CONNTRACKD(8)                                                    CONNTRACKD(8)

NAME
       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS
       conntrackd [options]

DESCRIPTION
       conntrackd is the user-space daemon for the netfilter connection
       tracking system. This daemon synchronizes connection tracking states
       between several replica firewalls. Thus, conntrackd can be used to
       deploy highly available stateful firewalls. The daemon supports
       Primary-Backup and Multiprimary setups. The daemon can also be used as
       a statistics collector.

OPTIONS
       The options recognized by conntrackd can be divided into several
       different groups.

   MODES
       These options specify the particular operation mode in which
       conntrackd runs. Only one of them can be specified at any given time.

       -d     Run conntrackd in daemon mode.

   CLIENT COMMANDS
       conntrackd can be used in client mode to request information and
       operations from a running daemon.

       -i [ct|expect]
              Dump the internal cache, i.e. show local states.

       -e [ct|expect]
              Dump the external cache, i.e. show foreign states.

       -x     Display output in XML format. This option is only valid in
              combination with the "-i" and "-e" parameters.

       -f [internal|external]
              Flush the internal and/or external cache.

       -F [ct|expect]
              Flush the kernel conntrack table (if you use a Linux kernel >=
              2.6.29, this option will not flush your internal and external
              cache).

       -c     Commit external cache to conntrack table.

       -B     Force a bulk send to other replica firewalls. With this command,
              you will ask conntrackd to send the state-entries that it owns
              to others.

       -n     Request resync with other node (only FT-FW and NOTRACK modes).

       -k     Kill the daemon.

       -s [network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. If no parameter is passed, it displays the
              general statistics. If "network" is passed as parameter, it
              displays the networking statistics. If "cache" is passed as
              parameter, it shows the extended cache statistics. If "runtime"
              is passed as parameter, it shows the run-time statistics. If
              "process" is passed as parameter, it shows existing child
              processes (if any). If "queue" is passed as parameter, it shows
              queue statistics. If "ct" is passed, it displays the general
              statistics. If "expect" is passed as parameter, it shows
              expectation statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table.

       -t     Reset the in-kernel timers (see PurgeTimeout clause).

       -v     Display version information.

       -h     Display help information.

       -C config file
              Configuration file path. See conntrackd.conf(5) for details.

DIAGNOSTICS
       The exit code is 0 for correct function. Errors cause an exit code of
       1.

EXAMPLES
       The following examples are illustrative; for real use in a firewall
       fail-over, check the primary-backup.sh script that comes with the
       sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode.

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those handled
              by this firewall.

       conntrackd -e
              Dumps the states held in the external cache, i.e. those handled
              by other replica firewalls.

       conntrackd -c
              Commits the external cache into the kernel connection tracking
              system. This is used to inject the state so that the connections
              can be recovered during the failover.

DEPENDENCIES
       This daemon requires a Linux kernel version >= 2.6.18. TCP window
       tracking support requires >= 2.6.22, otherwise you have to disable it.
       Helpers are fully supported since >= 2.6.25; however, if you use any
       previous version, depending on the protocol helper and your setup
       (e.g. whether your setup performs NAT sequence adjustments or not),
       your helper-tracked connections may be successfully recovered.

       There are several unsupported stateful iptables matches, such as
       recent, connbytes and the quota matches, which gather internal
       information to operate. Since that information does not belong to the
       domain of the connection tracking system, connections affected by
       those matches may not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support
       kernel-space event filtering. Otherwise, all the event filtering is
       done in userspace with the corresponding extra overhead. If you are
       not using the Filter clause in the configuration file, ignore this
       notice.

INCOMPATIBILITIES
       During the 0.9.9 development, some important changes in the
       replication message format were introduced. Therefore, conntrackd >=
       0.9.9 will not work appropriately with conntrackd <= 0.9.8. This
       should not be a problem if you use the same conntrackd version in all
       the firewall replica nodes.

SEE ALSO
       conntrack(8), iptables(8), conntrackd.conf(5)
       See http://conntrack-tools.netfilter.org

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.



                                 Nov 19, 2015                    CONNTRACKD(8)