CONNTRACKD(8)                                                  CONNTRACKD(8)

NAME
       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS
       conntrackd [options]

DESCRIPTION
       conntrackd is the user-space daemon for the netfilter connection
       tracking system. It synchronizes connection tracking states between
       several replica firewalls, so conntrackd can be used to deploy highly
       available stateful firewalls.

       The daemon supports Primary-Backup and Multiprimary setups and can
       also be used as a statistics collector.

OPTIONS
       The options recognized by conntrackd fall into two groups.

   GENERAL OPTIONS
       General options for the conntrackd daemon.

       -d     Run conntrackd in daemon mode (fork to background).

       -C <path>
              Load the configuration file at the given path. See
              conntrackd.conf(5) for details.

       -v     Display version information.

       -h     Display help information.
   CLIENT COMMANDS
       conntrackd can be run in client mode to request information and
       operations from a running instance of the daemon.

       -i [ct|expect]
              Dump the internal cache, i.e. show local states.

       -e [ct|expect]
              Dump the external cache, i.e. show foreign states.

       -x     Display output in XML format. This option is only valid in
              combination with the -i and -e parameters.

       -f [internal|external]
              Flush the internal and/or external cache. With no parameter,
              both caches are flushed.

       -F [ct|expect]
              Flush the kernel conntrack table. With a Linux kernel >=
              2.6.29 this does not flush the internal and external caches.

       -c     Commit the external cache to the kernel conntrack table.

       -B     Force a bulk send to the other replica firewalls, i.e. ask
              conntrackd to send the state entries it owns to the others.

       -n     Request a resync with the other node (FT-FW and NOTRACK modes
              only).

       -k     Kill the daemon.

       -s [network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. With no parameter, the general statistics are
              displayed.
              "network" displays the networking statistics.
              "cache" shows the extended cache statistics.
              "runtime" shows the run-time statistics.
              "process" shows the existing child processes (if any).
              "queue" shows queue statistics.
              "ct" displays the general statistics.
              "expect" shows expectation statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table.

       -t     Reset the in-kernel timers (see the PurgeTimeout clause in the
              configuration file).

DIAGNOSTICS
       The exit code is 0 on success. Errors cause an exit code of 1.

EXAMPLES
       The following examples are illustrative; for real use in a firewall
       fail-over, check the primary-backup.sh script that comes with the
       sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode.

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those
              handled by this firewall.

       conntrackd -e
              Dumps the states held in the external cache, i.e. those
              handled by the other replica firewalls.

       conntrackd -c
              Commits the external cache into the kernel connection tracking
              system. This injects the states so that the connections can be
              recovered during the failover.

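       The client commands above are normally tied together in a hook that
       the cluster manager (keepalived, for instance) calls whenever this
       node changes role. The script below is an added example written for
       this page; it is not the primary-backup.sh script shipped with
       conntrack-tools. The binary and configuration paths, the role names
       "primary" and "backup", and the DRY_RUN switch are assumptions; every
       conntrackd flag it uses is one documented on this page.

```sh
#!/bin/sh
# Added example for this page: a failover hook built only from the client
# commands documented above. It is NOT the primary-backup.sh shipped with
# conntrack-tools. A cluster manager (keepalived, for instance) would call
# it as:   conntrackd-hook.sh primary|backup
# Binary and configuration paths are assumptions; adjust to your system.
CONNTRACKD_BIN=${CONNTRACKD_BIN:-/usr/sbin/conntrackd}
CONNTRACKD_CONFIG=${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}
# With DRY_RUN=1 the hook prints each command instead of executing it, so
# the sequence can be reviewed (or tested) without a running daemon.
DRY_RUN=${DRY_RUN:-0}

# run_ctd: issue one conntrackd client command against the configured
# instance, or print it in dry-run mode.
run_ctd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG $*"
        return 0
    fi
    "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"
}

# become_primary: this node now carries the traffic. Order matters: the
# foreign states must be committed to the kernel before the caches are
# flushed, and the internal cache must be rebuilt from the kernel before
# it is pushed to the other replicas.
become_primary() {
    # -c: commit the external cache into the kernel conntrack table
    run_ctd -c || return 1
    # -f: flush the internal and external caches (both, with no argument)
    run_ctd -f || return 1
    # -R: resync the internal cache from the kernel conntrack table
    run_ctd -R || return 1
    # -B: bulk send the states this node owns to the other replicas
    run_ctd -B
}

# become_backup: this node stops carrying traffic. First check that the
# daemon answers (-s exits non-zero when it cannot be reached) and restart
# it if not; then shorten the kernel timers so entries for flows that are
# now handled elsewhere expire quickly, and ask the primary for a resync.
become_backup() {
    if ! run_ctd -s >/dev/null 2>&1; then
        echo "conntrackd is not responding; restarting it" >&2
        run_ctd -k >/dev/null 2>&1   # fails harmlessly if nothing listens
        run_ctd -d || return 1       # start a fresh daemon in the background
    fi
    # -t: reset the in-kernel timers (see the PurgeTimeout clause)
    run_ctd -t || return 1
    # -n: request a resync with the other node (FT-FW and NOTRACK modes)
    run_ctd -n
}

# failover_plan: dispatch on the role name; returns 2 for an unknown role so
# that a misconfigured notify script is visible in the cluster manager's log.
failover_plan() {
    case "$1" in
        primary) become_primary ;;
        backup)  become_backup ;;
        *) echo "usage: $0 primary|backup" >&2; return 2 ;;
    esac
}

# Dispatch only when a role was given, so the file can also be sourced
# (for example by a test) without touching the daemon.
if [ $# -gt 0 ]; then
    failover_plan "$1"
fi
```

       Run it once with DRY_RUN=1 to see the exact command sequence before
       wiring it into the cluster manager. Since -n is only accepted in the
       FT-FW and NOTRACK synchronization modes, drop that step from
       become_backup if you use another mode, otherwise the hook will report
       a failure on every demotion.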

DEPENDENCIES
       This daemon requires a Linux kernel version >= 2.6.18. TCP window
       tracking support requires >= 2.6.22; otherwise you have to disable
       it. Helpers are fully supported since >= 2.6.25; with an earlier
       kernel, whether helper-assisted connections are recovered depends on
       the protocol helper and on your setup (e.g. whether it performs NAT
       sequence adjustments).

       Several stateful iptables matches, such as recent, connbytes and the
       quota matches, gather internal information in order to operate and
       are not supported. Since that information does not belong to the
       domain of the connection tracking system, connections affected by
       those matches may not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support
       kernel-space event filtering. Otherwise, all event filtering is done
       in userspace with the corresponding extra overhead. If you are not
       using the Filter clause in the configuration file, ignore this
       notice.

SYSTEMD
       Starting with the 1.4.4 release, conntrackd includes integration with
       systemd(1): it can run from a unit file of Type=notify and supports
       the systemd watchdog.

INCOMPATIBILITIES
       During the 0.9.9 development, some important changes in the
       replication message format were introduced. Therefore, conntrackd >=
       0.9.9 will not interoperate with conntrackd <= 0.9.8.

       This is not a problem if you use the same conntrackd version on all
       the firewall replica nodes.

SEE ALSO
       conntrackd.conf(5), conntrack(8), iptables(8), nft(8)
       http://conntrack-tools.netfilter.org

BUGS
       Please report them to netfilter-devel@vger.kernel.org (subscription
       required) or file a bug in Netfilter's bugzilla
       (https://bugzilla.netfilter.org).

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.



                                 Apr 16, 2018                  CONNTRACKD(8)