CONNTRACKD.CONF(5)            File Formats Manual            CONNTRACKD.CONF(5)


NAME
   conntrackd.conf - configuration file for conntrackd daemon


DESCRIPTION
   conntrackd.conf is the main configuration file for the conntrackd(8)
   daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

   The format of this file is simple, using curly brackets for sections
   and key-value pairs for concrete configuration directives:

       section1 {
           option1 value1
           option2 value2
       }
       section2 {
           option3 value3
           subsection1 {
               option4 value4
           }
       }

   You should consider this file as case-sensitive. Empty lines and lines
   starting with the '#' character are ignored.
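   A small parser for the section/key-value format described above, added
   here as an illustration (it is not conntrackd's own parser): it handles
   nested sections, case-sensitive names, blank lines and '#' comments, and
   rejects unbalanced braces. The configuration text it reads is constructed
   for the example.

```python
"""Minimal parser for the conntrackd.conf section / key-value format.

Added illustration (not conntrackd's own parser). It follows the format rules
the man page states: brace-delimited sections that may nest, one
whitespace-separated directive per line, case-sensitive names, blank lines and
'#' comments ignored (trailing comments are stripped as well, as in the
Address example later in this page).
"""
import json


def parse_conntrackd_conf(text):
    """Parse conntrackd.conf text into a list of nested nodes.

    Each node is a dict {"name": str, "args": [str, ...]}; a line that opens a
    section with '{' additionally carries an "items" list of child nodes.
    A bare value inside a list section (e.g. "TCP" under "Protocol Accept")
    becomes a node with that name and no args. Raises ValueError on
    unbalanced braces.
    """
    root = []
    stack = [root]                      # "items" lists; top is the open section
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        tokens = line.split()
        if tokens == ["}"]:
            if len(stack) == 1:
                raise ValueError("line %d: unexpected '}'" % lineno)
            stack.pop()
            continue
        if tokens[-1] == "{":
            node = {"name": tokens[0], "args": tokens[1:-1], "items": []}
            stack[-1].append(node)
            stack.append(node["items"])
            continue
        stack[-1].append({"name": tokens[0], "args": tokens[1:]})
    if len(stack) != 1:
        raise ValueError("unterminated section: %d '}' missing" % (len(stack) - 1))
    return root


def find(items, name, *args):
    """Return the first node called `name` whose leading args equal `args`."""
    for node in items:
        if node["name"] == name and node["args"][:len(args)] == list(args):
            return node
    return None


# Constructed sample in the documented format (values are illustrative).
SAMPLE = """\
# constructed sample, not a real deployment
Sync {
    Mode FTFW {
        ResendQueueSize 131072
        DisableExternalCache Off
    }
    Multicast Default {
        IPv4_address 225.0.0.51
        Group 3781
        Interface eth3
    }
    Options {
        ExpectationSync {
            ftp
            sip
        }
    }
}
General {
    Filter From Userspace {
        Address Ignore {
            IPv4_address 127.0.0.1   # loopback
            IPv6_address ::1
        }
    }
}
"""

if __name__ == "__main__":
    print(json.dumps(parse_conntrackd_conf(SAMPLE), indent=1))
```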

   Before starting to develop a new configuration, you may want to learn
   the concepts behind this technology at
   http://conntrack-tools.netfilter.org/manual.html.

   There are complete configuration examples at the end of this man page.


SYNC
   This top-level section defines how conntrackd(8) should handle
   synchronization with other cluster nodes.

   There are 3 main synchronization modes or protocols: NOTRACK, ALARM and
   FTFW.

   There are 3 transport protocols as well: TCP, Multicast and UDP.

   You have to choose one synchronization mode and one transport protocol.

   Also, there are some general options in this section.

   Mode FTFW
   This mode is based on a reliable protocol that performs message
   tracking. Thus, the protocol can recover from message loss, re-ordering
   and corruption.

   In this synchronization mode you may configure ResendQueueSize,
   CommitTimeout, PurgeTimeout, ACKWindowSize, DisableExternalCache and
   StartupResync.


   ResendQueueSize <value>
       Size of the resend queue (in objects). This is the maximum number
       of objects that can be stored waiting to be confirmed via
       acknowledgment. If you keep this value low, the daemon will have
       fewer chances to recover state-changes under message omission. On
       the other hand, if you keep this value high, the daemon will
       consume more memory to store dead objects.

       Example: ResendQueueSize 131072

       Default is 131072 objects.


   CommitTimeout <seconds>
       This parameter allows you to set an initial fixed timeout for the
       committed entries when this node goes from backup to primary. This
       mechanism provides a way to purge entries that were not recovered
       appropriately after the specified fixed timeout. If you set a low
       value, TCP entries in Established state with no traffic may hang,
       for example an SSH connection without KeepAlive enabled.

       Example: CommitTimeout 180

       By default, this option is not set (the daemon uses an approximate
       timeout value calculation mechanism).


   PurgeTimeout <seconds>
       If the firewall replica goes from primary to backup, the
       `conntrackd -t' command is invoked in the script. This command
       schedules a flush of the table in N seconds.

       This is useful to purge the connection tracking table of zombie
       entries and avoid clashes with old entries if you trigger several
       consecutive hand-overs.

       Default is 60 seconds.


   ACKWindowSize <value>
       Set the acknowledgement window size. If you decrease this value,
       the number of acknowledgments increases. More acknowledgments
       means more overhead, as conntrackd(8) has to handle more control
       messages. On the other hand, if you increase this value, the resend
       queue gets more populated. This results in more overhead in the
       queue releasing.

       Example: ACKWindowSize 300

       If not set, the default window size is 300 (the value is based on
       some practical experiments measuring the cycles spent by the
       acknowledgment handling with oprofile).


   DisableExternalCache <on|off>
       This clause allows you to disable the external cache. Thus, the
       state entries are directly injected into the kernel conntrack
       table. As a result, you save memory in user-space but you consume
       slots in the kernel conntrack table for backup state entries.
       Moreover, disabling the external cache means more CPU consumption.
       You need a Linux kernel >= 2.6.29 to use this feature.

       If you are installing conntrackd(8) for the first time, please
       read the user manual, and I encourage you to consider using the
       fail-over scripts instead of enabling this option!

       By default, this clause is set off.


   StartupResync <on|off>
       Order conntrackd to request a complete conntrack table resync
       against the other node at startup. A single request will be made.

       This is useful to get in sync with another node which has been
       running while we were down.

       Example: StartupResync on

       By default, this clause is set off.

   Mode ALARM
   This mode is spamming: it is based on an alarm-based protocol that
   periodically re-sends the flow state to the backup firewall replicas.
   This protocol consumes a lot of bandwidth but it resolves
   synchronization problems fast.

   In this synchronization mode you may configure RefreshTime,
   CacheTimeout, CommitTimeout and PurgeTimeout.


   RefreshTime <seconds>
       If a conntrack entry is not modified in <= N seconds, then a
       message is broadcast. For example, this mechanism may be used to
       resynchronize nodes that just joined the multicast group.

       Example: RefreshTime 15


   CacheTimeout <seconds>
       If we don't receive a notification about the state of an entry in
       the external cache after N seconds, then remove it.

       Example: CacheTimeout 180


   CommitTimeout <seconds>
       Same as in FTFW mode.


   PurgeTimeout <seconds>
       Same as in FTFW mode.


   Mode NOTRACK
   This is the simplest mode, as it is based on a best-effort (i.e.
   unreliable) replication protocol. This protocol sends and receives the
   state information without performing any specific checking.

   In this synchronization mode you may configure DisableInternalCache,
   DisableExternalCache, CommitTimeout, PurgeTimeout and StartupResync.


   DisableInternalCache <on|off>
       This clause allows you to disable the internal cache. Thus, the
       synchronization messages are directly sent through the dedicated
       link.

       This option is set off by default.


   DisableExternalCache <on|off>
       Same as in FTFW mode.


   CommitTimeout <seconds>
       Same as in FTFW mode.


   PurgeTimeout <seconds>
       Same as in FTFW mode.


   StartupResync <on|off>
       Same as in FTFW mode.

   MULTICAST
   This section tells conntrackd(8) to use multicast as the transport
   mechanism between nodes of the firewall cluster.

   Please note you can specify more than one dedicated link. Thus, if one
   dedicated link fails, the daemon can fail-over to another. Note that
   adding more than one dedicated link does not mean that state-updates
   will be sent to all of them. There is only one active dedicated link
   at a given moment.

   The Default keyword indicates that this interface will be selected as
   the initial dedicated link. You can have up to 4 redundant dedicated
   links.

   Note: use different multicast groups for every redundant link.

   Example:
       Multicast Default {
           IPv4_address 225.0.0.51
           Group 3781
           IPv4_interface 192.168.100.101
           Interface eth3
           SndSocketBuffer 1249280
           RcvSocketBuffer 1249280
           Checksum on
       }
       Multicast {
           IPv4_address 225.0.0.51
           Group 3782
           IPv4_interface 192.168.100.102
           Interface eth4
           SndSocketBuffer 1249280
           RcvSocketBuffer 1249280
           Checksum on
       }


   IPv4_address <address>
       Multicast address: the address that you use as destination in the
       synchronization messages. You do not have to add this IP to any of
       your existing interfaces.

       Example: IPv4_address 255.0.0.50


   Group <number>
       The multicast group that identifies the cluster.

       Example: Group 3780

       If in doubt, do not modify this value.


   IPv4_interface <address>
       IP address of the interface that you are going to use to send the
       synchronization messages. Remember that you must use a dedicated
       link for the synchronization messages.

       Example: IPv4_interface 192.168.100.100


   Interface <name>
       The name of the interface that you are going to use to send the
       synchronization messages.

       Example: Interface eth2


   SndSocketBuffer <number>
       This transport protocol sender uses a buffer to enqueue the
       packets that are going to be transmitted. The default size of this
       socket buffer is available at /proc/sys/net/core/wmem_default.

       This value determines the chances of an overrun in the sender
       queue. An overrun results in packet loss, thus losing state
       information that would have to be retransmitted. If you notice
       some packet loss, you may want to increase the size of the buffer.
       The system default size is usually around 100 KBytes, which is
       fairly small for busy firewalls.

       Note: since the NOTRACK protocol is best effort, increasing the
       buffer size is strongly recommended.

       Example: SndSocketBuffer 1249280


   RcvSocketBuffer <number>
       This transport protocol receiver uses a buffer to enqueue the
       packets that the socket is pending to handle. The default size of
       this socket buffer is available at /proc/sys/net/core/rmem_default.

       This value determines the chances of an overrun in the receiver
       queue. An overrun results in packet loss, thus losing state
       information that would have to be retransmitted. If you notice
       some packet loss, you may want to increase the size of the buffer.
       The system default size is usually around 100 KBytes, which is
       fairly small for busy firewalls.

       Note: since the NOTRACK protocol is best effort, increasing the
       buffer size is strongly recommended.

       Example: RcvSocketBuffer 1249280


   Checksum <on|off>
       Enable/Disable message checksumming. This is a good property to
       achieve fault-tolerance. In case of doubt, use it.

   UDP
   This section tells conntrackd(8) to use UDP as the transport mechanism
   between nodes of the firewall cluster.

   As in the Multicast configuration, you may specify several fail-over
   dedicated links using the Default keyword.

   Example:
       UDP {
           IPv4_address 172.16.0.1
           IPv4_Destination_Address 172.16.0.2
           Port 3781
           Interface eth3
           SndSocketBuffer 1249280
           RcvSocketBuffer 1249280
           Checksum on
       }


   IPv4_address <address>
       UDP IPv4 address that this firewall uses to listen to events.

       Example: IPv4_address 192.168.2.100


   IPv6_address <address>
       UDP IPv6 address that this firewall uses to listen to events.

       Example: IPv6_address fe80::215:58ff:fe28:5a27


   IPv4_Destination_Address <address>
       Destination IPv4 UDP address that receives events, i.e. the other
       firewall's dedicated link address.

       Example: IPv4_Destination_Address 192.168.2.101


   IPv6_Destination_Address <address>
       Destination IPv6 UDP address that receives events, i.e. the other
       firewall's dedicated link address.

       Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c


   Port <number>
       UDP port used.

       Example: Port 3780


   Interface <name>
       Same as in the Multicast transport protocol configuration.


   SndSocketBuffer <number>
       Same as in the Multicast transport protocol configuration.


   RcvSocketBuffer <number>
       Same as in the Multicast transport protocol configuration.


   Checksum <on|off>
       Same as in the Multicast transport protocol configuration.



   TCP
   You can also use Unicast TCP to propagate events.

   If you combine this transport with the NOTRACK mode, it becomes
   reliable.

   The TCP transport protocol can be configured in exactly the same way
   as the UDP transport protocol.

   As in the Multicast configuration, you may specify several fail-over
   dedicated links using the Default keyword.

   Example:
       TCP {
           IPv6_address fe80::215:58ff:fe28:5a27
           IPv6_Destination_Address fe80::215:58ff:fe28:5a27
           Port 3781
           Interface eth2
           SndSocketBuffer 1249280
           RcvSocketBuffer 1249280
           Checksum on
       }

   OPTIONS
   Other unsorted options that are related to the synchronization
   protocol or transport mechanism.


   TCPWindowTracking <on|off>
       TCP state-entries have window tracking disabled by default; you
       can enable it with this option. This feature requires a Linux
       kernel >= 2.6.36.


   ExpectationSync <on|{ list }>
       Set this option on to enable the synchronization of all
       expectations, or specify the list of helpers whose expectations
       you want to synchronize.

       This feature requires a Linux kernel >= 3.5.

       Example, sync all expectations:
           ExpectationSync on

       Example, sync given expectations:
           ExpectationSync {
               ftp
               ras
               q.931
               h.245
               sip
           }

       By default, this option is disabled.

GENERAL
   This top-level section contains generic configuration directives for
   the conntrackd(8) daemon.


   Systemd <on|off>
       Enable systemd(1) runtime support if conntrackd(8) is compiled
       with the proper configuration. Then you can use a service unit of
       Type=notify.

       Obviously, this requires the init of your system to be systemd(1).

       Note: the systemd(1) watchdog is supported as well.

       Example: Systemd on

       By default, runtime support is enabled if conntrackd was built
       with the systemd feature. Otherwise it is off.


   Nice <value>
       Deprecated. Conntrackd ignores this option and it will be removed
       in the future. Please note that you can run nice(1) and renice(1)
       externally. Also note that conntrackd(8) now uses an RT scheduler
       by default.


   HashSize <value>
       Number of buckets in the cache hashtable. The bigger it is, the
       closer it gets to O(1) at the cost of consuming more memory. Read
       some documents about tuning hashtables for further reference.

       Example: HashSize 32768


   HashLimit <value>
       Maximum number of conntracks. It should be double
       /proc/sys/net/netfilter/nf_conntrack_max, since the daemon may
       keep some dead entries cached for possible retransmission during
       state synchronization.

       Example: HashLimit 131072


   LogFile <on|off|filename>
       Enable conntrackd(8) to log to a file.

       Example: LogFile on

       Default is off. The default logfile is /var/log/conntrackd.log.


   Syslog <on|off|facility>
       Enable connection logging via Syslog. If you set the facility, use
       the same as in the Stats section, otherwise you'll get a warning
       message.

       Example: Syslog local0

       Default is off.


   Lockfile <filename>
       Lockfile to be used by conntrackd(8) (absolute path).

       Example: LockFile /var/lock/conntrack.lock

       Default is /var/lock/conntrack.lock.


   NetlinkBufferSize <value>
       Netlink event socket buffer size. If you do not specify this
       clause, the default buffer size value in
       /proc/sys/net/core/rmem_default is used. This default value is
       usually around 100 KBytes, which is fairly small for busy
       firewalls. This leads to event message dropping and high CPU
       consumption.

       Example: NetlinkBufferSize 2097152


   NetlinkBufferSizeMaxGrowth <value>
       The daemon doubles the netlink event socket buffer size if it
       detects netlink event message dropping. This clause sets the
       maximum buffer size that this growth can reach.

       Example: NetlinkBufferSizeMaxGrowth 8388608


   NetlinkOverrunResync <on|off|value>
       If the daemon detects that Netlink is dropping state-change
       events, it automatically schedules a resynchronization against the
       Kernel after 30 seconds (default value). Resynchronizations are
       expensive in terms of CPU consumption, since the daemon has to get
       the full kernel state-table and purge state-entries that do not
       exist anymore.

       Note: be careful about setting a very small value here.

       Example: NetlinkOverrunResync on

       The default value is 30 seconds. If not specified, the daemon
       assumes that this option is enabled and uses the default value.


   NetlinkEventsReliable <on|off>
       If you want reliable event reporting over Netlink, set this option
       on. If you set this clause on, it is a good idea to set
       NetlinkOverrunResync off.

       You need Linux Kernel >= 2.6.31 for this option to work.

       Example: NetlinkEventsReliable on

       This option is off by default.


   PollSecs <seconds>
       By default, the daemon receives state updates following an
       event-driven model. You can modify this behaviour by switching to
       polling mode with this clause.

       This clause tells conntrackd(8) to dump the states in the kernel
       every N seconds. With regard to the synchronization mode, polling
       mode can only guarantee that long-lifetime states are recovered.
       The main advantage of this method is the reduction in state
       replication, at the cost of reducing the chances of recovering
       connections.

       Example: PollSecs 15


   EventIterationLimit <value>
       The daemon prioritizes the handling of state-change events coming
       from the core. With this clause, you can set the maximum number of
       state-change events (those coming from kernel-space) that the
       daemon will handle, after which it will handle other events coming
       from the network or userspace.

       A low value improves interactivity (in terms of real-time
       behaviour) at the cost of extra CPU consumption.

       Example: EventIterationLimit 100

       Default (if not set) is 100.

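   The sizing and consistency rules stated in this section (HashLimit
   double nf_conntrack_max, NetlinkOverrunResync off when
   NetlinkEventsReliable is on, one Syslog facility shared with the Stats
   section) and the Multicast note above about distinct groups for at most
   4 redundant links, written as checks over a configuration. This is an
   added example, not conntrackd's own code; the configuration values and
   the nf_conntrack_max figure are constructed and would be read from the
   real config file and /proc on a host.

```python
"""Sanity checks for a conntrackd configuration.

Added illustration, not part of conntrackd. It encodes rules this man page
states: HashLimit should be double nf_conntrack_max; at most 4 redundant
Multicast links, each on its own Group; NetlinkOverrunResync should be off
when NetlinkEventsReliable is on; General and Stats should use the same
Syslog facility. Input is a plain dict of the relevant directives.
"""
from collections import Counter

# Constructed stand-in for /proc/sys/net/netfilter/nf_conntrack_max.
NF_CONNTRACK_MAX = 65536

# Constructed sample holding only the directives the checks look at.
SAMPLE = {
    "Sync": {
        "Multicast": [   # one dict per redundant dedicated link
            {"IPv4_address": "225.0.0.51", "Group": 3781, "Interface": "eth3"},
            {"IPv4_address": "225.0.0.52", "Group": 3781, "Interface": "eth4"},
        ],
    },
    "General": {
        "HashLimit": 65535,
        "NetlinkEventsReliable": "on",
        "NetlinkOverrunResync": "on",
        "Syslog": "local0",
    },
    "Stats": {"Syslog": "local1"},
}


def lint(config, nf_conntrack_max):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    general = config.get("General", {})
    stats = config.get("Stats", {})

    # HashLimit should be double nf_conntrack_max: the daemon caches dead
    # entries for possible retransmission on top of the live ones.
    hash_limit = general.get("HashLimit")
    if hash_limit is not None and hash_limit < 2 * nf_conntrack_max:
        findings.append("HashLimit %d is below 2 * nf_conntrack_max (%d)"
                        % (hash_limit, 2 * nf_conntrack_max))

    # Redundant dedicated links: at most 4, each on its own multicast group.
    links = config.get("Sync", {}).get("Multicast", [])
    if len(links) > 4:
        findings.append("%d Multicast links configured, maximum is 4" % len(links))
    for group, count in Counter(link["Group"] for link in links).items():
        if count > 1:
            findings.append("multicast Group %d is shared by %d redundant links"
                            % (group, count))

    # With reliable netlink events the overrun-triggered kernel resync is
    # not needed and is expensive, so the man page suggests switching it off.
    # NetlinkOverrunResync may hold on/off or a number of seconds; default on.
    reliable = str(general.get("NetlinkEventsReliable", "off")).lower() == "on"
    overrun = str(general.get("NetlinkOverrunResync", "on")).lower()
    if reliable and overrun != "off":
        findings.append("NetlinkEventsReliable is on; set NetlinkOverrunResync off")

    # One Syslog facility for both sections, otherwise conntrackd warns at start.
    facilities = {s.get("Syslog") for s in (general, stats)} - {None, "on", "off"}
    if len(facilities) > 1:
        findings.append("General and Stats use different Syslog facilities: %s"
                        % ", ".join(sorted(facilities)))
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE, NF_CONNTRACK_MAX) or ["no findings"]:
        print(line)
```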

   UNIX
   Unix socket configuration. This socket is used by conntrackd(8) to
   listen to external commands like `conntrackd -k' or `conntrackd -n'.

   Example:
       UNIX {
           Path /var/run/conntrackd.ctl
       }


   Path <filename>
       Absolute path to the Unix socket.

       Example: Path /var/run/conntrackd.ctl


   Backlog <value>
       Deprecated option.

   FILTER
   Event filtering. This clause allows you to filter certain traffic.

   There are currently three filter-sets: Protocol, Address and State.
   The filter is attached to an action that can be Accept or Ignore.
   Thus, you can define the event filtering policy of the filter-sets in
   positive or negative logic depending on your needs.

   You can select whether conntrackd(8) filters the event messages from
   user-space or kernel-space. Kernel-space event filtering saves some
   CPU cycles by avoiding the copy of the event message from kernel-space
   to user-space. Kernel-space event filtering is preferred; however, you
   require a Linux kernel >= 2.6.29 to filter from kernel-space.

   The syntax for this section is: Filter From <from> { }.

   If you want to select kernel-space event filtering, use the keyword
   Kernelspace instead of Userspace.

   Example:
       Filter From Userspace {
           Protocol Accept {
               TCP
               SCTP
               DCCP
           }
           Address Ignore {
               IPv4_address 127.0.0.1
               IPv6_address ::1
           }
           State Accept {
               ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
           }
       }


   Protocol <policy> { <protocols list> }
       Accept only certain protocols: you may want to replicate the state
       of flows depending on their layer 4 protocol.

       Policy is one of Accept or Ignore.

       Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

       The ICMP and IPv6-ICMP protocols require a Linux kernel >= 2.6.31.

       Example:
           Protocol Accept {
               TCP
               SCTP
               DCCP
           }


   Address <policy> { <addresses list> }
       Ignore traffic for a certain set of IPs: usually all the IPs
       assigned to the firewall, since local traffic must be ignored;
       only forwarded connections are worth replicating.

       Note that these values depend on the local IPs that are assigned
       to the firewall.

       You may specify several IPv4_address and/or IPv6_address
       directives. You can also specify networks in CIDR format.

       Policy is one of Accept or Ignore.

       Example:
           Address Ignore {
               IPv4_address 127.0.0.1          # loopback
               IPv4_address 192.168.0.100      # virtual IP 1
               IPv4_address 192.168.1.100      # virtual IP 2
               IPv4_address 192.168.100.100    # dedicated link ip
               IPv4_address 192.168.0.0/24
               IPv6_address ::1
           }


   State <policy> { <states list> for TCP }
       Filter by flow state. This option introduces a trade-off in the
       replication: it reduces CPU consumption at the cost of having lazy
       backup firewall replicas.

       Note: only affects TCP flows.

       The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
       FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

       Policy is one of Accept or Ignore.

       Example:
           State Accept {
               ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
           }

711
712
713 SCHEDULER
714 Select a different scheduler for the daemon, you can select between RR
715 and FIFO and the process priority.
716
717 Using a RT scheduler reduces the chances to overrun the Netlink buffer
718 and conntrackd(8) uses by default RR unless FIFO is selected. See
719 sched_setscheduler(2) for more information.
720
721 Example:
722 Scheduler {
723 Type FIFO
724 Priority 99
725 }
726
727
728 Type <type>
729 Supported values are RR or FIFO.
730
731 Default: RR
732
733
734 Priority <value>
735 Value of the scheduler priority. Minimum is 0, maximum is 99.
736
737 Default: 99 (as returned by sched_get_priority_max(2) for
738 SCHED_RR)
739

STATS
   This top-level section tells conntrackd(8) to work as a statistics
   collector for the nf_conntrack Linux kernel subsystem.


   LogFile <on|off|filename>
       If you enable this option, the daemon writes the information about
       destroyed connections to a logfile.

       Default is off. Default filename is /var/log/conntrackd-stats.log.


   NetlinkEventsReliable <on|off>
       If you want reliable event reporting over Netlink, set this option
       on. If you set this clause on, it is a good idea to set
       NetlinkOverrunResync off. This requires Linux kernel >= 2.6.31.

       Default is off.


   Syslog <on|off|facility>
       Enable connection logging via Syslog. If you set the facility, use
       the same as in the General section, otherwise you'll get a warning
       message.

       Example: Syslog local0

       Default is off.

HELPER
   Note: this configuration is very advanced and has nothing to do with
   synchronization or stats collection.

   This top-level section tells conntrackd(8) to inject user-space
   helpers into the nf_conntrack Linux kernel subsystem. It will result
   in the nf_conntrack engine sending connections to userspace for
   further processing.

   Before this, you have to make sure you have registered the given
   user-space helper stub.

   Example:
       % nfct add helper ftp inet tcp

   Each user-space helper should be declared using a Type section, named
   as follows:
       Type <name> <af> <transport>

   Examples:

       Helper {
           Type ftp inet tcp {
               QueueNum 0
               QueueLen 10240
               Policy ftp {
                   ExpectMax 1
                   ExpectTimeout 300
               }
           }
           Type rpc inet tcp {
               QueueNum 1
               QueueLen 10240
               Policy rpc {
                   ExpectMax 1
                   ExpectTimeout 300
               }
           }
           Type rpc inet udp {
               QueueNum 2
               QueueLen 10240
               Policy rpc {
                   ExpectMax 1
                   ExpectTimeout 300
               }
           }
           Type tns inet tcp {
               QueueNum 3
               QueueLen 10240
               Policy tns {
                   ExpectMax 1
                   ExpectTimeout 300
               }
           }
           Type dhcpv6 inet6 udp {
               QueueNum 4
               QueueLen 10240
               Policy dhcpv6 {
                   ExpectMax 1
                   ExpectTimeout 300
               }
           }
           Type ssdp inet udp {
               QueueNum 5
               QueueLen 10240
               Policy ssdp {
                   ExpectMax 1
                   ExpectTimeout 300
               }
           }
       }

   Parameters inside the Type section:


   QueueNum <number>
       Set the NFQUEUE number you want to use to receive traffic from the
       kernel.

       Example: QueueNum 0


   QueueLen <number>
       Maximum number of packets waiting in the queue to receive a
       verdict from user-space.

       Raise this value if you hit the following error message:
       "nf_queue: full at X entries, dropping packet(s)"

       Default is 1024.

       Example: QueueLen 10240


   Policy <name> { }
       Set the expectation policy for the given helper.

       This sub-section contains 2 directives: ExpectMax <number>
       (maximum number of simultaneous expectations) and ExpectTimeout
       <seconds> (maximum living time for one expectation).

EXAMPLES
   Find below some real-life working examples.


   STATS EXAMPLE
   This configuration example tells conntrackd(8) to work as a stats
   collector.

       Stats {
           LogFile on
           NetlinkEventsReliable Off
           Syslog off
       }
       General {
           Systemd on
           HashSize 8192
           HashLimit 65535
           Syslog on
           LockFile /var/lock/conntrack.lock
           UNIX {
               Path /var/run/conntrackd.ctl
           }
           NetlinkBufferSize 262142
           NetlinkBufferSizeMaxGrowth 655355
           Filter {
               Protocol Accept {
                   TCP
                   UDP
               }
               Address Ignore {
                   IPv4_address 127.0.0.1
                   IPv6_address ::1
               }
           }
       }


   SYNC EXAMPLE 1
   This example configures synchronization in FTFW mode with Multicast
   transport.

   It includes common general configuration as well.

   Note: this is one of the recommended setups for conntrackd(8) in a
   firewall cluster environment.

       Sync {
           Mode FTFW {
               ResendQueueSize 131072
               PurgeTimeout 60
               ACKWindowSize 300
               DisableExternalCache Off
           }
           Multicast {
               IPv4_address 225.0.0.50
               Group 3780
               IPv4_interface 192.168.100.100
               Interface eth2
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }
           Multicast Default {
               IPv4_address 225.0.0.51
               Group 3781
               IPv4_interface 192.168.100.101
               Interface eth3
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }
           Options {
               TCPWindowTracking Off
               ExpectationSync On
           }
       }
       General {
           Systemd on
           HashSize 32768
           HashLimit 131072
           LogFile on
           Syslog off
           LockFile /var/lock/conntrack.lock
           UNIX {
               Path /var/run/conntrackd.ctl
           }
           NetlinkBufferSize 2097152
           NetlinkBufferSizeMaxGrowth 8388608
           NetlinkOverrunResync On
           NetlinkEventsReliable Off
           EventIterationLimit 100
           Filter From Userspace {
               Protocol Accept {
                   TCP
                   SCTP
                   DCCP
               }
               Address Ignore {
                   IPv4_address 127.0.0.1
                   IPv4_address 192.168.100.0/24
                   IPv6_address ::1
               }
           }
       }


   SYNC EXAMPLE 2
   This example configures synchronization in NOTRACK mode with TCP
   transport.

   It includes common general configuration as well.

       Sync {
           Mode NOTRACK {
               DisableInternalCache on
               DisableExternalCache on
           }
           TCP {
               IPv4_address 192.168.2.100
               IPv4_Destination_Address 192.168.2.101
               Port 3780
               Interface eth2
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }
           Options {
               TCPWindowTracking Off
               ExpectationSync On
           }
       }
       General {
           Systemd on
           HashSize 32768
           HashLimit 131072
           LogFile on
           Syslog off
           LockFile /var/lock/conntrack.lock
           UNIX {
               Path /var/run/conntrackd.ctl
           }
           NetlinkBufferSize 2097152
           NetlinkBufferSizeMaxGrowth 8388608
           NetlinkOverrunResync On
           NetlinkEventsReliable Off
           EventIterationLimit 100
           Filter From Userspace {
               Protocol Accept {
                   TCP
                   SCTP
                   DCCP
               }
               Address Ignore {
                   IPv4_address 127.0.0.1
                   IPv4_address 192.168.0.0/16
                   IPv6_address ::1
               }
               State Accept {
                   ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
               }
           }
       }



SEE ALSO
   conntrackd(8), conntrack(8), nfct(8),
   http://conntrack-tools.netfilter.org/manual.html


AUTHORS
   Pablo Neira Ayuso wrote and maintains the conntrackd tool.

   This manual page was written by Arturo Borrero Gonzalez
   <arturo@debian.org> based on the conntrackd tarball config examples.

   Please send bug reports to <netfilter-devel@lists.netfilter.org>.
   Subscription is required.

   This documentation is free/libre under the terms of the GPLv2+.



                                Jan 27, 2019                 CONNTRACKD.CONF(5)