CONNTRACKD.CONF(5)            File Formats Manual           CONNTRACKD.CONF(5)


NAME

       conntrackd.conf - configuration file for the conntrackd daemon


DESCRIPTION

       conntrackd.conf is the main configuration file for the conntrackd(8)
       daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

       The format of this file is simple: brackets delimit sections, and
       key-value pairs carry the concrete configuration directives:

            section1 {
                 option1 value1
                 option2 value2
            }
            section2 {
                 option3 value3
                 subsection1 {
                      option4 value4
                 }
            }

       The file is case-sensitive. Empty lines and lines starting with the
       '#' character are ignored.

       Before starting to develop a new configuration, you may want to learn
       the concepts behind this technology at
       http://conntrack-tools.netfilter.org/manual.html.

       There are complete configuration examples at the end of this man page.


SYNC

       This top-level section defines how conntrackd(8) should handle
       synchronization with other cluster nodes.

       There are 3 main synchronization modes or protocols: NOTRACK, ALARM and
       FTFW.

       There are 3 transport protocols as well: TCP, Multicast and UDP.

       You have to choose one synchronization mode and one transport protocol.

       There are also some general options in this section.

   Mode FTFW
       This mode is based on a reliable protocol that performs message
       tracking. Thus, the protocol can recover from message loss, re-ordering
       and corruption.

       In this synchronization mode you may configure ResendQueueSize,
       CommitTimeout, PurgeTimeout, ACKWindowSize, DisableExternalCache and
       StartupResync.

       ResendQueueSize <value>
              Size of the resend queue (in objects). This is the maximum
              number of objects that can be stored waiting to be confirmed via
              acknowledgment. If you keep this value low, the daemon has fewer
              chances to recover state-changes under message omission. On the
              other hand, if you keep this value high, the daemon consumes
              more memory to store dead objects.

              Example: ResendQueueSize 131072

              Default is 131072 objects.

       CommitTimeout <seconds>
              This parameter allows you to set an initial fixed timeout for
              the committed entries when this node goes from backup to
              primary. This mechanism provides a way to purge entries that
              were not recovered appropriately after the specified fixed
              timeout. If you set a low value, TCP entries in ESTABLISHED
              state with no traffic may hang, for example an SSH connection
              without KeepAlive enabled.

              Example: CommitTimeout 180

              By default, this option is not set (the daemon uses an
              approximate timeout value calculation mechanism).

       PurgeTimeout <seconds>
              If the firewall replica goes from primary to backup, the
              `conntrackd -t' command is invoked in the script. This command
              schedules a flush of the table in N seconds.

              This is useful to purge the connection tracking table of zombie
              entries and avoid clashes with old entries if you trigger
              several consecutive hand-overs.

              Default is 60 seconds.

       ACKWindowSize <value>
              Set the acknowledgement window size. If you decrease this value,
              the number of acknowledgments increases. More acknowledgments
              means more overhead, as conntrackd(8) has to handle more control
              messages. On the other hand, if you increase this value, the
              resend queue gets more populated. This results in more overhead
              in the queue releasing.

              Example: ACKWindowSize 300

              If not set, the default window size is 300 (value based on some
              practical experiments measuring the cycles spent by the
              acknowledgment handling with oprofile).

       DisableExternalCache <on|off>
              This clause allows you to disable the external cache. Thus, the
              state entries are directly injected into the kernel conntrack
              table. As a result, you save memory in user-space but you
              consume slots in the kernel conntrack table for backup state
              entries. Moreover, disabling the external cache means more CPU
              consumption. You need a Linux kernel >= 2.6.29 to use this
              feature.

              If you are installing conntrackd(8) for the first time, read the
              user manual and consider using the failover scripts instead of
              enabling this option.

              By default, this clause is set off.

       StartupResync <on|off>
              Order conntrackd to request a complete conntrack table resync
              against the other node at startup. A single request will be
              made.

              This is useful to get in sync with another node which has been
              running while we were down.

              Example: StartupResync on

              By default, this clause is set off.

   Mode ALARM
       This mode is bandwidth-hungry. It is based on an alarm-based protocol
       that periodically re-sends the flow state to the backup firewall
       replicas. This protocol consumes a lot of bandwidth but it resolves
       synchronization problems fast.

       In this synchronization mode you may configure RefreshTime,
       CacheTimeout, CommitTimeout and PurgeTimeout.

       RefreshTime <seconds>
              If a conntrack entry is not modified in <= N seconds, then a
              message is broadcast. For example, this mechanism may be used to
              resynchronize nodes that just joined the multicast group.

              Example: RefreshTime 15

       CacheTimeout <seconds>
              If we don't receive a notification about the state of an entry
              in the external cache after N seconds, then remove it.

              Example: CacheTimeout 180

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

   Mode NOTRACK
       This is the simplest mode, as it is based on a best-effort, i.e.
       unreliable, replication protocol. This protocol sends and receives the
       state information without performing any specific checking.

       In this synchronization mode you may configure DisableInternalCache,
       DisableExternalCache, CommitTimeout, PurgeTimeout and StartupResync.

       DisableInternalCache <on|off>
              This clause allows you to disable the internal cache. Thus, the
              synchronization messages are directly sent through the dedicated
              link.

              This option is set off by default.

       DisableExternalCache <on|off>
              Same as in FTFW mode.

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

       StartupResync <on|off>
              Same as in FTFW mode.

   MULTICAST
       This section tells conntrackd(8) to use multicast as the transport
       mechanism between nodes of the firewall cluster.

       Please note you can specify more than one dedicated link. Thus, if one
       dedicated link fails, the daemon can fail over to another. Note that
       adding more than one dedicated link does not mean that state-updates
       will be sent to all of them. There is only one active dedicated link at
       a given moment.

       The Default keyword indicates that this interface will be selected as
       the initial dedicated link. You can have up to 4 redundant dedicated
       links.

       Note: use different multicast groups for every redundant link.

       Example:
            Multicast Default {
                 IPv4_address 225.0.0.51
                 Group 3781
                 IPv4_interface 192.168.100.101
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Multicast {
                 IPv4_address 225.0.0.51
                 Group 3782
                 IPv4_interface 192.168.100.102
                 Interface eth4
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }

       IPv4_address <address>
              Multicast address: the address that you use as destination in
              the synchronization messages. It must be a multicast group
              (224.0.0.0/4). You do not have to add this IP to any of your
              existing interfaces.

              Example: IPv4_address 225.0.0.50

       Group <number>
              The multicast group that identifies the cluster.

              Example: Group 3780

              If in doubt, do not modify this value.

       IPv4_interface <address>
              IP address of the interface that you are going to use to send
              the synchronization messages. Remember that you must use a
              dedicated link for the synchronization messages.

              Example: IPv4_interface 192.168.100.100

       Interface <name>
              The name of the interface that you are going to use to send the
              synchronization messages.

              Example: Interface eth2

       SndSocketBuffer <number>
              This transport protocol sender uses a buffer to enqueue the
              packets that are going to be transmitted. The default size of
              this socket buffer is available at
              /proc/sys/net/core/wmem_default.

              This value determines the chances to have an overrun in the
              sender queue. The overrun results in packet loss, thus losing
              state information that would have to be retransmitted. If you
              notice some packet loss, you may want to increase the size of
              the buffer. The system default size is usually around ~100
              KBytes, which is fairly small for busy firewalls.

              Note: since the NOTRACK protocol is best effort, increasing the
              buffer size is strongly recommended with it.

              Example: SndSocketBuffer 1249280

       RcvSocketBuffer <number>
              This transport protocol receiver uses a buffer to enqueue the
              packets that the socket is pending to handle. The default size
              of this socket buffer is available at
              /proc/sys/net/core/rmem_default.

              This value determines the chances to have an overrun in the
              receiver queue. The overrun results in packet loss, thus losing
              state information that would have to be retransmitted. If you
              notice some packet loss, you may want to increase the size of
              the buffer. The system default size is usually around ~100
              KBytes, which is fairly small for busy firewalls.

              Note: since the NOTRACK protocol is best effort, increasing the
              buffer size is strongly recommended with it.

              Example: RcvSocketBuffer 1249280

       Checksum <on|off>
              Enable/Disable message checksumming. This is a good property to
              achieve fault-tolerance. In case of doubt, use it.

   UDP
       This section tells conntrackd(8) to use UDP as the transport mechanism
       between nodes of the firewall cluster.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
            UDP {
                 IPv4_address 172.16.0.1
                 IPv4_Destination_Address 172.16.0.2
                 Port 3781
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }

       IPv4_address <address>
              UDP IPv4 address that this firewall uses to listen to events.

              Example: IPv4_address 192.168.2.100

       IPv6_address <address>
              UDP IPv6 address that this firewall uses to listen to events.

              Example: IPv6_address fe80::215:58ff:fe28:5a27

       IPv4_Destination_Address <address>
              Destination IPv4 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv4_Destination_Address 192.168.2.101

       IPv6_Destination_Address <address>
              Destination IPv6 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

       Port <number>
              UDP port used.

              Example: Port 3780

       Interface <name>
              Same as in the Multicast transport protocol configuration.

       SndSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       RcvSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       Checksum <on|off>
              Same as in the Multicast transport protocol configuration.

   TCP
       You can also use unicast TCP to propagate events.

       If you combine this transport with the NOTRACK mode, it becomes
       reliable.

       The TCP transport protocol can be configured in exactly the same way as
       the UDP transport protocol.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
            TCP {
                 IPv6_address fe80::215:58ff:fe28:5a27
                 IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
                 Port 3781
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }

   OPTIONS
       Other unsorted options that are related to the synchronization protocol
       or transport mechanism.

       TCPWindowTracking <on|off>
              TCP state-entries have window tracking disabled by default; you
              can enable it with this option. As said, default is off. This
              feature requires a Linux kernel >= 2.6.36.

       ExpectationSync <on|{ list }>
              Set this option to on to synchronize the expectations of all
              helpers, or give the list of helpers whose expectations you want
              to synchronize.

              This feature requires a Linux kernel >= 3.5.

              Example, sync all expectations:
                   ExpectationSync on

              Example, sync given expectations:
                   ExpectationSync {
                        ftp
                        ras
                        q.931
                        h.245
                        sip
                   }

              By default, this option is disabled.

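       The link-block rules above (at most one Default link, at most 4
       redundant links, a distinct Group for every redundant link, a real
       multicast group as IPv4_address) are easy to break by copy-paste, and a
       socket buffer larger than the sysctl cap is accepted silently. The
       following POSIX shell script is an added example written for this page,
       not part of conntrack-tools; it lints those rules over the link blocks
       of a Sync section. Two things are assumptions rather than statements of
       the page: that the sync sockets request their buffers with plain
       SO_SNDBUF/SO_RCVBUF, which the kernel clamps to net.core.wmem_max and
       net.core.rmem_max, and the two sample configurations embedded in the
       script, which are constructed (the first deliberately carries two
       Default links, a duplicated Group and a 255.0.0.50 address).

```shell
#!/bin/sh
# conntrackd-sync-lint.sh: lint the Multicast/UDP/TCP link blocks of a
# conntrackd.conf Sync section. Hypothetical helper written for this page,
# not part of conntrack-tools.
#
# Checks taken from the man page: at most one Default link, at most 4 links,
# distinct Group/Port for redundant links of the same transport, and a
# Multicast IPv4_address inside 224.0.0.0/4.
# Assumption: buffers are requested with plain SO_SNDBUF/SO_RCVBUF, so the
# kernel clamps SndSocketBuffer/RcvSocketBuffer to net.core.wmem_max /
# net.core.rmem_max; anything above the cap is reported as WARN.
#
# Usage: lint_sync_links FILE [WMEM_MAX RMEM_MAX]
# Prints ERROR/WARN lines; returns 1 if at least one ERROR was found.
lint_sync_links() {
    file=$1
    wmax=${2:-$(cat /proc/sys/net/core/wmem_max 2>/dev/null || echo 0)}
    rmax=${3:-$(cat /proc/sys/net/core/rmem_max 2>/dev/null || echo 0)}
    awk -v wmax="$wmax" -v rmax="$rmax" '
    function strip(s) { sub(/#.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
        line = strip($0)
        if (line == "") next
        # Opening line of a link block: "Multicast Default {", "UDP {", "TCP {"
        if (!inlink && line ~ /^(Multicast|UDP|TCP)([ \t]+Default)?[ \t]*[{]$/) {
            inlink = 1; n++
            sub(/[ \t]*[{]$/, "", line)
            split(line, w, /[ \t]+/)
            type[n] = w[1]
            if (w[2] == "Default") ndefault++
            next
        }
        if (!inlink) next
        if (line == "}") { inlink = 0; next }
        split(line, kv, /[ \t]+/)
        if (kv[1] == "Group" || kv[1] == "Port") grp[n] = kv[2]
        else if (kv[1] == "IPv4_address") addr[n] = kv[2]
        else if (kv[1] == "SndSocketBuffer") snd[n] = kv[2]
        else if (kv[1] == "RcvSocketBuffer") rcv[n] = kv[2]
    }
    END {
        if (n == 0) { print "ERROR: no Multicast/UDP/TCP link block found"; bad++ }
        if (ndefault > 1) { print "ERROR: " ndefault " links marked Default, only one may be"; bad++ }
        if (n > 1 && ndefault == 0) print "WARN: several links but none marked Default"
        if (n > 4) { print "ERROR: " n " links configured, the maximum is 4"; bad++ }
        for (i = 1; i <= n; i++) {
            if (type[i] == "Multicast") {
                split(addr[i], o, "[.]")
                if (o[1] + 0 < 224 || o[1] + 0 > 239) {
                    print "ERROR: link " i ": IPv4_address \"" addr[i] "\" is not a multicast group (224.0.0.0/4)"
                    bad++
                }
            }
            for (j = 1; j < i; j++)
                if (type[i] == type[j] && grp[i] != "" && grp[i] == grp[j]) {
                    print "ERROR: links " j " and " i " share Group/Port " grp[i] "; redundant links need distinct groups"
                    bad++
                }
            if (wmax + 0 > 0 && snd[i] + 0 > wmax + 0)
                print "WARN: link " i ": SndSocketBuffer " snd[i] " > net.core.wmem_max=" wmax " (kernel will clamp it)"
            if (rmax + 0 > 0 && rcv[i] + 0 > rmax + 0)
                print "WARN: link " i ": RcvSocketBuffer " rcv[i] " > net.core.rmem_max=" rmax " (kernel will clamp it)"
        }
        exit (bad > 0)
    }' "$file"
}

# Constructed sample (not a real deployment), deliberately wrong.
SAMPLE_BAD=$(cat <<'EOF'
Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
        ACKWindowSize 300
    }
    Multicast Default {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.100.100
        Interface eth2
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
    Multicast Default {           # second Default: only one link may be Default
        IPv4_address 255.0.0.50   # typo: 255/8 is not a multicast group
        Group 3780                # same Group as the first link
        IPv4_interface 192.168.101.100
        Interface eth3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
EOF
)

# Constructed sample with the mistakes fixed.
SAMPLE_GOOD=$(cat <<'EOF'
Sync {
    Mode FTFW {
        ResendQueueSize 131072
    }
    Multicast Default {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.100.100
        Interface eth2
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
    Multicast {
        IPv4_address 225.0.0.51
        Group 3781
        IPv4_interface 192.168.101.100
        Interface eth3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
EOF
)

# Demo: "./conntrackd-sync-lint.sh --demo" lints both samples against a
# 212992-byte cap (a common Linux default for rmem_max/wmem_max).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BAD" > "$tmp"
    echo "== bad sample"; lint_sync_links "$tmp" 212992 212992
    printf '%s\n' "$SAMPLE_GOOD" > "$tmp"
    echo "== good sample"; lint_sync_links "$tmp" 2097152 2097152 && echo "OK"
    rm -f "$tmp"
}
[ "${1:-}" = "--demo" ] && demo
```

       On a real node run it against the live file and the live sysctls
       (`lint_sync_links /etc/conntrackd/conntrackd.conf`); a WARN about the
       buffer cap means the fix is `sysctl -w net.core.rmem_max=...` (and
       wmem_max), not a larger number in conntrackd.conf.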

GENERAL

       This top-level section contains generic configuration directives for
       the conntrackd(8) daemon.

       Systemd <on|off>
              Enable systemd(1) runtime support if conntrackd(8) is compiled
              with the proper configuration. Then you can use a service unit
              of Type=notify.

              Obviously, this requires the init of your system to be
              systemd(1).

              Note: the systemd(1) watchdog is supported as well.

              Example: Systemd on

              By default, runtime support is enabled if conntrackd was built
              with the systemd feature. Otherwise it is off.

       Nice <value>
              Deprecated. Conntrackd ignores this option and it will be
              removed in the future. Please note that you can run nice(1) and
              renice(1) externally. Also note that conntrackd(8) now uses a RT
              scheduler by default.

       HashSize <value>
              Number of buckets in the cache hashtable. The bigger it is, the
              closer lookups get to O(1), at the cost of consuming more
              memory. Read some documents about tuning hashtables for further
              reference.

              Example: HashSize 32768

       HashLimit <value>
              Maximum number of conntracks. It should be twice the value of
              /proc/sys/net/netfilter/nf_conntrack_max, since the daemon may
              keep some dead entries cached for possible retransmission during
              state synchronization.

              Example: HashLimit 131072

       LogFile <on|off|filename>
              Enable conntrackd(8) to log to a file.

              Example: LogFile on

              Default is off. The default logfile is /var/log/conntrackd.log.

       Syslog <on|off|facility>
              Enable connection logging via Syslog. If you set the facility,
              use the same as in the Stats section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is off.

       LockFile <filename>
              Lockfile to be used by conntrackd(8) (absolute path).

              Example: LockFile /var/lock/conntrack.lock

              Default is /var/lock/conntrack.lock.

       NetlinkBufferSize <value>
              Netlink event socket buffer size. If you do not specify this
              clause, the default buffer size value in
              /proc/sys/net/core/rmem_default is used. This default value is
              usually around 100 Kbytes, which is fairly small for busy
              firewalls. This leads to event message dropping and high CPU
              consumption.

              Example: NetlinkBufferSize 2097152

       NetlinkBufferSizeMaxGrowth <value>
              The daemon doubles the size of the netlink event socket buffer
              if it detects netlink event message dropping. This clause sets
              the maximum buffer size growth that can be reached.

              Example: NetlinkBufferSizeMaxGrowth 8388608

       NetlinkOverrunResync <on|off|value>
              If the daemon detects that Netlink is dropping state-change
              events, it automatically schedules a resynchronization against
              the kernel after 30 seconds (default value). Resynchronizations
              are expensive in terms of CPU consumption, since the daemon has
              to get the full kernel state-table and purge state-entries that
              do not exist anymore.

              Note: be careful when setting a very small value here.

              Example: NetlinkOverrunResync on

              The default value is 30 seconds. If not specified, the daemon
              assumes that this option is enabled and uses the default value.

       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this
              option on. If you set this clause on, it is a good idea to set
              NetlinkOverrunResync off.

              You need a Linux kernel >= 2.6.31 for this option to work.

              Example: NetlinkEventsReliable on

              This option is off by default.

       PollSecs <seconds>
              By default, the daemon receives state updates following an
              event-driven model. You can modify this behaviour by switching
              to polling mode with this clause.

              This clause tells conntrackd(8) to dump the states in the kernel
              every N seconds. With regards to synchronization mode, the
              polling mode can only guarantee that long-lifetime states are
              recovered. The main advantage of this method is the reduction in
              the state replication, at the cost of reducing the chances of
              recovering connections.

              Example: PollSecs 15

       EventIterationLimit <value>
              The daemon prioritizes the handling of state-change events
              coming from the core. With this clause, you can set the maximum
              number of state-change events (those coming from kernel-space)
              that the daemon will handle, after which it will handle other
              events coming from the network or userspace.

              A low value improves interactivity (in terms of real-time
              behaviour) at the cost of extra CPU consumption.

              Example: EventIterationLimit 100

              Default (if not set) is 100.

   UNIX
       Unix socket configuration. This socket is used by conntrackd(8) to
       listen to external commands like `conntrackd -k' or `conntrackd -n'.

       Example:
            UNIX {
                 Path /var/run/conntrackd.ctl
            }

       Path <filename>
              Absolute path to the Unix socket.

              Example: Path /var/run/conntrackd.ctl

       Backlog <value>
              Deprecated option.

   FILTER
       Event filtering. This clause allows you to filter out the events of
       certain traffic.

       There are currently three filter-sets: Protocol, Address and State. The
       filter is attached to an action that can be Accept or Ignore. Thus, you
       can define the event filtering policy of the filter-sets in positive or
       negative logic depending on your needs.

       You can select whether conntrackd(8) filters the event messages from
       user-space or kernel-space. The kernel-space event filtering saves some
       CPU cycles by avoiding the copy of the event message from kernel-space
       to user-space. The kernel-space event filtering is preferred; however,
       you require a Linux kernel >= 2.6.29 to filter from kernel-space.

       The syntax for this section is: Filter From <from> { }.

       If you want to select kernel-space event filtering, use the keyword
       Kernelspace instead of Userspace.

       Example:
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                 }
                 State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                 }
            }

       Protocol <policy> { <protocols list> }
              Accept only certain protocols: you may want to replicate the
              state of flows depending on their layer 4 protocol.

              Policy is one of Accept or Ignore.

              Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

              The ICMP and IPv6-ICMP protocols require a Linux kernel >=
              2.6.31.

              Example:
                   Protocol Accept {
                        TCP
                        SCTP
                        DCCP
                   }

       Address <policy> { <addresses list> }
              Ignore traffic for a certain set of IPs: usually all the IPs
              assigned to the firewall, since local traffic must be ignored;
              only forwarded connections are worth replicating.

              Note that these values depend on the local IPs that are
              assigned to the firewall.

              You may specify several IPv4_address and/or IPv6_address
              directives. You can also specify networks in CIDR format.

              Policy is one of Accept or Ignore.

              Example:
                   Address Ignore {
                        IPv4_address 127.0.0.1 # loopback
                        IPv4_address 192.168.0.100 # virtual IP 1
                        IPv4_address 192.168.1.100 # virtual IP 2
                        IPv4_address 192.168.100.100 # dedicated link ip
                        IPv4_address 192.168.0.0/24
                        IPv6_address ::1
                   }

       State <policy> { <states list> for TCP }
              Filter by flow state. This option introduces a trade-off in the
              replication: it reduces CPU consumption at the cost of having
              less up-to-date backup firewall replicas.

              Note: only affects TCP flows.

              The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

              Policy is one of Accept or Ignore.

              Example:
                   State Accept {
                        ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                   }

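       The Address Ignore list is only as good as its coverage: every address
       the firewall itself owns, the loopback, the virtual IPs and the
       dedicated link address alike, has to be listed, or the daemon spends
       replication effort on the firewall's own local flows. The following
       POSIX shell script is an added example written for this page, not part
       of conntrack-tools. It generates the block from `ip -o addr show`
       output read on standard input and appends any addresses given as
       arguments, meant for virtual IPs that a VRRP-style failover tool
       assigns only to the active node and that are therefore missing from
       the backup's interface list when the file is generated (an assumption
       about the deployment, not something the page states). The embedded
       `ip` output is constructed sample data, not a capture from a real host.

```shell
#!/bin/sh
# gen-address-ignore.sh: build a conntrackd Filter "Address Ignore" block from
# the addresses currently assigned to this host. Hypothetical helper written
# for this page, not part of conntrack-tools.
#
# Usage: ip -o addr show | gen_address_ignore [EXTRA_ADDR ...]
# EXTRA_ADDR: virtual IPs that may not be assigned to this node right now
# (assumption: a VRRP-style tool moves them between nodes). Each address is
# emitted once; the prefix length is dropped so only the host address is kept.
gen_address_ignore() {
    awk -v extra="$*" '
    function emit(fam, a, why) {
        if (a in seen) return
        seen[a] = 1
        printf "     %s %s # %s\n", (fam == "inet6" ? "IPv6_address" : "IPv4_address"), a, why
    }
    BEGIN { print "Address Ignore {" }
    {
        # "ip -o addr" lines look like: "<idx>: <ifname>  inet|inet6 <addr>/<plen> ..."
        for (i = 1; i < NF; i++)
            if ($i == "inet" || $i == "inet6") {
                a = $(i + 1); sub("/.*", "", a)
                emit($i, a, $2)
            }
    }
    END {
        n = split(extra, x, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (x[i] != "") emit((x[i] ~ /:/) ? "inet6" : "inet", x[i], "virtual IP (from arguments)")
        print "}"
    }'
}

# Constructed sample of "ip -o addr show" output (not captured from a real host).
SAMPLE_IP_ADDR=$(cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth1\       valid_lft forever preferred_lft forever
4: eth2    inet 192.168.100.100/24 brd 192.168.100.255 scope global eth2\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::215:58ff:fe28:5a27/64 scope link \       valid_lft forever preferred_lft forever
EOF
)

# Demo: "./gen-address-ignore.sh --demo" runs on the sample; on a real node
# pipe "ip -o addr show" instead. 192.168.0.200 is a constructed VIP that is
# not assigned here; 192.168.0.100 is repeated on purpose to show the dedup.
[ "${1:-}" = "--demo" ] && printf '%s\n' "$SAMPLE_IP_ADDR" | gen_address_ignore 192.168.0.200 192.168.0.100
```

       Paste the output inside the Filter section and regenerate it whenever
       an address is added to the firewall; an address that is assigned later
       and never added here is the usual way the list drifts out of date.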
   SCHEDULER
       Select the scheduling policy for the daemon, RR or FIFO, and the
       process priority.

       Using a RT scheduler reduces the chances of overrunning the Netlink
       buffer; conntrackd(8) uses RR by default unless FIFO is selected. See
       sched_setscheduler(2) for more information.

       Note: a real-time task at priority 99 is never pre-empted by anything
       below it, and FIFO, unlike RR, does not even time-slice with other
       real-time tasks of the same priority, so a daemon that spins at this
       priority can starve every other task on its CPU.

       Example:
            Scheduler {
                 Type FIFO
                 Priority 99
            }

       Type <type>
              Supported values are RR or FIFO.

              Default: RR

       Priority <value>
              Value of the scheduler priority. Minimum is 0, maximum is 99.

              Default: 99 (as returned by sched_get_priority_max(2) for
              SCHED_RR)


STATS

       This top-level section tells conntrackd(8) to work as a statistics
       collector for the nf_conntrack Linux kernel subsystem.

       LogFile <on|off|filename>
              If you enable this option, the daemon writes the information
              about destroyed connections to a logfile.

              Default is off. Default filename is
              /var/log/conntrackd-stats.log.

       NetlinkEventsReliable <on|off>
              If you want reliable event reporting over Netlink, set this
              option on. If you set this clause on, it is a good idea to set
              NetlinkOverrunResync off. This requires a Linux kernel >=
              2.6.31.

              Default is off.

       Syslog <on|off|facility>
              Enable connection logging via Syslog. If you set the facility,
              use the same as in the General section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is off.


HELPER

       Note: this configuration is very advanced and has nothing to do with
       synchronization or stats collection.

       This top-level section tells conntrackd(8) to inject user-space helpers
       into the nf_conntrack Linux kernel subsystem. As a result, the
       nf_conntrack engine sends connections to user space for further
       processing.

       Before this, make sure you have registered the given user-space helper
       stub.

       Example:
            % nfct add helper ftp inet tcp

       Each user-space helper is registered using a Type section, named this
       way:
            Type <name> <af> <transport>

       Examples:

       Helper {
            Type ftp inet tcp {
                 QueueNum 0
                 QueueLen 10240
                 Policy ftp {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type rpc inet tcp {
                 QueueNum 1
                 QueueLen 10240
                 Policy rpc {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type rpc inet udp {
                 QueueNum 2
                 QueueLen 10240
                 Policy rpc {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type tns inet tcp {
                 QueueNum 3
                 QueueLen 10240
                 Policy tns {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type dhcpv6 inet6 udp {
                 QueueNum 4
                 QueueLen 10240
                 Policy dhcpv6 {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type ssdp inet udp {
                 QueueNum 5
                 QueueLen 10240
                 Policy ssdp {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
       }

       Parameters inside the Type section:

       QueueNum <number>
              Set the NFQUEUE number you want to use to receive traffic from
              the kernel.

              Example: QueueNum 0

       QueueLen <number>
              Maximum number of packets waiting in the queue to receive a
              verdict from user-space.

              Raise the value if you hit the following error message:
                   "nf_queue: full at X entries, dropping packet(s)"

              Default is 1024.

              Example: QueueLen 10240

       Policy <name> { }
              Set the expectation policy for the given helper.

              This sub-section contains 2 directives: ExpectMax <number>
              (maximum number of simultaneous expectations) and ExpectTimeout
              <seconds> (maximum lifetime of one expectation).


COMPLETE EXAMPLES
       Find below some real-life working examples.


   STATS EXAMPLE
       This configuration example tells conntrackd(8) to work as a stats
       collector.

       Stats {
            LogFile on
            NetlinkEventsReliable Off
            Syslog off
       }
       General {
            Systemd on
            HashSize 8192
            HashLimit 65535
            Syslog on
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
            }
            NetlinkBufferSize 262142
            NetlinkBufferSizeMaxGrowth 655355
            Filter {
                 Protocol Accept {
                      TCP
                      UDP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                 }
            }
       }


   SYNC EXAMPLE 1
       This example configures synchronization in FTFW mode with Multicast
       transport.

       It includes common general configuration as well.

       Note: this is one of the recommended setups for conntrackd(8) in a
       firewall cluster environment.

       Sync {
            Mode FTFW {
                 ResendQueueSize 131072
                 PurgeTimeout 60
                 ACKWindowSize 300
                 DisableExternalCache Off
            }
            Multicast {
                 IPv4_address 225.0.0.50
                 Group 3780
                 IPv4_interface 192.168.100.100
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Multicast Default {
                 IPv4_address 225.0.0.51
                 Group 3781
                 IPv4_interface 192.168.100.101
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Options {
                 TCPWindowTracking Off
                 ExpectationSync On
            }
       }
       General {
            Systemd on
            HashSize 32768
            HashLimit 131072
            LogFile on
            Syslog off
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
            }
            NetlinkBufferSize 2097152
            NetlinkBufferSizeMaxGrowth 8388608
            NetlinkOverrunResync On
            NetlinkEventsReliable Off
            EventIterationLimit 100
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv4_address 192.168.100.0/24
                      IPv6_address ::1
                 }
            }
       }


   SYNC EXAMPLE 2
       This example configures synchronization in NOTRACK mode with TCP
       transport.

       It includes common general configuration as well.

       Sync {
            Mode NOTRACK {
                 DisableInternalCache on
                 DisableExternalCache on
            }
            TCP {
                 IPv4_address 192.168.2.100
                 IPv4_Destination_Address 192.168.2.101
                 Port 3780
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Options {
                 TCPWindowTracking Off
                 ExpectationSync On
            }
       }
       General {
            Systemd on
            HashSize 32768
            HashLimit 131072
            LogFile on
            Syslog off
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
            }
            NetlinkBufferSize 2097152
            NetlinkBufferSizeMaxGrowth 8388608
            NetlinkOverrunResync On
            NetlinkEventsReliable Off
            EventIterationLimit 100
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv4_address 192.168.0.0/16
                      IPv6_address ::1
                 }
                 State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                 }
            }
       }


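       The following added example is not part of conntrackd or of this
       manual page: it is a small Python lint, written for this page, that
       parses the brace/key-value syntax described in DESCRIPTION and applies
       two checks to the Helper and Sync sections shown in the examples.
       First, that no two Type sections claim the same QueueNum (every Type in
       the Helper example uses its own NFQUEUE number).  Second, that the
       addresses the Sync transport binds to (IPv4_interface for Multicast,
       IPv4_address and IPv4_Destination_Address for TCP and, by assumption,
       the same two keys for UDP) fall inside the General > Filter > Address
       Ignore networks, as both SYNC EXAMPLEs arrange by ignoring the
       synchronization subnet, so that the nodes' own replication flows are
       not themselves tracked and replicated.  The configuration text
       embedded in the script is constructed, trimmed from the examples above
       and seeded with two deliberate defects for the checks to find.

```python
"""Lint a conntrackd.conf: parse it, then check helper QueueNums and Sync endpoints."""
import ipaddress

class Section:  # one "Name [args...] { ... }" block; directives are (key, value) pairs
    def __init__(self, name, args):
        self.name, self.args, self.directives, self.subsections = name, args, [], []

    def find(self, name):
        return [s for s in self.subsections if s.name == name]

    def values(self, key):
        return [v for k, v in self.directives if k == key]

def parse(text):
    """Parse conntrackd.conf text: case-sensitive, blank and '#' lines ignored."""
    stack = [Section("root", [])]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            toks = line[:-1].split()            # e.g. "Type ftp inet tcp {"
            sec = Section(toks[0], toks[1:])
            stack[-1].subsections.append(sec)
            stack.append(sec)
        else:
            key, _, value = line.partition(" ")
            stack[-1].directives.append((key, value.strip()))
    if len(stack) != 1:
        raise ValueError(f"unterminated section '{stack[-1].name}'")
    return stack[0]

def queue_conflicts(root):
    """{QueueNum: [Type names]} for each NFQUEUE number claimed by more than one Type."""
    used = {}
    for t in (t for h in root.find("Helper") for t in h.find("Type")):
        for q in t.values("QueueNum"):
            used.setdefault(int(q), []).append(" ".join(t.args))
    return {q: names for q, names in used.items() if len(names) > 1}

# Endpoint directives per transport, limited to those shown on this page (UDP keys are
# assumed to mirror TCP's).  For Multicast only the node's own interface address counts.
SYNC_ENDPOINT_KEYS = {"Multicast": ("IPv4_interface",),
                      "UDP": ("IPv4_address", "IPv4_Destination_Address"),
                      "TCP": ("IPv4_address", "IPv4_Destination_Address")}

def unfiltered_sync_addresses(root):
    """Sync endpoints no Address Ignore entry covers (their flows would be replicated)."""
    nets = [ipaddress.ip_network(v, strict=False)
            for g in root.find("General") for f in g.find("Filter")
            for a in f.find("Address") if a.args == ["Ignore"]
            for key in ("IPv4_address", "IPv6_address") for v in a.values(key)]
    missing = []
    for sync in root.find("Sync"):
        for transport, keys in SYNC_ENDPOINT_KEYS.items():
            for sec in sync.find(transport):
                for key in keys:
                    for v in sec.values(key):
                        if not any(ipaddress.ip_address(v) in n for n in nets):
                            missing.append((transport, key, v))
    return missing

# Constructed sample, trimmed from this page's SYNC EXAMPLE 1 and Helper examples, with
# two deliberate defects: the Default interface is outside the ignored network, and
# both rpc Types claim QueueNum 1.
SAMPLE = """\
Sync {
     Multicast {
          IPv4_interface 192.168.100.100
     }
     Multicast Default {
          IPv4_interface 10.0.0.5
     }
}
General {
     Filter From Userspace {
          Address Ignore {
               IPv4_address 127.0.0.1
               IPv4_address 192.168.100.0/24
          }
     }
}
Helper {
     Type rpc inet tcp {
          QueueNum 1
     }
     Type rpc inet udp {
          QueueNum 1
     }
}
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("QueueNum conflicts:", queue_conflicts(cfg))
    print("Sync endpoints not in Address Ignore:", unfiltered_sync_addresses(cfg))
```

       To lint a real file, replace SAMPLE with the contents of your
       conntrackd.conf; the parser is deliberately generic, so directives it
       does not know about (State Accept, Protocol Accept and so on) are kept
       as plain key/value pairs and do not upset the checks.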

SEE ALSO
       conntrackd(8), conntrack(8), nfct(8),
       http://conntrack-tools.netfilter.org/manual.html


AUTHOR
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       This manual page was written by Arturo Borrero Gonzalez
       <arturo@debian.org> based on the conntrackd tarball config examples.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       This documentation is free/libre under the terms of the GPLv2+.



                                 Jan 27, 2019               CONNTRACKD.CONF(5)