CONNTRACKD.CONF(5)            File Formats Manual           CONNTRACKD.CONF(5)

NAME

       conntrackd.conf - configuration file for conntrackd daemon

DESCRIPTION

       conntrackd.conf is the main configuration file for the conntrackd(8)
       daemon. It is loaded by calling `conntrackd -C conntrackd.conf'.

       The format of this file is simple, using brackets for sections and key-
       value pairs for concrete configuration directives:

            section1 {
                 option1 value1
                 option2 value2
            }
            section2 {
                 option3 value3
                 subsection1 {
                      option4 value4
                 }
            }

       You should consider this file as case-sensitive. Empty lines and lines
       starting with the '#' character are ignored.

       Before starting to develop a new configuration, you may want to learn
       the concepts behind this technology at
       http://conntrack-tools.netfilter.org/manual.html.

       There are complete configuration examples at the end of this man page.


SYNC

       This top-level section defines how conntrackd(8) should handle
       synchronization with other cluster nodes.

       There are 3 main synchronization modes or protocols: NOTRACK, ALARM and
       FTFW.

       There are 3 transport protocols as well: TCP, Multicast and UDP.

       You have to choose one synchronization mode and one transport protocol.

       Also, there are some general options in this section.


   Mode FTFW
       This mode is based on a reliable protocol that performs message
       tracking. Thus, the protocol can recover from message loss, re-ordering
       and corruption.

       In this synchronization mode you may configure ResendQueueSize,
       CommitTimeout, PurgeTimeout, ACKWindowSize, DisableExternalCache and
       StartupResync.


       ResendQueueSize <value>
              Size of the resend queue (in objects). This is the maximum
              number of objects that can be stored waiting to be confirmed via
              acknowledgment. If you keep this value low, the daemon will have
              less chance to recover state-changes after message loss. On the
              other hand, if you keep this value high, the daemon will consume
              more memory to store dead objects.

              Example: ResendQueueSize 131072

              Default is 131072 objects.


       CommitTimeout <seconds>
              This parameter allows you to set an initial fixed timeout for
              the committed entries when this node goes from backup to
              primary. This mechanism provides a way to purge entries that
              were not recovered appropriately after the specified fixed
              timeout. If you set a low value, TCP entries in the ESTABLISHED
              state with no traffic may hang, for example an SSH connection
              without KeepAlive enabled.

              Example: CommitTimeout 180

              By default, this option is not set (the daemon uses an
              approximate timeout value calculation mechanism).


       PurgeTimeout <seconds>
              If the firewall replica goes from primary to backup, the
              fail-over script invokes `conntrackd -t'. This command schedules
              a flush of the kernel conntrack table in N seconds.

              This is useful to purge the connection tracking table of zombie
              entries and to avoid clashes with old entries if you trigger
              several consecutive hand-overs.

              Default is 60 seconds.


       ACKWindowSize <value>
              Set the acknowledgement window size. If you decrease this value,
              the number of acknowledgments increases. More acknowledgments
              means more overhead, as conntrackd(8) has to handle more control
              messages. On the other hand, if you increase this value, the
              resend queue gets more populated. This results in more overhead
              when releasing the queue.

              Example: ACKWindowSize 300

              If not set, the default window size is 300 (a value based on
              practical experiments measuring the cycles spent by the
              acknowledgment handling with oprofile).


       DisableExternalCache <yes|no>
              This clause allows you to disable the external cache. Thus, the
              state entries are directly injected into the kernel conntrack
              table. As a result, you save memory in user-space but you
              consume slots in the kernel conntrack table for backup state
              entries. Moreover, disabling the external cache means more CPU
              consumption. You need a Linux kernel >= 2.6.29 to use this
              feature.

              If you are installing conntrackd(8) for the first time, please
              read the user manual and consider using the fail-over scripts
              instead of enabling this option.

              By default this is set to no, meaning the external cache is
              enabled.


       StartupResync <yes|no>
              Order conntrackd to request a complete conntrack table resync
              against the other node at startup. A single request will be
              made.

              This is useful to get in sync with another node which has been
              running while we were down.

              Example: StartupResync yes

              By default, this clause is set to no.


   Mode ALARM
       This mode is bandwidth-hungry. It is based on an alarm-based protocol
       that periodically re-sends the flow state to the backup firewall
       replicas. This protocol consumes a lot of bandwidth but it resolves
       synchronization problems fast.

       In this synchronization mode you may configure RefreshTime,
       CacheTimeout, CommitTimeout and PurgeTimeout.


       RefreshTime <seconds>
              If a conntrack entry is not modified in <= N seconds, then a
              message is broadcast. For example, this mechanism may be used
              to resynchronize nodes that just joined the multicast group.

              Example: RefreshTime 15


       CacheTimeout <seconds>
              If we don't receive a notification about the state of an entry
              in the external cache after N seconds, then remove it. Keep
              this value comfortably larger than RefreshTime, otherwise
              entries on the backup expire before the next periodic refresh
              arrives.

              Example: CacheTimeout 180


       CommitTimeout <seconds>
              Same as in FTFW mode.


       PurgeTimeout <seconds>
              Same as in FTFW mode.


   Mode NOTRACK
       This is the simplest mode, as it is based on a best-effort, i.e.
       unreliable, replication protocol. This protocol sends and receives the
       state information without performing any specific checking.

       In this synchronization mode you may configure DisableInternalCache,
       DisableExternalCache, CommitTimeout, PurgeTimeout and StartupResync.


       DisableInternalCache <yes|no>
              This clause allows you to disable the internal cache. Thus, the
              synchronization messages are directly sent through the dedicated
              link.

              This option is set to no by default.


       DisableExternalCache <yes|no>
              Same as in FTFW mode.


       CommitTimeout <seconds>
              Same as in FTFW mode.


       PurgeTimeout <seconds>
              Same as in FTFW mode.


       StartupResync <yes|no>
              Same as in FTFW mode.


   MULTICAST
       This section tells conntrackd(8) to use multicast as the transport
       mechanism between nodes of the firewall cluster.

       Please note you can specify more than one dedicated link. Thus, if one
       dedicated link fails, the daemon can fail-over to another. Note that
       adding more than one dedicated link does not mean that state-updates
       will be sent to all of them. There is only one active dedicated link at
       a given moment.

       The Default keyword indicates that this interface will be selected as
       the initial dedicated link. You can have up to 4 redundant dedicated
       links.

       Note: use different multicast groups for every redundant link.

       Example:
            Multicast Default {
                 IPv4_address 225.0.0.51
                 Group 3781
                 IPv4_interface 192.168.100.101
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }
            Multicast {
                 IPv4_address 225.0.0.51
                 Group 3782
                 IPv4_interface 192.168.100.102
                 Interface eth4
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }


       IPv4_address <address>
              Multicast address: the address that you use as destination in
              the synchronization messages. It must be an address from the
              IPv4 multicast range (224.0.0.0/4). You do not have to add this
              IP to any of your existing interfaces.

              Example: IPv4_address 225.0.0.50


       Group <number>
              The multicast group that identifies the cluster.

              Example: Group 3780

              If in any doubt, do not modify this value.


       IPv4_interface <address>
              IP address of the interface that you are going to use to send
              the synchronization messages. Remember that you must use a
              dedicated link for the synchronization messages.

              Example: IPv4_interface 192.168.100.100


       Interface <name>
              The name of the interface that you are going to use to send the
              synchronization messages.

              Example: Interface eth2


       SndSocketBuffer <number>
              This transport protocol sender uses a buffer to enqueue the
              packets that are going to be transmitted. The default size of
              this socket buffer is available at
              /proc/sys/net/core/wmem_default.

              This value determines the chances of an overrun in the sender
              queue. An overrun results in packet loss, thus losing state
              information that would have to be retransmitted. If you notice
              some packet loss, you may want to increase the size of the
              buffer. The system default size is usually around ~100 KBytes,
              which is fairly small for busy firewalls. If the effective
              buffer stays smaller than requested, raise
              /proc/sys/net/core/wmem_max as well, since the kernel caps
              SO_SNDBUF requests at that value.

              Note: the NOTRACK protocol is best effort, so it is really
              recommended to increase the buffer size.

              Example: SndSocketBuffer 1249280


       RcvSocketBuffer <number>
              This transport protocol receiver uses a buffer to enqueue the
              packets that the socket has not yet handled. The default size
              of this socket buffer is available at
              /proc/sys/net/core/rmem_default.

              This value determines the chances of an overrun in the receiver
              queue. An overrun results in packet loss, thus losing state
              information that would have to be retransmitted. If you notice
              some packet loss, you may want to increase the size of the
              buffer. The system default size is usually around ~100 KBytes,
              which is fairly small for busy firewalls. If the effective
              buffer stays smaller than requested, raise
              /proc/sys/net/core/rmem_max as well, since the kernel caps
              SO_RCVBUF requests at that value.

              Note: the NOTRACK protocol is best effort, so it is really
              recommended to increase the buffer size.

              Example: RcvSocketBuffer 1249280


       Checksum <yes|no>
              Enable/disable message checksumming. This is a good property to
              achieve fault-tolerance. In case of doubt, use it.


   UDP
       This section tells conntrackd(8) to use UDP as the transport mechanism
       between nodes of the firewall cluster.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example:
            UDP {
                 IPv4_address 172.16.0.1
                 IPv4_Destination_Address 172.16.0.2
                 Port 3781
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum on
            }


       IPv4_address <address>
              UDP IPv4 address that this firewall uses to listen to events.

              Example: IPv4_address 192.168.2.100


       IPv6_address <address>
              UDP IPv6 address that this firewall uses to listen to events.

              Example: IPv6_address fe80::215:58ff:fe28:5a27


       IPv4_Destination_Address <address>
              Destination IPv4 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv4_Destination_Address 192.168.2.101


       IPv6_Destination_Address <address>
              Destination IPv6 UDP address that receives events, i.e. the
              other firewall's dedicated link address.

              Example: IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c


       Port <number>
              UDP port used for the dedicated link.

              Example: Port 3780


       Interface <name>
              Same as in the Multicast transport protocol configuration.


       SndSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.


       RcvSocketBuffer <number>
              Same as in the Multicast transport protocol configuration.


       Checksum <yes|no>
              Same as in the Multicast transport protocol configuration.



   TCP
       You can also use unicast TCP to propagate events.

       If you combine this transport with the NOTRACK mode, it becomes
       reliable.

       The TCP transport protocol can be configured in exactly the same way as
       the UDP transport protocol.

       As in the Multicast configuration, you may specify several fail-over
       dedicated links using the Default keyword.

       Example (the local and destination addresses are the two ends of the
       dedicated link, so they must differ):
            TCP {
                 IPv6_address fe80::215:58ff:fe28:5a27
                 IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
                 Port 3781
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum yes
            }


   OPTIONS
       Other unsorted options that are related to the synchronization protocol
       or transport mechanism.


       TCPWindowTracking <yes|no>
              TCP state-entries have window tracking disabled by default; you
              can enable it with this option. As said, the default is off.
              This feature requires a Linux kernel >= 2.6.36.


       ExpectationSync <on|{ list }>
              Enable the synchronization of expectations. Set it to on to
              synchronize the expectations of every helper, or give the list
              of helpers whose expectations you want to synchronize.

              This feature requires a Linux kernel >= 3.5.

              Example, sync all expectations:
                   ExpectationSync on

              Example, sync given expectations:
                   ExpectationSync {
                        ftp
                        ras
                        q.931
                        h.245
                        sip
                   }

              By default, this option is disabled.


GENERAL

       This top-level section contains generic configuration directives for
       the conntrackd(8) daemon.


       Systemd <yes|no>
              Enable systemd(1) runtime support if conntrackd(8) is compiled
              with the proper configuration. Then you can use a service unit
              of Type=notify.

              Obviously, this requires the init of your system to be
              systemd(1).

              Note: the systemd(1) watchdog is supported as well.

              Example: Systemd yes

              By default runtime support is enabled if conntrackd was built
              with the systemd feature. Otherwise it is off.


       Nice <value>
              Deprecated. conntrackd ignores this option and it will be
              removed in the future. Please note that you can run nice(1) and
              renice(1) externally. Also note that conntrackd(8) now uses an
              RT scheduler by default.


       HashSize <value>
              Number of buckets in the cache hashtable. The bigger it is, the
              closer it gets to O(1) at the cost of consuming more memory.
              Read some documents about tuning hashtables for further
              reference.

              Example: HashSize 32768


       HashLimit <value>
              Maximum number of conntracks. It should be double
              /proc/sys/net/netfilter/nf_conntrack_max, since the daemon may
              keep some dead entries cached for possible retransmission during
              state synchronization.

              Example: HashLimit 131072


       LogFile <yes|no|filename>
              Enable conntrackd(8) to log to a file.

              Example: LogFile no

              Default is no. Default logfile is /var/log/conntrackd.log.


       Syslog <yes|no|facility>
              Enable connection logging via Syslog. If you set the facility,
              use the same as in the Stats section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is off.


       LockFile <filename>
              Lockfile to be used by conntrackd(8) (absolute path).

              Example: LockFile /var/lock/conntrack.lock

              Default is /var/lock/conntrack.lock.


       NetlinkBufferSize <value>
              Netlink event socket buffer size. If you do not specify this
              clause, the default buffer size value in
              /proc/sys/net/core/rmem_default is used. This default value is
              usually around 100 Kbytes, which is fairly small for busy
              firewalls. This leads to event message dropping and high CPU
              consumption.

              Example: NetlinkBufferSize 2097152


       NetlinkBufferSizeMaxGrowth <value>
              The daemon doubles the size of the netlink event socket buffer
              if it detects netlink event message dropping. This clause sets
              the maximum buffer size that this growth can reach.

              Example: NetlinkBufferSizeMaxGrowth 8388608


       NetlinkOverrunResync <yes|no|value>
              If the daemon detects that Netlink is dropping state-change
              events, it automatically schedules a resynchronization against
              the kernel after 30 seconds (default value). Resynchronizations
              are expensive in terms of CPU consumption, since the daemon has
              to get the full kernel state-table and purge state-entries that
              do not exist anymore.

              Note: be careful when setting a very small value here.

              Example: NetlinkOverrunResync yes

              The default value is 30 seconds. If not specified, the daemon
              assumes that this option is enabled and uses the default value.


       NetlinkEventsReliable <yes|no>
              If you want reliable event reporting over Netlink, enable this
              option. If you enable this clause, it is a good idea to disable
              NetlinkOverrunResync.

              You need Linux kernel >= 2.6.31 for this option to work.

              Example: NetlinkEventsReliable yes

              This option is off by default.


       PollSecs <seconds>
              By default, the daemon receives state updates following an
              event-driven model. You can modify this behaviour by switching
              to polling mode with this clause.

              This clause tells conntrackd(8) to dump the states in the kernel
              every N seconds. With regard to synchronization, the polling
              mode can only guarantee that long-lived states are recovered.
              The main advantage of this method is the reduction in state
              replication traffic, at the cost of reducing the chances of
              recovering connections.

              Example: PollSecs 15


       EventIterationLimit <value>
              The daemon prioritizes the handling of state-change events
              coming from the core. With this clause, you can set the maximum
              number of state-change events (those coming from kernel-space)
              that the daemon will handle, after which it will handle other
              events coming from the network or userspace.

              A low value improves interactivity (in terms of real-time
              behaviour) at the cost of extra CPU consumption.

              Example: EventIterationLimit 100

              Default (if not set) is 100.


   UNIX
       Unix socket configuration. This socket is used by conntrackd(8) to
       listen to external commands like `conntrackd -k' or `conntrackd -n'.
       Whoever can connect to this socket can drive the daemon (including
       stopping it with `conntrackd -k'), so keep it in a directory that only
       root can write to.

       Example:
            UNIX {
                 Path /var/run/conntrackd.ctl
            }


       Path <filename>
              Absolute path to the Unix socket.

              Example: Path /var/run/conntrackd.ctl


       Backlog <value>
              Deprecated option.


   FILTER
       Event filtering. This clause allows you to filter certain traffic.

       There are currently three filter-sets: Protocol, Address and State. The
       filter is attached to an action that can be: Accept or Ignore. Thus,
       you can define the event filtering policy of the filter-sets in
       positive or negative logic depending on your needs.

       You can select if conntrackd(8) filters the event messages from user-
       space or kernel-space. The kernel-space event filtering saves some CPU
       cycles by avoiding the copy of the event message from kernel-space to
       user-space. The kernel-space event filtering is preferred; however, you
       require a Linux kernel >= 2.6.29 to filter from kernel-space.

       The syntax for this section is: Filter From <from> { }.

       If you want to select kernel-space event filtering, use the keyword
       Kernelspace instead of Userspace.

       Example:
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                 }
                 State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                 }
            }


       Protocol <policy> { <protocols list> }
              Accept only certain protocols: you may want to replicate the
              state of flows depending on their layer 4 protocol.

              Policy is one of Accept or Ignore.

              Protocols are: TCP, SCTP, DCCP, UDP, ICMP and IPv6-ICMP.

              The ICMP and IPv6-ICMP protocols require a Linux kernel >=
              2.6.31.

              Example:
                   Protocol Accept {
                        TCP
                        SCTP
                        DCCP
                   }


       Address <policy> { <addresses list> }
              Ignore traffic for a certain set of IPs: usually all the IPs
              assigned to the firewall, since local traffic must be ignored;
              only forwarded connections are worth replicating. The dedicated
              link address belongs in this list too, otherwise the
              synchronization traffic itself generates state-change events.

              Note that these values depend on the local IPs that are
              assigned to the firewall.

              You may specify several IPv4_address and/or IPv6_address
              directives. You can also specify networks in CIDR format.

              Policy is one of Accept or Ignore.

              Example:
                   Address Ignore {
                        IPv4_address 127.0.0.1 # loopback
                        IPv4_address 192.168.0.100 # virtual IP 1
                        IPv4_address 192.168.1.100 # virtual IP 2
                        IPv4_address 192.168.100.100 # dedicated link ip
                        IPv4_address 192.168.0.0/24
                        IPv6_address ::1
                   }


       State <policy> { <states list> for TCP }
              Filter by flow state. This option introduces a trade-off in the
              replication: it reduces CPU consumption at the cost of having
              lazy backup firewall replicas.

              Note: only affects TCP flows.

              The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED and LISTEN.

              Policy is one of Accept or Ignore.

              Example:
                   State Accept {
                        ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                   }


   SCHEDULER
       Select a different scheduler for the daemon: you can select between RR
       and FIFO, and the process priority.

       Using an RT scheduler reduces the chances of overrunning the Netlink
       buffer, and conntrackd(8) uses RR by default unless FIFO is selected.
       See sched_setscheduler(2) for more information.

       Example:
            Scheduler {
                 Type FIFO
                 Priority 99
            }


       Type <type>
              Supported values are RR or FIFO.

              Default: RR


       Priority <value>
              Value of the scheduler priority. Minimum is 0, maximum is 99.
              Note that 99 is the highest real-time priority; a FIFO task at
              that level is not pre-empted by any other real-time task on the
              CPU, so only go that far if you have measured the need.

              Default: 99 (as returned by sched_get_priority_max(2) for
              SCHED_RR)


STATS

       This top-level section tells conntrackd(8) to work as a statistics
       collector for the nf_conntrack Linux kernel subsystem.


       LogFile <yes|no|filename>
              If you enable this option, the daemon writes the information
              about destroyed connections to a logfile.

              Default is no. Default filename is
              /var/log/conntrackd-stats.log.


       NetlinkEventsReliable <yes|no>
              If you want reliable event reporting over Netlink, enable this
              option. If you enable this clause, it is a good idea to disable
              NetlinkOverrunResync. This requires Linux kernel >= 2.6.31.

              Default is no.


       Syslog <yes|no|facility>
              Enable connection logging via Syslog. If you set the facility,
              use the same as in the General section, otherwise you'll get a
              warning message.

              Example: Syslog local0

              Default is no.

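       The section/key-value format described under DESCRIPTION, together
       with several constraints this page states (a Multicast IPv4_address in
       224.0.0.0/4, a different group for every redundant link, one Mode and
       one transport per Sync section, a UDP/TCP local address that differs
       from the destination, a HashLimit of at least twice nf_conntrack_max, the
       same Syslog facility in General and Stats, and an ALARM CacheTimeout
       larger than RefreshTime), as an added example: a small parser and
       linter written for this page, not code from the conntrack-tools
       project. The configuration it checks is constructed and deliberately
       broken, and nf_conntrack_max is passed in as a number rather than read
       from /proc so that the script runs offline; only the standard library
       is used.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Section:
    words: tuple                                  # header words, e.g. ("Multicast", "Default")
    entries: list = field(default_factory=list)   # (key, [value, ...]) in file order
    sections: list = field(default_factory=list)  # nested Section objects in file order

    def get(self, key):                           # first value of the first `key` entry, else None
        return next((v[0] if v else "" for k, v in self.entries if k == key), None)

    def subs(self, name):                         # all nested sections whose first word is `name`
        return [s for s in self.sections if s.words[0] == name]

def parse(text):                                  # '#' starts a comment; blank lines are ignored
    root = Section(words=("<root>",))
    stack = [root]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {n}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):                  # "Name [arg ...] {" opens a nested section
            stack[-1].sections.append(Section(words=tuple(line[:-1].split())))
            stack.append(stack[-1].sections[-1])
        else:                                     # "Key value ..." directive (values may be empty)
            key, *vals = line.split()
            stack[-1].entries.append((key, vals))
    if len(stack) != 1:
        raise ValueError(f"unclosed section {' '.join(stack[-1].words)!r}")
    return root

MCAST_V4 = ipaddress.ip_network("224.0.0.0/4")
BOOLS = {None, "yes", "no", "on", "off"}          # Syslog values that are not a facility name

def lint(root, nf_conntrack_max=None):
    """Return findings for constraints stated in conntrackd.conf(5); [] means clean."""
    out = []
    gen, sync, stats = [(root.subs(n) or [None])[0] for n in ("General", "Sync", "Stats")]
    limit = gen.get("HashLimit") if gen else None
    if limit and nf_conntrack_max and int(limit) < 2 * nf_conntrack_max:
        out.append(f"HashLimit {limit} is below 2*nf_conntrack_max ({2 * nf_conntrack_max})")
    if gen and stats:
        a, b = gen.get("Syslog"), stats.get("Syslog")
        if a not in BOOLS and b not in BOOLS and a != b:
            out.append(f"Syslog facility differs: General={a} Stats={b}")
    if sync:
        modes = sync.subs("Mode")
        links = [s for s in sync.sections if s.words[0] in ("Multicast", "UDP", "TCP")]
        if len(modes) != 1 or len({s.words[0] for s in links}) != 1:
            out.append("Sync needs exactly one Mode and exactly one transport type")
        seen = set()
        for s in links:
            mcast, a4, group = s.words[0] == "Multicast", s.get("IPv4_address"), s.get("Group")
            if mcast and a4 and ipaddress.ip_address(a4) not in MCAST_V4:
                out.append(f"{a4} is not a multicast address (224.0.0.0/4)")
            if mcast and (a4, group) in seen:
                out.append(f"multicast group {a4}/{group} reused on a redundant link")
            if not mcast and a4 and a4 == s.get("IPv4_Destination_Address"):
                out.append(f"{s.words[0]}: local and destination address are both {a4}")
            seen.add((a4, group))
        for m in modes:
            rt, ct = m.get("RefreshTime"), m.get("CacheTimeout")
            if m.words[1:] == ("ALARM",) and rt and ct and int(ct) <= int(rt):
                out.append(f"ALARM: CacheTimeout {ct} must exceed RefreshTime {rt}")
    return out

# Constructed sample with deliberate mistakes; addresses and values are illustrative only.
SAMPLE = """\
Sync {
    Mode ALARM {
        RefreshTime 15
        CacheTimeout 10          # shorter than RefreshTime
    }
    Multicast Default {
        IPv4_address 255.0.0.50  # outside 224.0.0.0/4
        Group 3780
    }
    Multicast {
        IPv4_address 225.0.0.51
        Group 3781
    }
    Multicast {
        IPv4_address 225.0.0.51  # same group as the previous link
        Group 3781
    }
}
General {
    HashLimit 131072
    Syslog local0
}
Stats {
    Syslog local1                # does not match General
}
"""
```

       Running lint(parse(SAMPLE), nf_conntrack_max=131072) reports five
       findings, one per deliberate mistake; to check a real file, read it
       from disk and take nf_conntrack_max from
       /proc/sys/net/netfilter/nf_conntrack_max on the firewall itself.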

HELPER

       Note: this configuration is very advanced and has nothing to do with
       synchronization or stats collection.

       This top-level section tells conntrackd(8) to inject user-space
       helpers into the nf_conntrack Linux kernel subsystem. It will result
       in the nf_conntrack engine sending connections to userspace for further
       processing.

       Before this, you have to make sure you have registered the given
       user-space helper stub.

       Example:
            % nfct add helper ftp inet tcp

       Each user-space helper should be registered using a Type section,
       which is named this way:
            Type <name> <af> <transport>

       Examples:

       Helper {
            Type ftp inet tcp {
                 QueueNum 0
                 QueueLen 10240
                 Policy ftp {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type rpc inet tcp {
                 QueueNum 1
                 QueueLen 10240
                 Policy rpc {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type rpc inet udp {
                 QueueNum 2
                 QueueLen 10240
                 Policy rpc {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type tns inet tcp {
                 QueueNum 3
                 QueueLen 10240
                 Policy tns {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type dhcpv6 inet6 udp {
                 QueueNum 4
                 QueueLen 10240
                 Policy dhcpv6 {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
            Type ssdp inet udp {
                 QueueNum 5
                 QueueLen 10240
                 Policy ssdp {
                      ExpectMax 1
                      ExpectTimeout 300
                 }
            }
       }

       Parameters inside the Type section:


       QueueNum <number>
              Set the NFQUEUE number you want to use to receive traffic from
              the kernel.

              Example: QueueNum 0


       QueueLen <number>
              Maximum number of packets waiting in the queue to receive a
              verdict from user-space.

              Raise the value if you hit the following error message:
                   "nf_queue: full at X entries, dropping packet(s)"

              Default is 1024.

              Example: QueueLen 10240


       Policy <name> { }
              Set the expectation policy for the given helper.

              This sub-section contains 2 directives: ExpectMax <number>
              (maximum number of simultaneous expectations) and ExpectTimeout
              <seconds> (maximum living time for one expectation).


COMPLETE EXAMPLES
       Find below some real-life working examples.


   STATS EXAMPLE
       This configuration example tells conntrackd(8) to work as a stats
       collector.

       Stats {
            LogFile yes
            NetlinkEventsReliable no
            Syslog yes
       }
       General {
            Systemd yes
            HashSize 8192
            HashLimit 65535
            Syslog yes
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
            }
            NetlinkBufferSize 262142
            NetlinkBufferSizeMaxGrowth 655355
            Filter {
                 Protocol Accept {
                      TCP
                      UDP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv6_address ::1
                 }
            }
       }


   SYNC EXAMPLE 1
       This example configures synchronization in FTFW mode with Multicast
       transport.

       It includes common general configuration as well.

       Note: this is one of the recommended setups for conntrackd(8) in a
       firewall cluster environment.

       Sync {
            Mode FTFW {
                 ResendQueueSize 131072
                 PurgeTimeout 60
                 ACKWindowSize 300
                 DisableExternalCache no
            }
            Multicast {
                 IPv4_address 225.0.0.50
                 Group 3780
                 IPv4_interface 192.168.100.100
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum yes
            }
            Multicast Default {
                 IPv4_address 225.0.0.51
                 Group 3781
                 IPv4_interface 192.168.100.101
                 Interface eth3
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum yes
            }
            Options {
                 TCPWindowTracking no
                 ExpectationSync yes
            }
       }
       General {
            Systemd yes
            HashSize 32768
            HashLimit 131072
            LogFile yes
            Syslog no
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
            }
            NetlinkBufferSize 2097152
            NetlinkBufferSizeMaxGrowth 8388608
            NetlinkOverrunResync yes
            NetlinkEventsReliable no
            EventIterationLimit 100
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv4_address 192.168.100.0/24
                      IPv6_address ::1
                 }
            }
       }


   SYNC EXAMPLE 2
       This example configures synchronization in NOTRACK mode with TCP
       transport.

       It includes common general configuration as well.

       Sync {
            Mode NOTRACK {
                 DisableInternalCache yes
                 DisableExternalCache yes
            }
            TCP {
                 IPv4_address 192.168.2.100
                 IPv4_Destination_Address 192.168.2.101
                 Port 3780
                 Interface eth2
                 SndSocketBuffer 1249280
                 RcvSocketBuffer 1249280
                 Checksum yes
            }
            Options {
                 TCPWindowTracking no
                 ExpectationSync yes
            }
       }
       General {
            Systemd yes
            HashSize 32768
            HashLimit 131072
            LogFile yes
            Syslog no
            LockFile /var/lock/conntrack.lock
            UNIX {
                 Path /var/run/conntrackd.ctl
            }
            NetlinkBufferSize 2097152
            NetlinkBufferSizeMaxGrowth 8388608
            NetlinkOverrunResync yes
            NetlinkEventsReliable no
            EventIterationLimit 100
            Filter From Userspace {
                 Protocol Accept {
                      TCP
                      SCTP
                      DCCP
                 }
                 Address Ignore {
                      IPv4_address 127.0.0.1
                      IPv4_address 192.168.0.0/16
                      IPv6_address ::1
                 }
                 State Accept {
                      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                 }
            }
       }



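       The Helper Type parameters and the complete examples above use one file
       format, so here is an added example (my own code, not code from
       conntrack-tools or its manual) that parses that brace and key-value
       syntax into nested dicts and runs two checks a deployer may want before
       loading a file with `conntrackd -C': that every Helper Type has its own
       QueueNum and a Policy <name> sub-section carrying both ExpectMax and
       ExpectTimeout, and that the IPv4 addresses the Sync transport uses fall
       inside an Address Ignore entry of the General Filter, as both Sync
       examples above arrange for their dedicated link. The function names, the
       uniqueness rule for QueueNum and the sample configuration are
       assumptions and constructions of this example; the directive names are
       the page's.

```python
# Added example (not conntrack-tools code): a minimal parser for the brace/key-value
# format of conntrackd.conf plus two sanity checks assumed from the page's examples.
import ipaddress

def _put(section, key, value):
    # A repeated key (e.g. several IPv4_address lines) is kept as a list.
    old = section.get(key)
    section[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]

def parse_conf(text):
    # `Name args {` opens a sub-dict keyed by the full header, `key value` lines
    # become strings, bare tokens (`TCP` under `Protocol Accept`) collect under
    # "_items". Empty lines and '#' lines are ignored, as the page says.
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unexpected closing brace')
            stack.pop()
        elif line.endswith('{'):
            stack.append({})
            _put(stack[-2], line[:-1].strip(), stack[-1])
        elif len(line.split()) > 1:
            _put(stack[-1], *line.split(None, 1))
        else:
            stack[-1].setdefault('_items', []).append(line)
    if len(stack) != 1:
        raise ValueError('%d section(s) never closed' % (len(stack) - 1))
    return stack[0]

def check_helpers(conf):
    # Each Type needs its own QueueNum (the page's example uses 0..5) and a
    # Policy <name> sub-section carrying both ExpectMax and ExpectTimeout.
    findings, seen = [], {}
    for header, body in conf.get('Helper', {}).items():
        if not header.startswith('Type '):
            continue
        name = header.split()[1]
        for typ in (body if isinstance(body, list) else [body]):
            qnum = typ.get('QueueNum')
            if qnum is None:
                findings.append('%s: QueueNum missing' % header)
            elif qnum in seen:
                findings.append('%s: QueueNum %s already used by %s' % (header, qnum, seen[qnum]))
            else:
                seen[qnum] = header
            policy = typ.get('Policy ' + name)
            if not isinstance(policy, dict):
                findings.append('%s: Policy %s sub-section missing' % (header, name))
            else:
                findings += ['%s: Policy %s lacks %s' % (header, name, d)
                             for d in ('ExpectMax', 'ExpectTimeout') if d not in policy]
    return findings

def sync_link_covered(conf):
    # For each IPv4 address the Sync transport uses, report whether an
    # IPv4_address under General/Filter*/Address Ignore covers it; both Sync
    # examples on the page ignore their dedicated sync subnet this way.
    local = {'Multicast': ('IPv4_interface',),  # local address of the link
             'TCP': ('IPv4_address', 'IPv4_Destination_Address')}
    local['UDP'] = local['TCP']
    addrs = [body[k] for header, body in conf.get('Sync', {}).items()
             if isinstance(body, dict) for k in local.get(header.split()[0], ()) if k in body]
    ignored = []
    for header, body in conf.get('General', {}).items():
        if header.startswith('Filter') and isinstance(body, dict):
            ign = body.get('Address Ignore', {}).get('IPv4_address', [])
            ignored += ign if isinstance(ign, list) else [ign]
    nets = [ipaddress.ip_network(i, strict=False) for i in ignored]
    return {a: any(ipaddress.ip_address(a) in n for n in nets) for a in addrs}

# Constructed sample cut down from the page's SYNC EXAMPLE 1 and Helper blocks;
# the first Type lacks its Policy and the second reuses queue 0 on purpose.
SAMPLE_CONF = """Sync {
     Multicast {
          IPv4_interface 192.168.100.100
     }
}
General {
     Filter From Userspace {
          Address Ignore {
               IPv4_address 127.0.0.1
               IPv4_address 192.168.100.0/24
          }
     }
}
Helper {
     Type ftp inet tcp {
          QueueNum 0
     }
     Type rpc inet udp {
          QueueNum 0
          Policy rpc {
               ExpectMax 1
          }
     }
}"""
```

       Run check_helpers(parse_conf(open(path).read())) on a real file to get
       the list of findings (empty when nothing is wrong) and
       sync_link_covered(...) to get each sync address mapped to True or False.
       The parser mirrors only the rules this page states (case-sensitive
       keys, '#' comments, brace nesting) and does not validate the directive
       set itself, so an unknown key passes through unchanged.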
SEE ALSO
       conntrackd(8), conntrack(8), nfct(8),
       http://conntrack-tools.netfilter.org/manual.html


AUTHOR
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       This manual page was written by Arturo Borrero Gonzalez
       <arturo@debian.org> based on the conntrackd tarball config examples.

       Please send bug reports to <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       This documentation is free/libre under the terms of the GPLv2+.



                                 Jan 20, 2021               CONNTRACKD.CONF(5)