CONNTRACKD(8)                                                    CONNTRACKD(8)

NAME
conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS
conntrackd [options]

DESCRIPTION
conntrackd is the user-space daemon for the netfilter connection tracking
system. This daemon synchronizes connection tracking states between several
replica firewalls. Thus, conntrackd can be used to deploy highly available
stateful firewalls. The daemon supports Primary-Backup and Multiprimary
setups. The daemon can also be used as a statistics collector.
18
OPTIONS
The options recognized by conntrackd can be divided into several different
groups.
22
MODES
These options specify the particular operation mode in which conntrackd
runs. Only one of them can be specified at any given time.

-d Run conntrackd in daemon mode.
28
CLIENT COMMANDS
conntrackd can be used in client mode to request information from, and
issue operations to, a running daemon.
32
-i Dump the internal cache, i.e. show local states

-e Dump the external cache, i.e. show foreign states

-x Display output in XML format. This option is only valid in combination
with the "-i" or "-e" parameters.

-f [|internal|external]
Flush the internal and/or external cache. With no parameter, both caches
are flushed.

-F Flush the kernel conntrack table (if you use a Linux kernel >= 2.6.29,
this option will not flush your internal and external cache).

-B Force a bulk send to other replica firewalls. With this command, you ask
conntrackd to send the state-entries that it owns to the others.

-c Commit the external cache into the kernel connection tracking table.
Run this on the node that takes over, so that the states learned from the
other replica are injected into the kernel and the connections survive the
failover (see the examples below).

-k Kill the daemon
52
-s [|network|cache|runtime|link|rsqueue|process|queue]
Dump statistics. If no parameter is passed, it displays the general
statistics. If "network" is passed as parameter, it displays the
networking statistics. If "cache" is passed as parameter, it shows the
extended cache statistics. If "runtime" is passed as parameter, it shows
the run-time statistics. If "process" is passed as parameter, it shows
existing child processes (if any). If "queue" is passed as parameter, it
shows queue statistics.

-R Force a resync against the kernel connection tracking table

-t Reset the in-kernel timers (see the PurgeTimeout clause of the
configuration file)

-v Display version information.

-h Display help information.
70
DIAGNOSTICS
The exit code is 0 for correct function. Errors cause an exit code of 1.
74
EXAMPLES
The following examples are illustrative; for real use in a firewall
fail-over, check the primary-backup.sh script that comes with the sources.

conntrackd -d
Runs conntrackd in daemon and synchronization mode

conntrackd -i
Dumps the states held in the internal cache, i.e. those handled by this
firewall

conntrackd -e
Dumps the states held in the external cache, i.e. those handled by other
replica firewalls

conntrackd -c
Commits the external cache into the kernel connection tracking system.
This is used to inject the states so that the connections can be recovered
during the failover.
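The takeover sequence the examples above describe, as an added example in the style of the primary-backup.sh script the text refers to. This is not that script nor any other conntrack-tools code; it uses only the client commands documented on this page and assumes that conntrackd is on PATH (override with CONNTRACKD), that a cluster manager hook calls it with "primary" or "backup" (a keepalived notify script is one assumed caller, not something the page covers), and that DRY_RUN=1 makes it print the client commands instead of running them so it can be exercised on a host without the daemon:

```shell
#!/bin/sh
# Hypothetical failover helper built from the conntrackd client commands
# above.  Added example, not the primary-backup.sh shipped with the sources.
# DRY_RUN=1 prints each client command instead of executing it (assumption
# for testing on a host without conntrackd).

CONNTRACKD="${CONNTRACKD:-conntrackd}"   # assumption: daemon binary on PATH

# Run one client command, honouring DRY_RUN.  Returns the client's exit
# code: 0 on success, 1 on error, as documented under DIAGNOSTICS.
ctd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$CONNTRACKD" "$*"
        return 0
    fi
    "$CONNTRACKD" "$@"
}

# Is a daemon answering?  A plain statistics request is the cheapest probe:
# it can only exit 0 when a daemon is running and reachable.
daemon_alive() {
    ctd -s >/dev/null 2>&1
}

# Sequence for the node that has just become primary.  Each step is checked
# so that a failed commit does not go on to flush caches that were never
# injected into the kernel.
become_primary() {
    # 1. inject the states learned from the old primary into the kernel
    ctd -c || return 1
    # 2. drop the now-stale internal and external caches
    ctd -f || return 1
    # 3. rebuild the internal cache from the kernel table just populated
    ctd -R || return 1
    # 4. push every state this node now owns to the other replicas
    ctd -B || return 1
}

# Sequence for the node that has just stepped down to backup: make sure a
# daemon is there to receive the primary's states.  The external cache then
# fills from replication traffic and is committed with -c on the next
# takeover, so nothing else is needed here.
become_backup() {
    if ! daemon_alive; then
        ctd -d || return 1
    fi
}

case "${1:-}" in
    primary) become_primary ;;
    backup)  become_backup ;;
    "")      ;;   # no argument: only define the functions (sourced use)
    *)       echo "usage: $0 {primary|backup}" >&2; exit 1 ;;
esac
```

The order in become_primary matters: committing (-c) before flushing (-f) is what turns the foreign states into live kernel entries, and the resync (-R) afterwards makes the internal cache describe the table this node now owns before it is bulk-sent (-B). Because every client invocation reports failure with exit code 1, the `|| return 1` checks are enough to abort the sequence at the first failing step.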
95
DEPENDENCIES
This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking
support requires >= 2.6.22; otherwise you have to disable it. Helpers are
fully supported since >= 2.6.25. With any previous version, whether a
helped connection is successfully recovered depends on the protocol helper
and on your setup (e.g. whether or not your setup performs NAT sequence
adjustments).

Several stateful iptables matches, such as recent, connbytes and quota,
gather internal information in order to operate and are not supported.
Since that information does not belong to the domain of the connection
tracking system, connections affected by those matches may not be fully
recovered during the takeover.

The daemon requires a Linux kernel version >= 2.6.26 to support
kernel-space event filtering. Otherwise, all the event filtering is done in
userspace with the corresponding extra overhead. If you are not using the
Filter clause in the configuration file, ignore this notice.
114
INCOMPATIBILITIES
During the 0.9.9 development, some important changes in the replication
message format were introduced. Therefore, conntrackd >= 0.9.9 will not
work appropriately with conntrackd <= 0.9.8. This should not be a problem
if you use the same conntrackd version in all the firewall replica nodes.
121
SEE ALSO
conntrack(8), iptables(8)
See http://conntrack-tools.netfilter.org
125
BUGS
Please report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
129
AUTHORS
Pablo Neira Ayuso wrote and maintains the conntrackd tool.

Please send bug reports to <netfilter-devel@lists.netfilter.org>.
Subscription is required.

Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

Oct 21, 2008                                                     CONNTRACKD(8)