
       DisableExternalCache, CommitTimeout, PurgeTimeout and StartupResync.

       DisableInternalCache <on|off>
              This clause allows you to disable the internal cache. Thus,
              the synchronization messages are directly sent through the
              dedicated link.

              This option is set off by default.

       DisableExternalCache <on|off>
              Same as in FTFW mode.

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

       StartupResync <on|off>
              Same as in FTFW mode.

   MULTICAST
       This section tells conntrackd(8) to use multicast as the transport
       mechanism between nodes of the firewall cluster.

       Please note you can specify more than one dedicated link. Thus, if
       one dedicated link fails, the daemon can fail-over to another. Note
       that adding more than one dedicated link does not mean that
       state-updates will be sent to all of them. There is only one active
       dedicated link at a given moment.

       The Default keyword indicates that this interface will be selected
       as the initial dedicated link. You can have up to 4 redundant
       dedicated links.

       Note: use different multicast groups for every redundant link.

       Example:
              Multicast Default {
                  IPv4_address 225.0.0.51
                  Group 3781
                  IPv4_interface 192.168.100.101
                  Interface eth3
                  SndSocketBuffer 1249280
                  RcvSocketBuffer 1249280
                  Checksum on
              }
              Multicast {
                  IPv4_address 225.0.0.51
                  Group 3782
                  IPv4_interface 192.168.100.102
                  Interface eth4
                  SndSocketBuffer 1249280
                  RcvSocketBuffer 1249280
                  Checksum on
              }

       IPv4_address <address>
              Multicast address: the address that you use as destination in
              the synchronization messages. You do not have to add this IP
              to any of your existing interfaces.

              Example: IPv4_address 225.0.0.50

       Group <number>
              The multicast group that identifies the cluster.

              Example: Group 3780

              If in any doubt, do not modify this value.

       IPv4_interface <address>
              IP address of the interface that you are going to use to send
              the synchronization messages. Remember that you must use a
              dedicated link for the synchronization messages.

              Example: IPv4_interface 192.168.100.100

       Interface <name>
              The name of the interface that you are going to use to send
              the synchronization messages.

              Example: Interface eth2

       SndSocketBuffer <number>
              The sender side of this transport protocol uses a buffer to
              enqueue the packets that are going to be transmitted. The
              default size of this socket buffer is available at
              /proc/sys/net/core/wmem_default.

              This value determines the chances of an overrun in the sender
              queue. An overrun results in packet loss, thus losing state
              information that would have to be retransmitted. If you notice
              some packet loss, you may want to increase the size of the
              buffer. The system default size is usually around 100 KBytes,
              which is fairly small for busy firewalls.

              Note: the NOTRACK protocol is best effort, so it is really
              recommended to increase the buffer size.

              Example: SndSocketBuffer 1249280

       RcvSocketBuffer <number>
              The receiver side of this transport protocol uses a buffer to
              enqueue the packets that the socket has pending to handle. The
              default size of this socket buffer is available at
              /proc/sys/net/core/rmem_default.

              This value determines the chances of an overrun in the
              receiver queue. An overrun results in packet loss, thus losing
              state information that would have to be retransmitted. If you
              notice some packet loss, you may want to increase the size of
              the buffer. The system default size is usually around 100
              KBytes, which is fairly small for busy firewalls.

              Note: the NOTRACK protocol is best effort, so it is really
              recommended to increase the buffer size.

              Example: RcvSocketBuffer 1249280

       Checksum <on|off>
              Enable/disable message checksumming. This is a good property
              to achieve fault-tolerance. In case of doubt, use it.

   UDP
       This section tells conntrackd(8) to use UDP as the transport
       mechanism between nodes of the firewall cluster.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
              UDP {
                  IPv4_address 172.16.0.1
                  IPv4_Destination_Address 172.16.0.2
                  Port 3781
                  Interface eth3
                  SndSocketBuffer 1249280
                  RcvSocketBuffer 1249280
                  Checksum on
              }

       IPv4_address <address>
              UDP IPv4 address that this firewall uses to listen to events.

              Example: IPv4_address 192.168.2.100

       IPv6_address <address>
              UDP IPv6 address that this firewall uses to listen to events.

              Example: IPv6_address fe80::215:58ff:fe28:5a27

       IPv4_Destination_Address <address>
              Destination IPv4 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv4_Destination_Address 192.168.2.101

       IPv6_Destination_Address <address>
              Destination IPv6 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

       Port <number>
              UDP port used.

              Example: Port 3780

       Interface <name>
              Same as in the Multicast transport protocol configuration.

       SndSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       RcvSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       Checksum <on|off>
              Same as in the Multicast transport protocol configuration.

   TCP
       You can also use unicast TCP to propagate events.

       If you combine this transport with the NOTRACK mode, it becomes
       reliable.

       The TCP transport protocol can be configured in exactly the same way
       as the UDP transport protocol.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
              TCP {
                  IPv6_address fe80::215:58ff:fe28:5a27
                  IPv6_Destination_Address fe80::215:58ff:fe28:5a27
                  Port 3781
                  Interface eth2
                  SndSocketBuffer 1249280
                  RcvSocketBuffer 1249280
                  Checksum on
              }

   OPTIONS
       Other unsorted options that are related to the synchronization
       protocol or transport mechanism.

       TCPWindowTracking <on|off>
              TCP state-entries have window tracking disabled by default;
              you can enable it with this option. As said, the default is
              off. This feature requires a Linux kernel >= 2.6.36.

       ExpectationSync <on|{ list }>
              Set this option on if you want to enable the synchronization
              of expectations. You have to specify the list of helpers that
              you want to enable.

              This feature requires a Linux kernel >= 3.5.

              Example, sync all expectations:
                  ExpectationSync on

              Example, sync given expectations:
                  ExpectationSync {
                      ftp
                      ras
                      q.931
                      h.245
                      sip
                  }

              By default, this option is disabled.

GENERAL
       This top-level section contains generic configuration directives for
       the conntrackd(8) daemon.

       Systemd <on|off>
              Enable systemd(1) runtime support if conntrackd(8) is compiled
              with the proper configuration. Then you can use a service unit
              of Type=notify.

              Obviously, this requires the init of your system to be
              systemd(1).

              Note: the systemd(1) watchdog is supported as well.

              Example: Systemd on

              By default, runtime support is enabled if conntrackd was built
              with the systemd feature. Otherwise it is off.

       Nice <value>
              Deprecated. Conntrackd ignores this option and it will be
              removed in the future. Please note that you can run nice(1)
              and renice(1) externally. Also note that conntrackd(8) now
              uses an RT scheduler by default.

       HashSize <value>
              Number of buckets in the cache hashtable. The bigger it is,
              the closer it gets to O(1) at the cost of consuming more
              memory. Read some documents about tuning hashtables for
              further reference.

              Example: HashSize 32768

       HashLimit <value>
              Maximum number of conntracks. It should be double
              /proc/sys/net/netfilter/nf_conntrack_max since the daemon may
              keep some dead entries cached for possible retransmission
              during state synchronization.

              Example: HashLimit 131072

       LogFile <on|off|filename>
              Enable conntrackd(8) to log to a file.

              Example: LogFile on

              Default is off. The default logfile is
              /var/log/conntrackd.log.

       Syslog <on|off|facility>
              Enable connection logging via Syslog. If you set the facility,
              use the same as in the Stats section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is off.

       LockFile <filename>
              Lockfile to be used by conntrackd(8) (absolute path).

              Example: LockFile /var/lock/conntrack.lock

              Default is /var/lock/conntrack.lock.

       NetlinkBufferSize <value>
              Netlink event socket buffer size. If you do not specify this
              clause, the default buffer size value in
              /proc/sys/net/core/rmem_default is used. This default value is
              usually around 100 Kbytes, which is fairly small for busy
              firewalls. This leads to event message dropping and high CPU
              consumption.

              Example: NetlinkBufferSize 2097152

       NetlinkBufferSizeMaxGrowth <value>
              The daemon doubles the size of the netlink event socket buffer
              if it detects netlink event message dropping. This clause sets
              the maximum buffer size growth that can be reached.

              Example: NetlinkBufferSizeMaxGrowth 8388608

       NetlinkOverrunResync <on|off|value>
              If the daemon detects that Netlink is dropping state-change
              events, it automatically schedules a resynchronization against
              the kernel after 30 seconds (default value).
              Resynchronizations are expensive in terms of CPU consumption
              since the daemon has to get the full kernel state-table and
              purge state-entries that do not exist anymore.

              Note: be careful about setting a very small value here.

              Example: NetlinkOverrunResync on

              The default value is 30 seconds. If not specified, the daemon
              assumes that this option is enabled and uses the default
              value.

       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this
              option on. If you set this clause on, it is a good idea to set
              NetlinkOverrunResync off.

              You need Linux kernel >= 2.6.31 for this option to work.

              Example: NetlinkEventsReliable on

              This option is off by default.

       PollSecs <seconds>
              By default, the daemon receives state updates following an
              event-driven model. You can modify this behaviour by switching
              to polling mode with this clause.

              This clause tells conntrackd(8) to dump the states in the
              kernel every N seconds. With regards to synchronization mode,
              the polling mode can only guarantee that long-lifetime states
              are recovered. The main advantage of this method is the
              reduction in the state replication at the cost of reducing
              the chances of recovering connections.

              Example: PollSecs 15

       EventIterationLimit <value>
              The daemon prioritizes the handling of state-change events
              coming from the core. With this clause, you can set the
              maximum number of state-change events (those coming from
              kernel-space) that the daemon will handle, after which it
              will handle other events coming from the network or userspace.

              A low value improves interactivity (in terms of real-time
              behaviour) at the cost of extra CPU consumption.

              Example: EventIterationLimit 100

              Default (if not set) is 100.

   UNIX
       Unix socket configuration. This socket is used by conntrackd(8) to
       listen to external commands like `conntrackd -k' or `conntrackd -n'.

       Example:
              UNIX {
                  Path /var/run/conntrackd.ctl
              }

       Path <filename>
              Absolute path to the Unix socket.

              Example: Path /var/run/conntrackd.ctl

       Backlog <value>
              Deprecated option.

   FILTER
       Event filtering. This clause allows you to filter certain traffic.

       There are currently three filter-sets: Protocol, Address and State.
       The filter is attached to an action that can be: Accept or Ignore.
       Thus, you can define the event filtering policy of the filter-sets in
       positive or negative logic depending on your needs.

       You can select whether conntrackd(8) filters the event messages from
       user-space or kernel-space. The kernel-space event filtering saves
       some CPU cycles by avoiding the copy of the event message from
       kernel-space to user-space. The kernel-space event filtering is
       preferred; however, you require a Linux kernel >= 2.6.29 to filter
       from kernel-space.

       The syntax for this section is: Filter From <from> { }.

       If you want to select kernel-space event filtering, use the keyword
       Kernelspace instead of Userspace.

       Example:
              Filter From Userspace {
                  Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                  }
                  Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                  }
                  State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                  }
              }

       Protocol <policy> { <protocols list> }
              Accept only certain protocols: you may want to replicate the
              state of flows depending on their layer 4 protocol.

              Policy is one of Accept or Ignore.

              Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

              The ICMP and IPv6-ICMP protocols require a Linux kernel >=
              2.6.31.

              Example:
                  Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                  }

       Address <policy> { <addresses list> }
              Ignore traffic for a certain set of IPs: usually all the IPs
              assigned to the firewall, since local traffic must be ignored
              and only forwarded connections are worth replicating.

              Note that these values depend on the local IPs that are
              assigned to the firewall.

              You may specify several IPv4_address and/or IPv6_address
              directives. You can also specify networks in CIDR format.

              Policy is one of Accept or Ignore.

              Example:
                  Address Ignore {
                      IPv4_address 127.0.0.1 # loopback
                      IPv4_address 192.168.0.100 # virtual IP 1
                      IPv4_address 192.168.1.100 # virtual IP 2
                      IPv4_address 192.168.100.100 # dedicated link ip
                      IPv4_address 192.168.0.0/24
                      IPv6_address ::1
                  }

       State <policy> { <states list> }
              Filter by flow state. This option introduces a trade-off in
              the replication: it reduces CPU consumption at the cost of
              having lazy backup firewall replicas.

              Note: only affects TCP flows.

              The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

              Policy is one of Accept or Ignore.

              Example:
                  State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                  }

   SCHEDULER
       Select a different scheduler for the daemon. You can select between
       RR and FIFO, and the process priority.

       Using a RT scheduler reduces the chances of overrunning the Netlink
       buffer, and conntrackd(8) uses RR by default unless FIFO is
       selected. See sched_setscheduler(2) for more information.

       Example:
              Scheduler {
                  Type FIFO
                  Priority 99
              }

       Type <type>
              Supported values are RR or FIFO.

              Default: RR

       Priority <value>
              Value of the scheduler priority. Minimum is 0, maximum is 99.

              Default: 99 (as returned by sched_get_priority_max(2) for
              SCHED_RR)

STATS
       This top-level section tells conntrackd(8) to work as a statistics
       collector for the nf_conntrack Linux kernel subsystem.

       LogFile <on|off|filename>
              If you enable this option, the daemon writes the information
              about destroyed connections to a logfile.

              Default is off. Default filename is
              /var/log/conntrackd-stats.log.

       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this
              option on. If you set this clause on, it is a good idea to set
              NetlinkOverrunResync off. This requires Linux kernel >=
              2.6.31.

              Default is off.

       Syslog <on|off|facility>
              Enable connection logging via Syslog. If you set the facility,
              use the same as in the General section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is off.

HELPER
       Note: this configuration is very advanced and has nothing to do with
       synchronization or stats collection.

       This top-level section tells conntrackd(8) to inject user-space
       helpers into the nf_conntrack Linux kernel subsystem. It will result
       in the nf_conntrack engine sending connections to userspace for
       further processing.

       Before this, you have to make sure you have registered the given
       user-space helper stub.

       Example:
              % nfct add helper ftp inet tcp

       Each user-space helper should be registered using a Type section,
       which is named this way:
              Type <name> <af> <transport>

       Examples:

              Helper {
                  Type ftp inet tcp {
                      QueueNum 0
                      QueueLen 10240
                      Policy ftp {
                          ExpectMax 1
                          ExpectTimeout 300
                      }
                  }
                  Type rpc inet tcp {
                      QueueNum 1
                      QueueLen 10240
                      Policy rpc {
                          ExpectMax 1
                          ExpectTimeout 300
                      }
                  }
                  Type rpc inet udp {
                      QueueNum 2
                      QueueLen 10240
                      Policy rpc {
                          ExpectMax 1
                          ExpectTimeout 300
                      }
                  }
                  Type tns inet tcp {
                      QueueNum 3
                      QueueLen 10240
                      Policy tns {
                          ExpectMax 1
                          ExpectTimeout 300
                      }
                  }
                  Type dhcpv6 inet6 udp {
                      QueueNum 4
                      QueueLen 10240
                      Policy dhcpv6 {
                          ExpectMax 1
                          ExpectTimeout 300
                      }
                  }
                  Type ssdp inet udp {
                      QueueNum 5
                      QueueLen 10240
                      Policy ssdp {
                          ExpectMax 1
                          ExpectTimeout 300
                      }
                  }
              }

       Parameters inside the Type section:

       QueueNum <number>
              Set the NFQUEUE number you want to use to receive traffic from
              the kernel.

              Example: QueueNum 0

       QueueLen <number>
              Maximum number of packets waiting in the queue to receive a
              verdict from user-space.

              Raise the value if you hit the following error message:
              "nf_queue: full at X entries, dropping packet(s)"

              Default is 1024.

              Example: QueueLen 10240

       Policy <name> { }
              Set the expectation policy for the given helper.

              This sub-section contains 2 directives: ExpectMax <number>
              (maximum number of simultaneous expectations) and
              ExpectTimeout <seconds> (maximum living time for one
              expectation).

EXAMPLES
       Find below some real-life working examples.

   STATS EXAMPLE
       This configuration example tells conntrackd(8) to work as a stats
       collector.

              Stats {
                  LogFile on
                  NetlinkEventsReliable Off
                  Syslog off
              }
              General {
                  Systemd on
                  HashSize 8192
                  HashLimit 65535
                  Syslog on
                  LockFile /var/lock/conntrack.lock
                  UNIX {
                      Path /var/run/conntrackd.ctl
                  }
                  NetlinkBufferSize 262142
                  NetlinkBufferSizeMaxGrowth 655355
                  Filter {
                      Protocol Accept {
                          TCP
                          UDP
                      }
                      Address Ignore {
                          IPv4_address 127.0.0.1
                          IPv6_address ::1
                      }
                  }
              }

   SYNC EXAMPLE 1
       This example configures synchronization in FTFW mode with Multicast
       transport.

       It includes common general configuration as well.

       Note: this is one of the recommended setups for conntrackd(8) in a
       firewall cluster environment.

              Sync {
                  Mode FTFW {
                      ResendQueueSize 131072
                      PurgeTimeout 60
                      ACKWindowSize 300
                      DisableExternalCache Off
                  }
                  Multicast {
                      IPv4_address 225.0.0.50
                      Group 3780
                      IPv4_interface 192.168.100.100
                      Interface eth2
                      SndSocketBuffer 1249280
                      RcvSocketBuffer 1249280
                      Checksum on
                  }
                  Multicast Default {
                      IPv4_address 225.0.0.51
                      Group 3781
                      IPv4_interface 192.168.100.101
                      Interface eth3
                      SndSocketBuffer 1249280
                      RcvSocketBuffer 1249280
                      Checksum on
                  }
                  Options {
                      TCPWindowTracking Off
                      ExpectationSync On
                  }
              }
              General {
                  Systemd on
                  HashSize 32768
                  HashLimit 131072
                  LogFile on
                  Syslog off
                  LockFile /var/lock/conntrack.lock
                  UNIX {
                      Path /var/run/conntrackd.ctl
                  }
                  NetlinkBufferSize 2097152
                  NetlinkBufferSizeMaxGrowth 8388608
                  NetlinkOverrunResync On
                  NetlinkEventsReliable Off
                  EventIterationLimit 100
                  Filter From Userspace {
                      Protocol Accept {
                          TCP
                          SCTP
                          DCCP
                      }
                      Address Ignore {
                          IPv4_address 127.0.0.1
                          IPv4_address 192.168.100.0/24
                          IPv6_address ::1
                      }
                  }
              }
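       As an added example that is not part of this manual page or of the
       conntrackd project, the following Python parses this file format
       (brace-delimited sections, key-value pairs, '#' comments,
       case-sensitive names) and lints a configuration against the rules the
       DESCRIPTION, SYNC, MULTICAST and GENERAL sections state: exactly one
       Mode and one transport, at most 4 redundant links each with a
       different multicast Group, and HashLimit at twice nf_conntrack_max.
       The names parse, lint, sections and value and the nf_conntrack_max
       argument are the example's own assumptions; the sample configuration
       is a trimmed copy of SYNC EXAMPLE 1.

```python
# Added example (not conntrackd's own code): a parser for the conntrackd.conf
# format described in DESCRIPTION plus checks for constraints this page states
# in SYNC, MULTICAST and GENERAL. All names here (parse, lint, ...) are ours.
MODES = {'FTFW', 'ALARM', 'NOTRACK'}
TRANSPORTS = ('Multicast', 'UDP', 'TCP')


def parse(text):
    """Parse into a tree of ('key', name, value) and ('section', name, children)
    tuples. Children stay an ordered list since sections may repeat (several
    Multicast links); names are case-sensitive, as the manual requires."""
    stack = [[]]                                 # stack[0] is the root list
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop '#' comments and blanks
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError(f'line {lineno}: unmatched "}}"')
            stack.pop()
        elif line.endswith('{'):
            # Section opener: words then '{', e.g. "Sync {", "Multicast Default {"
            children = []
            stack[-1].append(('section', line[:-1].strip(), children))
            stack.append(children)
        else:
            parts = line.split(None, 1)          # "Key value" or a bare token
            stack[-1].append(('key', parts[0], parts[1] if len(parts) > 1 else None))
    if len(stack) != 1:
        raise ValueError('unterminated section at end of file')
    return stack[0]


def sections(node, word):
    """Child sections whose first word is `word` (e.g. 'Multicast')."""
    return [(n, c) for k, n, c in node if k == 'section' and n.split()[0] == word]


def value(node, key):
    """Value of the first `key` directly inside node, or None if absent."""
    return next((v for k, n, v in node if k == 'key' and n == key), None)


def lint(text, nf_conntrack_max=None):
    """Return findings (empty list = all checks passed). nf_conntrack_max is the
    content of /proc/sys/net/netfilter/nf_conntrack_max, passed in explicitly."""
    findings, tree = [], parse(text)
    for _, sync in sections(tree, 'Sync'):
        # SYNC: choose exactly one synchronization mode and one transport.
        modes = [n.split()[-1] for n, _ in sections(sync, 'Mode')]
        if len(modes) != 1 or modes[0] not in MODES:
            findings.append(f'Sync: need exactly one Mode of {sorted(MODES)}')
        links = [link for t in TRANSPORTS for link in sections(sync, t)]
        kinds = {n.split()[0] for n, _ in links}
        if len(kinds) != 1:
            findings.append(f'Sync: need exactly one transport, got {sorted(kinds)}')
        # MULTICAST: up to 4 redundant links, each with a different Group.
        if len(links) > 4:
            findings.append(f'Sync: {len(links)} dedicated links, the maximum is 4')
        groups = [value(c, 'Group') for n, c in links if n.startswith('Multicast')]
        if len(groups) != len(set(groups)):
            findings.append('Multicast: every redundant link must use a different Group')
    for _, general in sections(tree, 'General'):
        # GENERAL: HashLimit should be double nf_conntrack_max.
        limit = value(general, 'HashLimit')
        if None not in (limit, nf_conntrack_max) and int(limit) < 2 * nf_conntrack_max:
            findings.append(f'General: HashLimit {limit} < 2 * nf_conntrack_max')
    return findings


# Constructed sample, trimmed from SYNC EXAMPLE 1 of this page.
GOOD = """Sync {
    Mode FTFW {
        ResendQueueSize 131072
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
    }
    Multicast Default {
        IPv4_address 225.0.0.51
        Group 3781
    }
}
General {
    HashLimit 131072   # twice a 65536-entry kernel table
}
"""
# Same config with the second link reusing Group 3780 (the MULTICAST note's warning).
BAD = GOOD.replace('Group 3781', 'Group 3780')
```

       Running lint(GOOD, nf_conntrack_max=65536) returns no findings, while
       lint(BAD) reports the duplicated multicast Group.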

   SYNC EXAMPLE 2
       This example configures synchronization in NOTRACK mode with TCP
       transport.

       It includes common general configuration as well.

              Sync {
                  Mode NOTRACK {
                      DisableInternalCache on
                      DisableExternalCache on
                  }
                  TCP {
                      IPv4_address 192.168.2.100
                      IPv4_Destination_Address 192.168.2.101
                      Port 3780
                      Interface eth2
                      SndSocketBuffer 1249280
                      RcvSocketBuffer 1249280
                      Checksum on
                  }
                  Options {
                      TCPWindowTracking Off
                      ExpectationSync On
                  }
              }
              General {
                  Systemd on
                  HashSize 32768
                  HashLimit 131072
                  LogFile on
                  Syslog off
                  LockFile /var/lock/conntrack.lock
                  UNIX {
                      Path /var/run/conntrackd.ctl
                  }
                  NetlinkBufferSize 2097152
                  NetlinkBufferSizeMaxGrowth 8388608
                  NetlinkOverrunResync On
                  NetlinkEventsReliable Off
                  EventIterationLimit 100
                  Filter From Userspace {
                      Protocol Accept {
                          TCP
                          SCTP
                          DCCP
                      }
                      Address Ignore {
                          IPv4_address 127.0.0.1
                          IPv4_address 192.168.0.0/16
                          IPv6_address ::1
                      }
                      State Accept {
                          ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                      }
                  }
              }

SEE ALSO
       conntrackd(8), conntrack(8), nfct(8),
       http://conntrack-tools.netfilter.org/manual.html

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       This manual page was written by Arturo Borrero Gonzalez
       <arturo@debian.org> based on the conntrackd tarball config examples.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       This documentation is free/libre under the terms of the GPLv2+.

                                 Apr 16, 2018                CONNTRACKD.CONF(5)