CONNTRACKD.CONF(5)              File Formats Manual              CONNTRACKD.CONF(5)

NAME
       conntrackd.conf - configuration file for conntrackd daemon

DESCRIPTION
       conntrackd.conf is the main configuration file for the conntrackd(8) daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

       The format of this file is simple, using brackets for sections and key-value pairs for concrete configuration directives:

           section1 {
               option1 value1
               option2 value2
           }
           section2 {
               option3 value3
               subsection1 {
                   option4 value4
               }
           }

       You should consider this file as case-sensitive. Empty lines and lines starting with the '#' character are ignored.

       Before starting to develop a new configuration, you may want to learn the concepts behind this technology at http://conntrack-tools.netfilter.org/manual.html.

       There are complete configuration examples at the end of this man page.

SYNC
       This top-level section defines how conntrackd(8) should handle synchronization with other cluster nodes.

       There are 3 main synchronization modes or protocols: NOTRACK, ALARM and FTFW.

       There are 3 transport protocols as well: TCP, Multicast and UDP.

       You have to choose one synchronization mode and one transport protocol.

       Also, there are some general options in this section.

   Mode FTFW
       This mode is based on a reliable protocol that performs message tracking. Thus, the protocol can recover from message loss, re-ordering and corruption.

       In this synchronization mode you may configure ResendQueueSize, CommitTimeout, PurgeTimeout, ACKWindowSize and DisableExternalCache.

       ResendQueueSize <value>
              Size of the resend queue (in objects). This is the maximum number of objects that can be stored waiting to be confirmed via acknowledgment. If you keep this value low, the daemon will have fewer chances to recover state-changes under message omission. On the other hand, if you keep this value high, the daemon will consume more memory to store dead objects.

              Example: ResendQueueSize 131072

              Default is 131072 objects.

       CommitTimeout <seconds>
              This parameter allows you to set an initial fixed timeout for the committed entries when this node goes from backup to primary. This mechanism provides a way to purge entries that were not recovered appropriately after the specified fixed timeout. If you set a low value, TCP entries in Established state with no traffic may hang, for example an SSH connection without KeepAlive enabled.

              Example: CommitTimeout 180

              By default, this option is not set (the daemon uses an approximate timeout value calculation mechanism).

       PurgeTimeout <seconds>
              If the firewall replica goes from primary to backup, the `conntrackd -t' command is invoked in the script. This command schedules a flush of the table in N seconds.

              This is useful to purge the connection tracking table of zombie entries and avoid clashes with old entries if you trigger several consecutive hand-overs.

              Default is 60 seconds.

       ACKWindowSize <value>
              Set the acknowledgement window size. If you decrease this value, the number of acknowledgments increases. More acknowledgments means more overhead as conntrackd(8) has to handle more control messages. On the other hand, if you increase this value, the resend queue gets more populated. This results in more overhead in the queue releasing.

              Example: ACKWindowSize 300

              If not set, the default window size is 300 (this value is based on some practical experiments measuring the cycles spent by the acknowledgment handling with oprofile).

       DisableExternalCache <on|off>
              This clause allows you to disable the external cache. Thus, the state entries are directly injected into the kernel conntrack table. As a result, you save memory in user-space but you consume slots in the kernel conntrack table for backup state entries. Moreover, disabling the external cache means more CPU consumption. You need a Linux kernel >= 2.6.29 to use this feature.

              If you are installing conntrackd(8) for the first time, please read the user manual and I encourage you to consider using the fail-over scripts instead of enabling this option!

              By default, this clause is set off.

   Mode ALARM
       This mode is spamming: it is based on an alarm-based protocol that periodically re-sends the flow state to the backup firewall replicas. This protocol consumes a lot of bandwidth but it resolves synchronization problems fast.

       In this synchronization mode you may configure RefreshTime, CacheTimeout, CommitTimeout and PurgeTimeout.

       RefreshTime <seconds>
              If a conntrack entry is not modified in <= N seconds, then a message is broadcast. For example, this mechanism may be used to resynchronize nodes that just joined the multicast group.

              Example: RefreshTime 15

       CacheTimeout <seconds>
              If we don't receive a notification about the state of an entry in the external cache after N seconds, then remove it.

              Example: CacheTimeout 180

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

   Mode NOTRACK
       This is the simplest mode as it is based on a best-effort replication protocol, i.e. an unreliable protocol. This protocol sends and receives the state information without performing any specific checking.

       In this synchronization mode you may configure DisableInternalCache, DisableExternalCache, CommitTimeout and PurgeTimeout.

       DisableInternalCache <on|off>
              This clause allows you to disable the internal cache. Thus, the synchronization messages are directly sent through the dedicated link.

              This option is set off by default.

       DisableExternalCache <on|off>
              Same as in FTFW mode.

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

   MULTICAST
       This section tells conntrackd(8) to use multicast as the transport mechanism between nodes of the firewall cluster.

       Please note you can specify more than one dedicated link. Thus, if one dedicated link fails, the daemon can fail-over to another. Note that adding more than one dedicated link does not mean that state-updates will be sent to all of them. There is only one active dedicated link at a given moment.

       The Default keyword indicates that this interface will be selected as the initial dedicated link. You can have up to 4 redundant dedicated links.

       Note: use different multicast groups for every redundant link.

       Example:
           Multicast Default {
               IPv4_address 225.0.0.51
               Group 3781
               IPv4_interface 192.168.100.101
               Interface eth3
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }
           Multicast {
               IPv4_address 225.0.0.51
               Group 3782
               IPv4_interface 192.168.100.102
               Interface eth4
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }

       IPv4_address <address>
              Multicast address: the address that you use as destination in the synchronization messages. You do not have to add this IP to any of your existing interfaces.

              Example: IPv4_address 225.0.0.50

       Group <number>
              The multicast group that identifies the cluster.

              Example: Group 3780

              If in any doubt, do not modify this value.

       IPv4_interface <address>
              IP address of the interface that you are going to use to send the synchronization messages. Remember that you must use a dedicated link for the synchronization messages.

              Example: IPv4_interface 192.168.100.100

       Interface <name>
              The name of the interface that you are going to use to send the synchronization messages.

              Example: Interface eth2

       SndSocketBuffer <number>
              This transport protocol sender uses a buffer to enqueue the packets that are going to be transmitted. The default size of this socket buffer is available at /proc/sys/net/core/wmem_default.

              This value determines the chances to have an overrun in the sender queue. The overrun results in packet loss, thus losing state information that would have to be retransmitted. If you notice some packet loss, you may want to increase the size of the buffer. The system default size is usually around 100 KBytes, which is fairly small for busy firewalls.

              Note: the NOTRACK protocol is best effort, so it is really recommended to increase the buffer size.

              Example: SndSocketBuffer 1249280

       RcvSocketBuffer <number>
              This transport protocol receiver uses a buffer to enqueue the packets that the socket is pending to handle. The default size of this socket buffer is available at /proc/sys/net/core/rmem_default.

              This value determines the chances to have an overrun in the receiver queue. The overrun results in packet loss, thus losing state information that would have to be retransmitted. If you notice some packet loss, you may want to increase the size of the buffer. The system default size is usually around 100 KBytes, which is fairly small for busy firewalls.

              Note: the NOTRACK protocol is best effort, so it is really recommended to increase the buffer size.

              Example: RcvSocketBuffer 1249280

       Checksum <on|off>
              Enable/disable message checksumming. This is a good property to achieve fault-tolerance. In case of doubt, use it.

   UDP
       This section tells conntrackd(8) to use UDP as the transport mechanism between nodes of the firewall cluster.

       As in the Multicast configuration, you may specify several fail-over dedicated links using the Default keyword.

       Example:
           UDP {
               IPv4_address 172.16.0.1
               IPv4_Destination_Address 172.16.0.2
               Port 3781
               Interface eth3
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }

       IPv4_address <address>
              UDP IPv4 address that this firewall uses to listen to events.

              Example: IPv4_address 192.168.2.100

       IPv6_address <address>
              UDP IPv6 address that this firewall uses to listen to events.

              Example: IPv6_address fe80::215:58ff:fe28:5a27

       IPv4_Destination_Address <address>
              Destination IPv4 UDP address that receives events, i.e. the other firewall's dedicated link address.

              Example: IPv4_Destination_Address 192.168.2.101

       IPv6_Destination_Address <address>
              Destination IPv6 UDP address that receives events, i.e. the other firewall's dedicated link address.

              Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

       Port <number>
              UDP port used.

              Example: Port 3780

       Interface <name>
              Same as in the Multicast transport protocol configuration.

       SndSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       RcvSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       Checksum <on|off>
              Same as in the Multicast transport protocol configuration.

   TCP
       You can also use unicast TCP to propagate events.

       If you combine this transport with the NOTRACK mode, it becomes reliable.

       The TCP transport protocol can be configured in exactly the same way as the UDP transport protocol.

       As in the Multicast configuration, you may specify several fail-over dedicated links using the Default keyword.

       Example:
           TCP {
               IPv6_address fe80::215:58ff:fe28:5a27
               IPv6_Destination_Address fe80::215:58ff:fe28:5a27
               Port 3781
               Interface eth2
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }

   OPTIONS
       Other unsorted options that are related to the synchronization protocol or transport mechanism.

       TCPWindowTracking <on|off>
              TCP state-entries have window tracking disabled by default; you can enable it with this option. As said, the default is off. This feature requires a Linux kernel >= 2.6.36.

       ExpectationSync <on|{ list }>
              Set this option on to enable the synchronization of all expectations, or specify the list of helpers whose expectations you want to synchronize.

              This feature requires a Linux kernel >= 3.5.

              Example, sync all expectations:
                  ExpectationSync on

              Example, sync given expectations:
                  ExpectationSync {
                      ftp
                      ras
                      q.931
                      h.245
                      sip
                  }

              By default, this option is disabled.

GENERAL
       This top-level section contains generic configuration directives for the conntrackd(8) daemon.

       Systemd <on|off>
              Enable systemd(1) runtime support if conntrackd(8) is compiled with the proper configuration. Then you can use a service unit of Type=notify.

              Obviously, this requires the init system of your system to be systemd(1).

              Note: the systemd(1) watchdog is supported as well.

              Example: Systemd on

              By default runtime support is disabled.

       Nice <value>
              Set the nice(1) value of the daemon; this value goes from -20 (most favorable scheduling) to 19 (least favorable). Using a very low value reduces the chances to lose state-change events.

              Example: Nice -20

              Default is 0, but this example sets it to the most favorable scheduling as this is generally a good idea.

       HashSize <value>
              Number of buckets in the cache hashtable. The bigger it is, the closer it gets to O(1) at the cost of consuming more memory. Read some documents about tuning hashtables for further reference.

              Example: HashSize 32768

       HashLimit <value>
              Maximum number of conntracks; it should be double /proc/sys/net/netfilter/nf_conntrack_max since the daemon may keep some dead entries cached for possible retransmission during state synchronization.

              Example: HashLimit 131072

       LogFile <on|off|filename>
              Enable conntrackd(8) to log to a file.

              Example: LogFile on

              Default is off. The default logfile is /var/log/conntrackd.log.

       Syslog <on|off|facility>
              Enable connection logging via syslog. If you set the facility, use the same as in the Stats section, otherwise you'll get a warning message.

              Example: Syslog local0

              Default is off.

       LockFile <filename>
              Lockfile to be used by conntrackd(8) (absolute path).

              Example: LockFile /var/lock/conntrack.lock

              Default is /var/lock/conntrack.lock.

       NetlinkBufferSize <value>
              Netlink event socket buffer size. If you do not specify this clause, the default buffer size value in /proc/sys/net/core/rmem_default is used. This default value is usually around 100 KBytes, which is fairly small for busy firewalls. This leads to event message dropping and high CPU consumption.

              Example: NetlinkBufferSize 2097152

       NetlinkBufferSizeMaxGrowth <value>
              The daemon doubles the size of the netlink event socket buffer if it detects netlink event message dropping. This clause sets the maximum buffer size that this growth can reach.

              Example: NetlinkBufferSizeMaxGrowth 8388608

       NetlinkOverrunResync <on|off|value>
              If the daemon detects that Netlink is dropping state-change events, it automatically schedules a resynchronization against the kernel after 30 seconds (default value). Resynchronizations are expensive in terms of CPU consumption since the daemon has to get the full kernel state-table and purge state-entries that do not exist anymore.

              Note: be careful of setting a very small value here.

              Example: NetlinkOverrunResync on

              The default value is 30 seconds. If not specified, the daemon assumes that this option is enabled and uses the default value.

       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this option on. If you set this clause on, it is a good idea to set NetlinkOverrunResync off.

              You need Linux kernel >= 2.6.31 for this option to work.

              Example: NetlinkEventsReliable on

              This option is off by default.

       PollSecs <seconds>
              By default, the daemon receives state updates following an event-driven model. You can modify this behaviour by switching to polling mode with this clause.

              This clause tells conntrackd(8) to dump the states in the kernel every N seconds. With regards to synchronization mode, the polling mode can only guarantee that long-lifetime states are recovered. The main advantage of this method is the reduction in the state replication at the cost of reducing the chances of recovering connections.

              Example: PollSecs 15

       EventIterationLimit <value>
              The daemon prioritizes the handling of state-change events coming from the core. With this clause, you can set the maximum number of state-change events (those coming from kernel-space) that the daemon will handle before it handles other events coming from the network or user-space.

              A low value improves interactivity (in terms of real-time behaviour) at the cost of extra CPU consumption.

              Example: EventIterationLimit 100

              Default (if not set) is 100.

   UNIX
       Unix socket configuration. This socket is used by conntrackd(8) to listen to external commands like `conntrackd -k' or `conntrackd -n'.

       Example:
           UNIX {
               Path /var/run/conntrackd.ctl
               Backlog 20
           }

       Path <filename>
              Absolute path to the Unix socket.

              Example: Path /var/run/conntrackd.ctl

       Backlog <value>
              Number of items in the backlog.

              Example: Backlog 20

   FILTER
       Event filtering. This clause allows you to filter certain traffic.

       There are currently three filter-sets: Protocol, Address and State. The filter is attached to an action that can be Accept or Ignore. Thus, you can define the event filtering policy of the filter-sets in positive or negative logic depending on your needs.

       You can select whether conntrackd(8) filters the event messages from user-space or kernel-space. The kernel-space event filtering saves some CPU cycles by avoiding the copy of the event message from kernel-space to user-space. Kernel-space event filtering is preferred; however, you require a Linux kernel >= 2.6.29 to filter from kernel-space.

       The syntax for this section is: Filter From <from> { }.

       If you want to select kernel-space event filtering, use the keyword Kernelspace instead of Userspace.

       Example:
           Filter From Userspace {
               Protocol Accept {
                   TCP
                   SCTP
                   DCCP
               }
               Address Ignore {
                   IPv4_address 127.0.0.1
                   IPv6_address ::1
               }
               State Accept {
                   ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
               }
           }

       Protocol <policy> { <protocols list> }
              Accept only certain protocols: you may want to replicate the state of flows depending on their layer 4 protocol.

              Policy is one of Accept or Ignore.

              Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

              The ICMP and IPv6-ICMP protocols require a Linux kernel >= 2.6.31.

              Example:
                  Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                  }

       Address <policy> { <addresses list> }
              Ignore traffic for a certain set of IPs: usually all the IPs assigned to the firewall, since local traffic must be ignored; only forwarded connections are worth replicating.

              Note that these values depend on the local IPs that are assigned to the firewall.

              You may specify several IPv4_address and/or IPv6_address directives. You can also specify networks in CIDR format.

              Policy is one of Accept or Ignore.

              Example:
                  Address Ignore {
                      IPv4_address 127.0.0.1          # loopback
                      IPv4_address 192.168.0.100      # virtual IP 1
                      IPv4_address 192.168.1.100      # virtual IP 2
                      IPv4_address 192.168.100.100    # dedicated link ip
                      IPv4_address 192.168.0.0/24
                      IPv6_address ::1
                  }

       State <policy> { <states list> }
              Filter by flow state. This option introduces a trade-off in the replication: it reduces CPU consumption at the cost of having lazy backup firewall replicas.

              Note: only affects TCP flows.

              The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

              Policy is one of Accept or Ignore.

              Example:
                  State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                  }

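       The positive/negative logic of the three filter-sets, applied to a few constructed events, as an added illustration that is not conntrack-tools code: the Filter From Userspace block of SYNC EXAMPLE 2 (further down this page) is encoded as Python data. That the Address set matches either endpoint of a flow is an assumption of the example, not a statement of this manual; the Flow class and replicated() are the example's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A filter-set is (policy, members) with policy "Accept" or "Ignore".
FilterSet = Tuple[str, List[str]]


@dataclass(frozen=True)
class Flow:
    """The parts of a state-change event that the three filter-sets look at."""
    proto: str                    # TCP, UDP, SCTP, DCCP, ICMP or IPv6-ICMP
    src: str                      # original-direction source address
    dst: str                      # original-direction destination address
    state: Optional[str] = None   # TCP state, None for other protocols


def addr_listed(addr: str, entries: List[str]) -> bool:
    """True if addr is a listed host or lies inside a listed CIDR network."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def replicated(flow: Flow, filters: Dict[str, FilterSet]) -> bool:
    """Decide whether an event passes the Filter section.

    Accept keeps only members of the list; Ignore drops members. Assumption
    (not spelled out by the manual): the Address set matches either endpoint,
    since its purpose is to skip traffic to or from the firewall's own IPs.
    The State set only affects TCP flows, as the manual notes.
    """
    for name, (policy, members) in filters.items():
        if name == "Protocol":
            hit = flow.proto in members
        elif name == "Address":
            hit = addr_listed(flow.src, members) or addr_listed(flow.dst, members)
        elif name == "State":
            if flow.proto != "TCP":
                continue
            hit = flow.state in members
        else:
            raise ValueError(f"unknown filter-set {name}")
        if hit != (policy == "Accept"):   # Accept needs a hit, Ignore needs a miss
            return False
    return True


# The Filter From Userspace block of SYNC EXAMPLE 2, as Python data.
EXAMPLE_FILTER: Dict[str, FilterSet] = {
    "Protocol": ("Accept", ["TCP", "SCTP", "DCCP"]),
    "Address": ("Ignore", ["127.0.0.1", "192.168.0.0/16", "::1"]),
    "State": ("Accept", ["ESTABLISHED", "CLOSED", "TIME_WAIT", "CLOSE_WAIT"]),
}

# Constructed sample events; the comment gives the expected decision.
SAMPLE_FLOWS = [
    Flow("TCP", "10.1.1.5", "203.0.113.7", "ESTABLISHED"),    # forwarded: replicated
    Flow("TCP", "10.1.1.5", "203.0.113.7", "SYN_SENT"),       # state not accepted
    Flow("TCP", "192.168.3.9", "203.0.113.7", "ESTABLISHED"), # local /16: ignored
    Flow("UDP", "10.1.1.5", "203.0.113.53"),                  # protocol not accepted
    Flow("SCTP", "10.1.1.5", "203.0.113.7"),                  # non-TCP: State skipped
    Flow("TCP", "2001:db8::1", "::1", "ESTABLISHED"),         # loopback: ignored
]


def evaluate_samples() -> List[bool]:
    """Apply the example filter to every sample flow."""
    return [replicated(flow, EXAMPLE_FILTER) for flow in SAMPLE_FLOWS]
```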

   SCHEDULER
       Select a different scheduler for the daemon; you can select between RR and FIFO, and the process priority.

       See sched_setscheduler(2) for more information. Using an RT scheduler reduces the chances to overrun the Netlink buffer.

       Example:
           Scheduler {
               Type FIFO
               Priority 99
           }

       Type <type>
              Supported values are RR or FIFO.

       Priority <value>
              Value of the scheduler priority.

              Minimum is 0, maximum is 99.

STATS
       This top-level section tells conntrackd(8) to work as a statistics collector for the nf_conntrack Linux kernel subsystem.

       LogFile <on|off|filename>
              If you enable this option, the daemon writes the information about destroyed connections to a logfile.

              Default is off. Default filename is /var/log/conntrackd-stats.log.

       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this option on. If you set this clause on, it is a good idea to set NetlinkOverrunResync off. This requires Linux kernel >= 2.6.31.

              Default is off.

       Syslog <on|off|facility>
              Enable connection logging via syslog. If you set the facility, use the same as in the General section, otherwise you'll get a warning message.

              Example: Syslog local0

              Default is off.

HELPER
       Note: this configuration is very advanced and has nothing to do with synchronization or stats collection.

       This top-level section tells conntrackd(8) to inject user-space helpers into the nf_conntrack Linux kernel subsystem. It will result in the nf_conntrack engine sending connections to user-space for further processing.

       Before this, you have to make sure you have registered the given user-space helper stub.

       Example:
           % nfct add helper ftp inet tcp

       Each user-space helper should be registered using a Type section, which is named this way:
           Type <name> <af> <transport>

       Examples:

           Helper {
               Type ftp inet tcp {
                   QueueNum 0
                   QueueLen 10240
                   Policy ftp {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type rpc inet tcp {
                   QueueNum 1
                   QueueLen 10240
                   Policy rpc {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type rpc inet udp {
                   QueueNum 2
                   QueueLen 10240
                   Policy rpc {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type tns inet tcp {
                   QueueNum 3
                   QueueLen 10240
                   Policy tns {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type dhcpv6 inet6 udp {
                   QueueNum 4
                   QueueLen 10240
                   Policy dhcpv6 {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type ssdp inet udp {
                   QueueNum 5
                   QueueLen 10240
                   Policy ssdp {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
           }

       Parameters inside the Type section:

       QueueNum <number>
              Set the NFQUEUE number you want to use to receive traffic from the kernel.

              Example: QueueNum 0

       QueueLen <number>
              Maximum number of packets waiting in the queue to receive a verdict from user-space.

              Raise the value if you hit the following error message:
              "nf_queue: full at X entries, dropping packet(s)"

              Default is 1024.

              Example: QueueLen 10240

       Policy <name> { }
              Set the expectation policy for the given helper.

              This sub-section contains 2 directives: ExpectMax <number> (maximum number of simultaneous expectations) and ExpectTimeout <seconds> (maximum living time for one expectation).

EXAMPLES
       Find below some real-life working examples.

   STATS EXAMPLE
       This configuration example tells conntrackd(8) to work as a stats collector.

           Stats {
               LogFile on
               NetlinkEventsReliable Off
               Syslog off
           }
           General {
               Systemd on
               Nice -1
               HashSize 8192
               HashLimit 65535
               Syslog on
               LockFile /var/lock/conntrack.lock
               UNIX {
                   Path /var/run/conntrackd.ctl
                   Backlog 20
               }
               NetlinkBufferSize 262142
               NetlinkBufferSizeMaxGrowth 655355
               Filter {
                   Protocol Accept {
                       TCP
                       UDP
                   }
                   Address Ignore {
                       IPv4_address 127.0.0.1
                       IPv6_address ::1
                   }
               }
           }

   SYNC EXAMPLE 1
       This example configures synchronization in FTFW mode with Multicast transport.

       It includes common general configuration as well.

       Note: this is one of the recommended setups for conntrackd(8) in a firewall cluster environment.

           Sync {
               Mode FTFW {
                   ResendQueueSize 131072
                   PurgeTimeout 60
                   ACKWindowSize 300
                   DisableExternalCache Off
               }
               Multicast {
                   IPv4_address 225.0.0.50
                   Group 3780
                   IPv4_interface 192.168.100.100
                   Interface eth2
                   SndSocketBuffer 1249280
                   RcvSocketBuffer 1249280
                   Checksum on
               }
               Multicast Default {
                   IPv4_address 225.0.0.51
                   Group 3781
                   IPv4_interface 192.168.100.101
                   Interface eth3
                   SndSocketBuffer 1249280
                   RcvSocketBuffer 1249280
                   Checksum on
               }
               Options {
                   TCPWindowTracking Off
                   ExpectationSync On
               }
           }
           General {
               Systemd on
               Nice -20
               Scheduler {
                   Type FIFO
                   Priority 99
               }
               HashSize 32768
               HashLimit 131072
               LogFile on
               Syslog off
               LockFile /var/lock/conntrack.lock
               UNIX {
                   Path /var/run/conntrackd.ctl
                   Backlog 20
               }
               NetlinkBufferSize 2097152
               NetlinkBufferSizeMaxGrowth 8388608
               NetlinkOverrunResync On
               NetlinkEventsReliable Off
               EventIterationLimit 100
               Filter From Userspace {
                   Protocol Accept {
                       TCP
                       SCTP
                       DCCP
                   }
                   Address Ignore {
                       IPv4_address 127.0.0.1
                       IPv4_address 192.168.100.0/24
                       IPv6_address ::1
                   }
               }
           }

   SYNC EXAMPLE 2
       This example configures synchronization in NOTRACK mode with TCP transport.

       It includes common general configuration as well.

           Sync {
               Mode NOTRACK {
                   DisableInternalCache on
                   DisableExternalCache on
               }
               TCP {
                   IPv4_address 192.168.2.100
                   IPv4_Destination_Address 192.168.2.101
                   Port 3780
                   Interface eth2
                   SndSocketBuffer 1249280
                   RcvSocketBuffer 1249280
                   Checksum on
               }
               Options {
                   TCPWindowTracking Off
                   ExpectationSync On
               }
           }
           General {
               Systemd on
               Nice -20
               Scheduler {
                   Type FIFO
                   Priority 99
               }
               HashSize 32768
               HashLimit 131072
               LogFile on
               Syslog off
               LockFile /var/lock/conntrack.lock
               UNIX {
                   Path /var/run/conntrackd.ctl
                   Backlog 20
               }
               NetlinkBufferSize 2097152
               NetlinkBufferSizeMaxGrowth 8388608
               NetlinkOverrunResync On
               NetlinkEventsReliable Off
               EventIterationLimit 100
               Filter From Userspace {
                   Protocol Accept {
                       TCP
                       SCTP
                       DCCP
                   }
                   Address Ignore {
                       IPv4_address 127.0.0.1
                       IPv4_address 192.168.0.0/16
                       IPv6_address ::1
                   }
                   State Accept {
                       ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT
                   }
               }
           }

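       As an added example, not code from this manual or from the conntrack-tools project: a small Python parser for the brace and key-value format described under DESCRIPTION, run over a constructed configuration derived from SYNC EXAMPLE 1, with two checks for rules stated earlier on this page (redundant Multicast links must use different groups, with at most 4 links; the Syslog facility must agree between General and Stats). The Section class, parse() and check() are the example's own names; repeated sections such as several Multicast blocks are kept in order.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Section:
    """One `Name ... {` block: its options in order and its nested sections."""
    name: str                                   # e.g. "Sync", "Multicast Default"
    options: List[Tuple[str, str]] = field(default_factory=list)
    sections: List["Section"] = field(default_factory=list)

    def get(self, key: str) -> Optional[str]:
        return next((v for k, v in self.options if k == key), None)

    def find(self, *names: str) -> List["Section"]:
        """Nested sections whose first word is one of `names`."""
        return [s for s in self.sections if s.name.split()[0] in names]


def parse(text: str) -> Section:
    """Parse conntrackd.conf text into a tree under a synthetic root section."""
    root = Section("<root>")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:                              # empty lines are ignored
            continue
        if line.endswith("{"):                    # e.g. "Filter From Userspace {"
            child = Section(line[:-1].strip())
            stack[-1].sections.append(child)
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        else:                                     # "Key value" or a bare token
            parts = line.split(None, 1)
            stack[-1].options.append((parts[0], parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError(f"unclosed section '{stack[-1].name}'")
    return root


def check(root: Section) -> List[str]:
    """Warnings for rules the manual states: multicast groups and Syslog facility."""
    warnings = []
    for sync in root.find("Sync"):
        links = sync.find("Multicast")
        if len(links) > 4:
            warnings.append("more than 4 redundant Multicast links")
        groups = [link.get("Group") for link in links]
        if len(groups) != len(set(groups)):
            warnings.append("redundant Multicast links must use different groups")
    facilities = {s.name: s.get("Syslog") for s in root.find("General", "Stats")}
    if len({v for v in facilities.values() if v not in (None, "on", "off")}) > 1:
        warnings.append(f"Syslog facility mismatch: {facilities}")
    return warnings


# Constructed sample derived from SYNC EXAMPLE 1, with two deliberate mistakes.
SAMPLE = """\
Sync {
    Multicast Default {
        IPv4_address 225.0.0.51
        Group 3781
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3781          # mistake: same group as the Default link
    }
}
General {
    Syslog local0
    Filter From Userspace {
        Protocol Accept {
            TCP
            SCTP
        }
    }
}
Stats {
    Syslog local1           # mistake: facility differs from General
}
"""
```

Calling check(parse(SAMPLE)) returns one warning for each of the two deliberate mistakes.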

SEE ALSO
       conntrackd(8), conntrack(8), nfct(8), http://conntrack-tools.netfilter.org/manual.html

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       This manual page was written by Arturo Borrero González <arturo.borrero.glez@gmail.com> based on the conntrackd tarball config examples.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>. Subscription is required.

       This documentation is free/libre under the terms of the GPLv2+.

                                  Nov 19, 2015                    CONNTRACKD.CONF(5)