CONNTRACKD.CONF(5)           File Formats Manual           CONNTRACKD.CONF(5)

NAME
       conntrackd.conf - configuration file for conntrackd daemon

DESCRIPTION
       conntrackd.conf is the main configuration file for the conntrackd(8)
       daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

       The format of this file is simple, using brackets for sections and
       key-value pairs for concrete configuration directives:

           section1 {
               option1 value1
               option2 value2
           }
           section2 {
               option3 value3
               subsection1 {
                   option4 value4
               }
           }

       You should consider this file as case-sensitive. Empty lines and lines
       starting with the '#' character are ignored.

       Before starting to develop a new configuration, you may want to learn
       the concepts behind this technology at
       http://conntrack-tools.netfilter.org/manual.html.

       There are complete configuration examples at the end of this man page.

SYNC
       This top-level section defines how conntrackd(8) should handle
       synchronization with other cluster nodes.

       There are 3 main synchronization modes or protocols: NOTRACK, ALARM
       and FTFW.

       There are 3 transport protocols as well: TCP, Multicast and UDP.

       You have to choose one synchronization mode and one transport
       protocol.

       Also, there are some general options in this section.

   Mode FTFW
       This mode is based on a reliable protocol that performs message
       tracking. Thus, the protocol can recover from message loss,
       re-ordering and corruption.

       In this synchronization mode you may configure ResendQueueSize,
       CommitTimeout, PurgeTimeout, ACKWindowSize, DisableExternalCache and
       StartupResync.

       ResendQueueSize <value>
              Size of the resend queue (in objects). This is the maximum
              number of objects that can be stored waiting to be confirmed
              via acknowledgment. If you keep this value low, the daemon
              will have less chance to recover state-changes under message
              omission. On the other hand, if you keep this value high, the
              daemon will consume more memory to store dead objects.

              Example: ResendQueueSize 131072

              Default is 131072 objects.

       CommitTimeout <seconds>
              This parameter allows you to set an initial fixed timeout for
              the committed entries when this node goes from backup to
              primary. This mechanism provides a way to purge entries that
              were not recovered appropriately after the specified fixed
              timeout. If you set a low value, TCP entries in Established
              states with no traffic may hang, for example an SSH connection
              without KeepAlive enabled.

              Example: CommitTimeout 180

              By default, this option is not set (the daemon uses an
              approximate timeout value calculation mechanism).

       PurgeTimeout <seconds>
              If the firewall replica goes from primary to backup, the
              `conntrackd -t' command is invoked in the script. This command
              schedules a flush of the table in N seconds.

              This is useful to purge the connection tracking table of
              zombie entries and avoid clashes with old entries if you
              trigger several consecutive hand-overs.

              Default is 60 seconds.

       ACKWindowSize <value>
              Set the acknowledgement window size. If you decrease this
              value, the number of acknowledgments increases. More
              acknowledgments means more overhead as conntrackd(8) has to
              handle more control messages. On the other hand, if you
              increase this value, the resend queue gets more populated.
              This results in more overhead in the queue releasing.

              Example: ACKWindowSize 300

              If not set, the default window size is 300 (the value is based
              on some practical experiments measuring the cycles spent by
              the acknowledgment handling with oprofile).

       DisableExternalCache <yes|no>
              This clause allows you to disable the external cache. Thus,
              the state entries are directly injected into the kernel
              conntrack table. As a result, you save memory in user-space
              but you consume slots in the kernel conntrack table for backup
              state entries. Moreover, disabling the external cache means
              more CPU consumption. You need a Linux kernel >= 2.6.29 to use
              this feature.

              If you are installing conntrackd(8) for the first time, please
              read the user manual and I encourage you to consider using the
              fail-over scripts instead of enabling this option!

              By default this is set to no, meaning the external cache is
              enabled.

       StartupResync <yes|no>
              Order conntrackd to request a complete conntrack table resync
              against the other node at startup. A single request will be
              made.

              This is useful to get in sync with another node which has been
              running while we were down.

              Example: StartupResync yes

              By default, this clause is set to no.

   Mode ALARM
       This mode is spamming. It is based on an alarm-based protocol that
       periodically re-sends the flow state to the backup firewall replicas.
       This protocol consumes a lot of bandwidth but it resolves
       synchronization problems fast.

       In this synchronization mode you may configure RefreshTime,
       CacheTimeout, CommitTimeout and PurgeTimeout.

       RefreshTime <seconds>
              If a conntrack entry is not modified in <= N seconds, then a
              message is broadcast. For example, this mechanism may be used
              to resynchronize nodes that just joined the multicast group.

              Example: RefreshTime 15

       CacheTimeout <seconds>
              If we don't receive a notification about the state of an entry
              in the external cache after N seconds, then remove it.

              Example: CacheTimeout 180

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

   Mode NOTRACK
       This is the simplest mode, as it is based on a best-effort
       replication protocol, i.e. an unreliable protocol. This protocol
       sends and receives the state information without performing any
       specific checking.

       In this synchronization mode you may configure DisableInternalCache,
       DisableExternalCache, CommitTimeout, PurgeTimeout and StartupResync.

       DisableInternalCache <yes|no>
              This clause allows you to disable the internal cache. Thus,
              the synchronization messages are directly sent through the
              dedicated link.

              This option is set to no by default.

       DisableExternalCache <yes|no>
              Same as in FTFW mode.

       CommitTimeout <seconds>
              Same as in FTFW mode.

       PurgeTimeout <seconds>
              Same as in FTFW mode.

       StartupResync <yes|no>
              Same as in FTFW mode.

   MULTICAST
       This section indicates to conntrackd(8) to use multicast as the
       transport mechanism between nodes of the firewall cluster.

       Please note you can specify more than one dedicated link. Thus, if
       one dedicated link fails, the daemon can fail-over to another. Note
       that adding more than one dedicated link does not mean that
       state-updates will be sent to all of them. There is only one active
       dedicated link at a given moment.

       The Default keyword indicates that this interface will be selected as
       the initial dedicated link. You can have up to 4 redundant dedicated
       links.

       Note: use different multicast groups for every redundant link.

       Example:
           Multicast Default {
               IPv4_address 225.0.0.51
               Group 3781
               IPv4_interface 192.168.100.101
               Interface eth3
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }
           Multicast {
               IPv4_address 225.0.0.51
               Group 3782
               IPv4_interface 192.168.100.102
               Interface eth4
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }

       IPv4_address <address>
              Multicast address: the address that you use as destination in
              the synchronization messages. You do not have to add this IP
              to any of your existing interfaces.

              Example: IPv4_address 255.0.0.50

       Group <number>
              The multicast group that identifies the cluster.

              Example: Group 3780

              If in any doubt, do not modify this value.

       IPv4_interface <address>
              IP address of the interface that you are going to use to send
              the synchronization messages. Remember that you must use a
              dedicated link for the synchronization messages.

              Example: IPv4_interface 192.168.100.100

       Interface <name>
              The name of the interface that you are going to use to send
              the synchronization messages.

              Example: Interface eth2

       SndSocketBuffer <number>
              This transport protocol sender uses a buffer to enqueue the
              packets that are going to be transmitted. The default size of
              this socket buffer is available at
              /proc/sys/net/core/wmem_default.

              This value determines the chances to have an overrun in the
              sender queue. The overrun results in packet loss, thus losing
              state information that would have to be retransmitted. If you
              notice some packet loss, you may want to increase the size of
              the buffer. The system default size is usually around 100
              KBytes, which is fairly small for busy firewalls.

              Note: the NOTRACK protocol is best effort, so it is really
              recommended to increase the buffer size.

              Example: SndSocketBuffer 1249280

       RcvSocketBuffer <number>
              This transport protocol receiver uses a buffer to enqueue the
              packets that the socket is pending to handle. The default size
              of this socket buffer is available at
              /proc/sys/net/core/rmem_default.

              This value determines the chances to have an overrun in the
              receiver queue. The overrun results in packet loss, thus
              losing state information that would have to be retransmitted.
              If you notice some packet loss, you may want to increase the
              size of the buffer. The system default size is usually around
              100 KBytes, which is fairly small for busy firewalls.

              Note: the NOTRACK protocol is best effort, so it is really
              recommended to increase the buffer size.

              Example: RcvSocketBuffer 1249280

       Checksum <yes|no>
              Enable/Disable message checksumming. This is a good property
              to achieve fault-tolerance. In case of doubt, use it.

   UDP
       This section indicates to conntrackd(8) to use UDP as the transport
       mechanism between nodes of the firewall cluster.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
           UDP {
               IPv4_address 172.16.0.1
               IPv4_Destination_Address 172.16.0.2
               Port 3781
               Interface eth3
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum on
           }

       IPv4_address <address>
              UDP IPv4 address that this firewall uses to listen to events.

              Example: IPv4_address 192.168.2.100

       IPv6_address <address>
              UDP IPv6 address that this firewall uses to listen to events.

              Example: IPv6_address fe80::215:58ff:fe28:5a27

       IPv4_Destination_Address <address>
              Destination IPv4 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv4_Destination_Address 192.168.2.101

       IPv6_Destination_Address <address>
              Destination IPv6 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

       Port <number>
              UDP port used.

              Example: Port 3780

       Interface <name>
              Same as in the Multicast transport protocol configuration.

       SndSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       RcvSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.

       Checksum <yes|no>
              Same as in the Multicast transport protocol configuration.

   TCP
       You can also use unicast TCP to propagate events.

       If you combine this transport with the NOTRACK mode, it becomes
       reliable.

       The TCP transport protocol can be configured in exactly the same way
       as the UDP transport protocol.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
           TCP {
               IPv6_address fe80::215:58ff:fe28:5a27
               IPv6_Destination_Address fe80::215:58ff:fe28:5a27
               Port 3781
               Interface eth2
               SndSocketBuffer 1249280
               RcvSocketBuffer 1249280
               Checksum yes
           }

   OPTIONS
       Other unsorted options that are related to the synchronization
       protocol or transport mechanism.

       TCPWindowTracking <yes|no>
              TCP state-entries have window tracking disabled by default;
              you can enable it with this option. As said, the default is
              off. This feature requires a Linux kernel >= 2.6.36.

       ExpectationSync <on|{ list }>
              Set this option on if you want to enable the synchronization
              of expectations. You have to specify the list of helpers that
              you want to enable.

              This feature requires a Linux kernel >= 3.5.

              Example, sync all expectations:
                  ExpectationSync on

              Example, sync given expectations:
                  ExpectationSync {
                      ftp
                      ras
                      q.931
                      h.245
                      sip
                  }

              By default, this option is disabled.

GENERAL
       This top-level section contains generic configuration directives for
       the conntrackd(8) daemon.

       Systemd <yes|no>
              Enable systemd(1) runtime support if conntrackd(8) is compiled
              with the proper configuration. Then you can use a service unit
              of Type=notify.

              Obviously, this requires the init of your system to be
              systemd(1).

              Note: the systemd(1) watchdog is supported as well.

              Example: Systemd yes

              By default runtime support is enabled if conntrackd was built
              with the systemd feature. Otherwise it is off.

       Nice <value>
              Deprecated. Conntrackd ignores this option and it will be
              removed in the future. Please note that you can run nice(1)
              and renice(1) externally. Also note that conntrackd(8) now
              uses a RT scheduler by default.

       HashSize <value>
              Number of buckets in the cache hashtable. The bigger it is,
              the closer it gets to O(1) at the cost of consuming more
              memory. Read some documents about tuning hashtables for
              further reference.

              Example: HashSize 32768

       HashLimit <value>
              Maximum number of conntracks. It should be double
              /proc/sys/net/netfilter/nf_conntrack_max, since the daemon may
              keep some dead entries cached for possible retransmission
              during state synchronization.

              Example: HashLimit 131072

       LogFile <yes|no|filename>
              Enable conntrackd(8) to log to a file.

              Example: LogFile no

              Default is no. Default logfile is /var/log/conntrackd.log.

       Syslog <yes|no|facility>
              Enable connection logging via Syslog. If you set the
              facility, use the same as in the Stats section, otherwise
              you'll get a warning message.

              Example: Syslog local0

              Default is off.

       LockFile <filename>
              Lockfile to be used by conntrackd(8) (absolute path).

              Example: LockFile /var/lock/conntrack.lock

              Default is /var/lock/conntrack.lock.

       NetlinkBufferSize <value>
              Netlink event socket buffer size. If you do not specify this
              clause, the default buffer size value in
              /proc/sys/net/core/rmem_default is used. This default value is
              usually around 100 Kbytes, which is fairly small for busy
              firewalls. This leads to event message dropping and high CPU
              consumption.

              Example: NetlinkBufferSize 2097152

       NetlinkBufferSizeMaxGrowth <value>
              The daemon doubles the size of the netlink event socket
              buffer if it detects netlink event message dropping. This
              clause sets the maximum buffer size growth that can be
              reached.

              Example: NetlinkBufferSizeMaxGrowth 8388608

       NetlinkOverrunResync <yes|no|value>
              If the daemon detects that Netlink is dropping state-change
              events, it automatically schedules a resynchronization against
              the kernel after 30 seconds (default value).
              Resynchronizations are expensive in terms of CPU consumption,
              since the daemon has to get the full kernel state-table and
              purge state-entries that do not exist anymore.

              Note: be careful of setting a very small value here.

              Example: NetlinkOverrunResync yes

              The default value is 30 seconds. If not specified, the daemon
              assumes that this option is enabled and uses the default
              value.

       NetlinkEventsReliable <yes|no>
              If you want reliable event reporting over Netlink, enable
              this option. If you enable this clause, it is a good idea to
              disable NetlinkOverrunResync.

              You need Linux kernel >= 2.6.31 for this option to work.

              Example: NetlinkEventsReliable yes

              This option is off by default.

       PollSecs <seconds>
              By default, the daemon receives state updates following an
              event-driven model. You can modify this behaviour by switching
              to polling mode with this clause.

              This clause tells conntrackd(8) to dump the states in the
              kernel every N seconds. With regards to synchronization mode,
              the polling mode can only guarantee that long-lifetime states
              are recovered. The main advantage of this method is the
              reduction in the state replication at the cost of reducing
              the chances of recovering connections.

              Example: PollSecs 15

       EventIterationLimit <value>
              The daemon prioritizes the handling of state-change events
              coming from the core. With this clause, you can set the
              maximum number of state-change events (those coming from
              kernel-space) that the daemon will handle, after which it will
              handle other events coming from the network or userspace.

              A low value improves interactivity (in terms of real-time
              behaviour) at the cost of extra CPU consumption.

              Example: EventIterationLimit 100

              Default (if not set) is 100.

   UNIX
       Unix socket configuration. This socket is used by conntrackd(8) to
       listen to external commands like `conntrackd -k' or `conntrackd -n'.

       Example:
           UNIX {
               Path /var/run/conntrackd.ctl
           }

       Path <filename>
              Absolute path to the Unix socket.

              Example: Path /var/run/conntrackd.ctl

       Backlog <value>
              Deprecated option.

   FILTER
       Event filtering. This clause allows you to filter certain traffic.

       There are currently three filter-sets: Protocol, Address and State.
       The filter is attached to an action that can be: Accept or Ignore.
       Thus, you can define the event filtering policy of the filter-sets in
       positive or negative logic depending on your needs.

       You can select if conntrackd(8) filters the event messages from
       user-space or kernel-space. The kernel-space event filtering saves
       some CPU cycles by avoiding the copy of the event message from
       kernel-space to user-space. The kernel-space event filtering is
       preferred; however, you require a Linux kernel >= 2.6.29 to filter
       from kernel-space.

       The syntax for this section is: Filter From <from> { }.

       If you want to select kernel-space event filtering, use the keyword
       Kernelspace instead of Userspace.

       Example:
           Filter From Userspace {
               Protocol Accept {
                   TCP
                   SCTP
                   DCCP
               }
               Address Ignore {
                   IPv4_address 127.0.0.1
                   IPv6_address ::1
               }
               State Accept {
                   ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
               }
           }

       Protocol <policy> { <protocols list> }
              Accept only certain protocols: you may want to replicate the
              state of flows depending on their layer 4 protocol.

              Policy is one of Accept or Ignore.

              Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

              The ICMP and IPv6-ICMP protocols require a Linux kernel >=
              2.6.31.

              Example:
                  Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                  }

       Address <policy> { <addresses list> }
              Ignore traffic for a certain set of IPs: usually all the IPs
              assigned to the firewall, since local traffic must be ignored
              and only forwarded connections are worth replicating.

              Note that these values depend on the local IPs that are
              assigned to the firewall.

              You may specify several IPv4_address and/or IPv6_address
              directives. You can also specify networks in CIDR format.

              Policy is one of Accept or Ignore.

              Example:
                  Address Ignore {
                      IPv4_address 127.0.0.1 # loopback
                      IPv4_address 192.168.0.100 # virtual IP 1
                      IPv4_address 192.168.1.100 # virtual IP 2
                      IPv4_address 192.168.100.100 # dedicated link ip
                      IPv4_address 192.168.0.0/24
                      IPv6_address ::1
                  }

       State <policy> { <states list> for TCP }
              Filter by flow state. This option introduces a trade-off in
              the replication: it reduces CPU consumption at the cost of
              having lazy backup firewall replicas.

              Note: this only affects TCP flows.

              The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

              Policy is one of Accept or Ignore.

              Example:
                  State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                  }

   SCHEDULER
       Select a different scheduler for the daemon; you can select between
       RR and FIFO, and the process priority.

       Using a RT scheduler reduces the chances to overrun the Netlink
       buffer, and conntrackd(8) uses RR by default unless FIFO is selected.
       See sched_setscheduler(2) for more information.

       Example:
           Scheduler {
               Type FIFO
               Priority 99
           }

       Type <type>
              Supported values are RR or FIFO.

              Default: RR

       Priority <value>
              Value of the scheduler priority. Minimum is 0, maximum is 99.

              Default: 99 (as returned by sched_get_priority_max(2) for
              SCHED_RR)

STATS
       This top-level section indicates conntrackd(8) to work as a
       statistics collector for the nf_conntrack Linux kernel subsystem.

       LogFile <yes|no|filename>
              If you enable this option, the daemon writes the information
              about destroyed connections to a logfile.

              Default is no. Default filename is
              /var/log/conntrackd-stats.log.

       NetlinkEventsReliable <yes|no>
              If you want reliable event reporting over Netlink, enable
              this option. If you enable this clause, it is a good idea to
              disable NetlinkOverrunResync. This requires Linux kernel >=
              2.6.31.

              Default is no.

       Syslog <yes|no|facility>
              Enable connection logging via Syslog. If you set the
              facility, use the same as in the General section, otherwise
              you'll get a warning message.

              Example: Syslog local0

              Default is no.

HELPER
       Note: this configuration is very advanced and has nothing to do with
       synchronization or stats collection.

       This top-level section indicates conntrackd(8) to inject user-space
       helpers into the nf_conntrack Linux kernel subsystem. It will result
       in the nf_conntrack engine sending connections to userspace for
       further processing.

       Before this, you have to make sure you have registered the given
       user-space helper stub.

       Example:
           % nfct add helper ftp inet tcp

       Each user-space helper should be registered using a Type section,
       which are named this way:
           Type <name> <af> <transport>

       Examples:

           Helper {
               Type ftp inet tcp {
                   QueueNum 0
                   QueueLen 10240
                   Policy ftp {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type rpc inet tcp {
                   QueueNum 1
                   QueueLen 10240
                   Policy rpc {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type rpc inet udp {
                   QueueNum 2
                   QueueLen 10240
                   Policy rpc {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type tns inet tcp {
                   QueueNum 3
                   QueueLen 10240
                   Policy tns {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type dhcpv6 inet6 udp {
                   QueueNum 4
                   QueueLen 10240
                   Policy dhcpv6 {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
               Type ssdp inet udp {
                   QueueNum 5
                   QueueLen 10240
                   Policy ssdp {
                       ExpectMax 1
                       ExpectTimeout 300
                   }
               }
           }

       Parameters inside the Type section:

       QueueNum <number>
              Set the NFQUEUE number you want to use to receive traffic from
              the kernel.

              Example: QueueNum 0

       QueueLen <number>
              Maximum number of packets waiting in the queue to receive a
              verdict from user-space.

              Raise the value if you hit the following error message:
              "nf_queue: full at X entries, dropping packet(s)"

              Default is 1024.

              Example: QueueLen 10240

       Policy <name> { }
              Set the expectation policy for the given helper.

              This sub-section contains 2 directives: ExpectMax <number>
              (maximum number of simultaneous expectations) and
              ExpectTimeout <seconds> (maximum living time for one
              expectation).

EXAMPLES
       Find below some real-life working examples.

   STATS EXAMPLE
       This configuration example tells conntrackd(8) to work as a stats
       collector.

           Stats {
               LogFile yes
               NetlinkEventsReliable no
               Syslog yes
           }
           General {
               Systemd yes
               HashSize 8192
               HashLimit 65535
               Syslog yes
               LockFile /var/lock/conntrack.lock
               UNIX {
                   Path /var/run/conntrackd.ctl
               }
               NetlinkBufferSize 262142
               NetlinkBufferSizeMaxGrowth 655355
               Filter {
                   Protocol Accept {
                       TCP
                       UDP
                   }
                   Address Ignore {
                       IPv4_address 127.0.0.1
                       IPv6_address ::1
                   }
               }
           }

   SYNC EXAMPLE 1
       This example configures synchronization in FTFW mode with Multicast
       transport.

       It includes common general configuration as well.

       Note: this is one of the recommended setups for conntrackd(8) in a
       firewall cluster environment.

           Sync {
               Mode FTFW {
                   ResendQueueSize 131072
                   PurgeTimeout 60
                   ACKWindowSize 300
                   DisableExternalCache no
               }
               Multicast {
                   IPv4_address 225.0.0.50
                   Group 3780
                   IPv4_interface 192.168.100.100
                   Interface eth2
                   SndSocketBuffer 1249280
                   RcvSocketBuffer 1249280
                   Checksum yes
               }
               Multicast Default {
                   IPv4_address 225.0.0.51
                   Group 3781
                   IPv4_interface 192.168.100.101
                   Interface eth3
                   SndSocketBuffer 1249280
                   RcvSocketBuffer 1249280
                   Checksum yes
               }
               Options {
                   TCPWindowTracking no
                   ExpectationSync yes
               }
           }
           General {
               Systemd yes
               HashSize 32768
               HashLimit 131072
               LogFile yes
               Syslog no
               LockFile /var/lock/conntrack.lock
               UNIX {
                   Path /var/run/conntrackd.ctl
               }
               NetlinkBufferSize 2097152
               NetlinkBufferSizeMaxGrowth 8388608
               NetlinkOverrunResync yes
               NetlinkEventsReliable no
               EventIterationLimit 100
               Filter From Userspace {
                   Protocol Accept {
                       TCP
                       SCTP
                       DCCP
                   }
                   Address Ignore {
                       IPv4_address 127.0.0.1
                       IPv4_address 192.168.100.0/24
                       IPv6_address ::1
                   }
               }
           }

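       The file format described in DESCRIPTION and the Sync rules stated
       earlier on this page (one mode, one transport, up to 4 redundant links
       with a single Default and distinct multicast Groups), as a small parser
       and lint written here as an added Python example: it is not
       conntrack-tools' own code, and SAMPLE is a constructed configuration
       trimmed from SYNC EXAMPLE 1 above.

```python
"""Parse conntrackd.conf-style text and lint the Sync rules this man page
states.  Added example; it is not conntrack-tools' own parser."""
import re

MODES = {"NOTRACK", "ALARM", "FTFW"}
TRANSPORTS = {"Multicast", "UDP", "TCP"}
MAX_LINKS = 4  # "You can have up to 4 redundant dedicated links."

# A section opener is one or more words followed by "{": "Sync {",
# "Multicast Default {", "Filter From Userspace {", "Type ftp inet tcp {".
_OPEN = re.compile(r"^([^{}]+?)\s*\{$")

def parse(text):
    """Return nested sections: each is {'kv': directive -> [values...],
    'subs': [(name_tokens, section), ...]}.  Repeated directives (several
    IPv4_address lines) are kept in order; keys are case-sensitive; '#'
    starts a comment and blank lines are skipped, as the page describes."""
    root = {"kv": {}, "subs": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            sec = {"kv": {}, "subs": []}
            stack[-1]["subs"].append((m.group(1).split(), sec))
            stack.append(sec)
            continue
        key, _, value = line.partition(" ")
        stack[-1]["kv"].setdefault(key, []).append(value.strip())
    if len(stack) != 1:
        raise ValueError("unterminated section at end of file")
    return root

def lint_sync(root):
    """Apply the page's Sync rules: exactly one Mode (NOTRACK, ALARM or
    FTFW), exactly one transport kind, at most MAX_LINKS redundant links,
    one Default link when there are several, and a distinct Group per
    redundant Multicast link.  Returns a list of problem strings."""
    problems = []
    syncs = [s for name, s in root["subs"] if name == ["Sync"]]
    if len(syncs) != 1:
        return [f"expected exactly one Sync section, found {len(syncs)}"]
    sync = syncs[0]
    modes = [n for n, _ in sync["subs"] if n[0] == "Mode"]
    if len(modes) != 1 or len(modes[0]) != 2 or modes[0][1] not in MODES:
        problems.append(f"need exactly one Mode from {sorted(MODES)}: {modes}")
    links = [(n, s) for n, s in sync["subs"] if n[0] in TRANSPORTS]
    kinds = {n[0] for n, _ in links}
    if len(kinds) != 1:
        problems.append(f"need exactly one transport kind, got {sorted(kinds)}")
    if len(links) > MAX_LINKS:
        problems.append(f"{len(links)} dedicated links, maximum is {MAX_LINKS}")
    defaults = sum(1 for n, _ in links if "Default" in n[1:])
    if len(links) > 1 and defaults != 1:
        problems.append(f"{defaults} links marked Default, expected exactly 1")
    groups = [s["kv"].get("Group", [None])[0]
              for n, s in links if n[0] == "Multicast"]
    dupes = sorted({g for g in groups if groups.count(g) > 1}, key=str)
    if dupes:
        problems.append(f"redundant Multicast links share Group {dupes}")
    return problems

# Constructed sample, trimmed from the page's "SYNC EXAMPLE 1".
SAMPLE = """\
Sync {
    Mode FTFW {
        ResendQueueSize 131072
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
    }
    Multicast Default {
        IPv4_address 225.0.0.51
        Group 3781   # must differ from the other link's Group
    }
}
"""

if __name__ == "__main__":
    print(lint_sync(parse(SAMPLE)))  # prints []
    print(lint_sync(parse(SAMPLE.replace("Group 3781", "Group 3780"))))
```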
980
981 SYNC EXAMPLE 2
982 This example configures synchronization in NOTRACK mode with TCP trans‐
983 port.
984
985 It includes common general configuration as well.
986
987 Sync {
988 Mode NOTRACK {
989 DisableInternalCache yes
990 DisableExternalCache yes
991 }
992 TCP {
993 IPv4_address 192.168.2.100
994 IPv4_Destination_Address 192.168.2.101
995 Port 3780
996 Interface eth2
997 SndSocketBuffer 1249280
998 RcvSocketBuffer 1249280
999 Checksum yes
1000 }
1001 Options {
1002 TCPWindowTracking no
1003 ExpectationSync yes
1004 }
1005 }
1006 General {
1007 Systemd yes
1008 HashSize 32768
1009 HashLimit 131072
1010 LogFile yes
1011 Syslog no
1012 LockFile /var/lock/conntrack.lock
1013 UNIX {
1014 Path /var/run/conntrackd.ctl
1015 }
1016 NetlinkBufferSize 2097152
1017 NetlinkBufferSizeMaxGrowth 8388608
1018 NetlinkOverrunResync yes
1019 NetlinkEventsReliable no
1020 EventIterationLimit 100
1021 Filter From Userspace {
1022 Protocol Accept {
1023 TCP
1024 SCTP
1025 DCCP
1026 }
1027 Address Ignore {
1028 IPv4_address 127.0.0.1
1029 IPv4_address 192.168.0.0/16
1030 IPv6_address ::1
1031 }
1032 State Accept {
1033 ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
1034 }
1035 }
1036 }
1037
1038
SEE ALSO
       conntrackd(8), conntrack(8), nfct(8),
       http://conntrack-tools.netfilter.org/manual.html

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       This manual page was written by Arturo Borrero Gonzalez
       <arturo@debian.org> based on the conntrackd tarball config examples.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       This documentation is free/libre under the terms of the GPLv2+.

                                 Jan 20, 2021              CONNTRACKD.CONF(5)