CONNTRACKD(8)                                                    CONNTRACKD(8)



NAME
       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS
       conntrackd [options]

DESCRIPTION
       conntrackd is the user-space daemon for the netfilter connection track‐
       ing system. This daemon synchronizes connection tracking states between
       several  replica  firewalls.  Thus,  conntrackd  can  be used to deploy
       highly available stateful firewalls. The daemon supports Primary-Backup
       and Multiprimary setups. The daemon can also be used as  a  statistics
       collector.


OPTIONS
       The options recognized by conntrackd can be divided into  several  dif‐
       ferent groups.

   MODES
       These options specify the particular operation mode in which conntrackd
       runs. Only one of them can be specified at any given time.

       -d     Run conntrackd in daemon mode.

   CLIENT COMMANDS
       conntrackd can be used in client mode to request information  and  ask
       for operations from a running daemon.

       -i     Dump the internal cache, i.e. show local states.

       -e     Dump the external cache, i.e. show foreign states.

       -x     Display  output in XML format. This option is only valid in com‐
              bination with the "-i" and "-e" parameters.

       -f [|internal|external]
              Flush the internal and/or external cache. With no parameter,
              both caches are flushed.

       -F     Flush the kernel conntrack table (if you use a Linux  kernel  >=
              2.6.29,  this  option  will not flush your internal and external
              cache).

       -B     Force a bulk send to other replica firewalls. With this command,
              you  ask  conntrackd  to  send  the state entries that it owns to
              the other nodes.

       -k     Kill the daemon.

       -s [|network|cache|runtime|link|rsqueue|process|queue]
              Dump statistics. If no parameter is passed, it displays the gen‐
              eral  statistics.   If  "network" is passed as parameter it dis‐
              plays the networking statistics.  If "cache" is passed as param‐
              eter,  it  shows the extended cache statistics.  If "runtime" is
              passed as parameter,  it  shows  the  run-time  statistics.   If
              "process"  is  passed as parameter, it shows existing child pro‐
              cesses (if any).  If "queue" is passed as  parameter,  it  shows
              queue statistics.

       -R     Force a resync against the kernel connection tracking table.

       -t     Reset the in-kernel timers (see the PurgeTimeout clause).

       -v     Display version information.

       -h     Display help information.


DIAGNOSTICS
       The  exit  code is 0 for correct function. Errors cause an exit code of
       1.

EXAMPLES
       The following examples are illustrative; for real use in  a  firewall
       fail-over,  check  the  primary-backup.sh  script  that  comes with the
       sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode.

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those  handled
              by this firewall.

       conntrackd -e
              Dumps  the states held in the external cache, i.e. those handled
              by other replica firewalls.

       conntrackd -c
              Commits the external cache into the kernel  connection  tracking
              system. This is used to inject the state so that the connections
              can be recovered during the failover.

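       The following script is an added illustration, not part of conntrackd
       or its primary-backup.sh; it strings the client commands listed above
       into a takeover ("primary") and hand-back ("backup") sequence, checking
       the documented exit code (0 ok, 1 error) after every step, and exposes a
       health check a cluster manager can poll. The CONNTRACKD variable, the
       ct_* function names and the exact order of the commands are assumptions
       of this example; the shipped primary-backup.sh remains the reference.

```shell
#!/bin/sh
# Added example (not from the conntrackd sources): promote/demote helper built
# only from the client commands documented on this page.
# CONNTRACKD names the binary to run; a test may point it at a stub function.
: "${CONNTRACKD:=conntrackd}"

# Run one conntrackd client command, report the outcome using the documented
# exit codes (0 = correct function, 1 = error) and pass that status back.
ct_run() {
    if "$CONNTRACKD" "$@"; then
        echo "ok: conntrackd $*"
        return 0
    else
        rc=$?
        echo "failed (exit $rc): conntrackd $*" >&2
        return "$rc"
    fi
}

# Take over as primary: inject the foreign states from the external cache into
# the kernel (-c), drop both caches (-f), rebuild the internal cache from the
# kernel table we now own (-R) and push it to the other replicas (-B).
# The chain stops at the first failing step so a half-done takeover is visible.
ct_promote() {
    ct_run -c && ct_run -f && ct_run -R && ct_run -B
}

# Step back to backup: reset the in-kernel timers (-t) so entries this node no
# longer owns expire according to PurgeTimeout instead of lingering.
ct_demote() {
    ct_run -t
}

# Health check for a cluster manager: a daemon that cannot answer a general
# statistics request (-s) returns a non-zero exit code per DIAGNOSTICS.
ct_healthy() {
    "$CONNTRACKD" -s >/dev/null 2>&1
}

# Dispatch on the role argument when run as a script; with no argument nothing
# runs, so the functions above can also be sourced from another script.
case "${1:-}" in
    primary) ct_promote ;;
    backup)  ct_demote ;;
    check)   ct_healthy ;;
esac
```

       Invoke it as "sh takeover.sh primary" from the notify hook of whatever
       fail-over manager you use, and "sh takeover.sh backup" on the node that
       hands the traffic over; "sh takeover.sh check" can serve as the liveness
       probe for the daemon itself.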

DEPENDENCIES
       This daemon requires a Linux  kernel  version  >=  2.6.18.  TCP  window
       tracking  support requires >= 2.6.22, otherwise you have to disable it.
       Helpers are fully supported since >= 2.6.25; however, if you  use  any
       previous version, depending on the protocol helper and your setup (e.g.
       whether your setup performs NAT sequence adjustments or not), your helper
       connection may or may not be successfully recovered.

       There are several unsupported stateful iptables matches such as recent,
       connbytes and the quota matches which gather  internal  information  to
       operate.  Since  that  information does not belong to the domain of the
       connection tracking system, connections affected by those  matches  may
       not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support kernel-
       space event filtering. Otherwise, all the event filtering  is  done  in
       userspace  with  the corresponding extra overhead. If you are not using
       the Filter clause in the configuration file, ignore this notice.

INCOMPATIBILITIES
       During the 0.9.9 development, some important changes in the replication
       message format were introduced. Therefore, conntrackd >= 0.9.9 will not
       work appropriately with conntrackd <= 0.9.8. This should not be a prob‐
       lem  if you use the same conntrackd version in all the firewall replica
       nodes.

SEE ALSO
       conntrack(8), iptables(8)
       See http://conntrack-tools.netfilter.org

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug  in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       Please  send bug reports to <netfilter-devel@lists.netfilter.org>. Sub‐
       scription is required.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.



                                 Oct 21, 2008                    CONNTRACKD(8)