1CONNTRACKD(8) CONNTRACKD(8)
2
6 conntrackd - netfilter connection tracking user-space daemon
7
10 conntrackd [options]
11
14 conntrackd is the user-space daemon for the netfilter connection track‐
15 ing system. This daemon synchronizes connection tracking states between
16 several replica firewalls. Thus, conntrackd can be used to deploy
17 highly available stateful firewalls.
18 The daemon supports Primary-Backup and Multiprimary setups and can also
20 be used as statistics collector.
21
24 The options recognized by conntrackd can be divided into two different
25 groups.
26 GEMERAL OPTIONS
29 General options for the conntrackd daemon.
30 -d Run conntrackd in daemon mode (fork to background).
33 -C <path>
36 Load config file specified in path. See conntrackd.conf(5) for
37 details.
38 -v Display version information.
41 -h Display help information.
44 CLIENT COMMANDS
47 conntrackd can be used in client mode to request several information
48 and operations to a running instance of the daemon.
49 -i [ct|expect]
52 Dump the internal cache, i.e. show local states
53 -e [ct|expect]
56 Dump the external cache, i.e. show foreign states
57 -x Display output in XML format. This option is only valid in com‐
60 bination with -i and -e parameters.
61 -f [internal|external]
64 Flush the internal and/or external cache
65 -F [ct|expect]
68 Flush the kernel conntrack table (if you use a Linux kernel >=
69 2.6.29, this option will not flush your internal and external
70 cache).
71 -c Commit external cache to conntrack table.
73 -B Force a bulk send to other replica firewalls. With this command,
75 you will ask conntrackd to send the state-entries that it owns
76 to others.
77 -n Request resync with other node (only FT-FW and NOTRACK modes).
79 -k Kill the daemon
81 -s [network|cache|runtime|link|rsqueue|process|queue|ct|expect]
83 Dump statistics. If no parameter is passed, it displays the gen‐
84 eral statistics.
85 If "network" is passed as parameter it displays the networking
86 statistics.
87 If "cache" is passed as parameter, it shows the extended cache
88 statistics.
89 If "runtime" is passed as parameter, it shows the run-time sta‐
90 tistics.
91 If "process" is passed as parameter, it shows existing child
92 processes (if any).
93 If "queue" is passed as parameter, it shows queue statistics.
94 If "ct" is passed, it displays the general statistics.
95 If "expect" is passed as parameter, it shows expectation statis‐
96 tics.
97 -R [ct|expect]
99 Force a resync against the kernel connection tracking table
100 -t Reset the in-kernel timers (See PurgeTimeout clause)
102
105 The exit code is 0 for correct function. Errors cause an exit code of
106 1.
107
110 The following example are illustrative, for a real use in a firewall
111 fail-over, check the primary-backup.sh script that comes with the
112 sources.
113 conntrackd -d
115 Runs conntrackd in daemon and synchronization mode
116 conntrackd -i
118 Dumps the states held in the internal cache, i.e. those handled
119 by this firewall
120 conntrackd -e
122 Dumps the states held in the external cache, i.e. those handled
123 by other replica firewalls
124 conntrackd -c
126 Commits the external cache into the kernel connection tracking
127 system. This is used to inject the state so that the connec‐
128 tions can be recovered during the failover.
129
132 This daemon requires a Linux kernel version >= 2.6.18. TCP window
133 tracking support requires >= 2.6.22, otherwise you have to disable it.
134 Helpers are fully supported since >= 2.6.25, however, if you use any
135 previous version, depending on the protocol helper and your setup (e.g.
136 if you setup performs NAT sequence adjustments or not), your help con‐
137 nection may be successfully recovered.
138 There are several unsupported stateful iptables matches such as recent,
140 connbytes and the quota matches which gather internal information to
141 operate. Since that information does not belong to the domain of the
142 connection tracking system, connections affected by those matches may
143 not be fully recovered during the takeover.
144 The daemon requires a Linux kernel version >= 2.6.26 to support kernel-
146 space event filtering. Otherwise, all the event filtering is done in
147 userspace with the corresponding extra overhead. If you are not using
148 the Filter clause in the configuration file, ignore this notice.
149
152 Starting with the 1.4.4 release, conntrackd includes integration with
153 systemd(1) to use an unit file of Type=notify and watchdog support.
154
157 During the 0.9.9 development, some important changes in the replication
158 message format were introduced. Therefore, conntrackd >= 0.9.9 will not
159 work appropriately with conntrackd <= 0.9.8.
160 This should not be a problem if you use the same conntrackd version in
162 all the firewall replica nodes.
163
166 conntrackd.conf(5) conntrack(8) iptables(8) nft(8)
167 http://conntrack-tools.netfilter.org
168
171 Please, report them to netfilter-devel@vger.kernel.org (subscription
172 required) or file a bug in Netfilter's bugzilla (https://bugzilla.net‐
173 filter.org).
174
177 Pablo Neira Ayuso wrote and maintains the conntrackd tool
178 Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.
180 Apr 16, 2018 CONNTRACKD(8)