~ubuntu-branches/ubuntu/karmic/conntrack/karmic

Viewing changes to conntrackd.8

Committer: Bazaar Package Importer
Author(s): Andres Rodriguez
Date: 2009-06-18 18:27:31 UTC
mfrom: (3.1.2 squeeze)
Revision ID: james.westby@ubuntu.com-20090618182731-xlunt56xusrrif92

Tags: 1:0.9.12-1ubuntu1

* Merge from debian unstable (LP: #380358), remaining changes:
- Error on fwrite failure in src/read_config_lex.c.
- Patch from Kees Cook to not ignore return value of chdir call.
* debian/copyright: Updated download site.

files added:
debian/conntrackd.preinst

doc/manual

doc/manual/Makefile

doc/manual/config.xsl

doc/manual/conntrack-tools.html

doc/manual/conntrack-tools.tmpl

doc/manual/docbook.css

doc/stats/conntrackd.conf.orig

doc/stats/conntrackd.conf.rej

doc/sync/alarm/conntrackd.conf

doc/sync/alarm/conntrackd.conf.orig

doc/sync/alarm/conntrackd.conf.rej

doc/sync/ftfw/conntrackd.conf

doc/sync/ftfw/conntrackd.conf.orig

doc/sync/keepalived.conf

doc/sync/notrack/conntrackd.conf

doc/sync/notrack/conntrackd.conf.orig

doc/sync/notrack/conntrackd.conf.rej

doc/sync/primary-backup.sh

extensions/libct_proto_unknown.c

include/bitops.h

include/channel.h

include/cidr.h

include/filter.h

include/udp.h

include/vector.h

src/channel.c

src/channel_mcast.c

src/channel_udp.c

src/cidr.c

src/filter.c

src/multichannel.c

src/udp.c

src/vector.c

files removed:
doc/sync/alarm/node1

doc/sync/alarm/node1/conntrackd.conf

doc/sync/alarm/node1/keepalived.conf

doc/sync/alarm/node2

doc/sync/alarm/node2/conntrackd.conf

doc/sync/alarm/node2/keepalived.conf

doc/sync/alarm/script_backup.sh

doc/sync/alarm/script_master.sh

doc/sync/ftfw/node1

doc/sync/ftfw/node1/conntrackd.conf

doc/sync/ftfw/node1/keepalived.conf

doc/sync/ftfw/node2

doc/sync/ftfw/node2/conntrackd.conf

doc/sync/ftfw/node2/keepalived.conf

doc/sync/ftfw/script_backup.sh

doc/sync/ftfw/script_master.sh

doc/sync/notrack/node1

doc/sync/notrack/node1/conntrackd.conf

doc/sync/notrack/node1/keepalived.conf

doc/sync/notrack/node2

doc/sync/notrack/node2/conntrackd.conf

doc/sync/notrack/node2/keepalived.conf

doc/sync/notrack/script_backup.sh

doc/sync/notrack/script_master.sh

include/ignore.h

include/slist.h

include/state_helper.h

include/us-conntrack.h

src/cache_lifetime.c

src/ignore_pool.c

src/state_helper.c

src/state_helper_tcp.c

files modified:
INSTALL

Make_global.am

Makefile.am

Makefile.in

aclocal.m4

config.guess

config.sub

configure

configure.in

conntrack.8

conntrackd.8

debian/changelog

debian/conntrackd.README.Debian

debian/conntrackd.conf

debian/conntrackd.default

debian/conntrackd.init

debian/conntrackd.install

debian/conntrackd.logrotate

debian/control

debian/copyright

debian/rules

doc/stats/conntrackd.conf

extensions/Makefile.am

extensions/Makefile.in

extensions/libct_proto_icmp.c

extensions/libct_proto_icmpv6.c

extensions/libct_proto_tcp.c

extensions/libct_proto_udp.c

include/Makefile.am

include/Makefile.in

include/cache.h

include/conntrack.h

include/conntrackd.h

include/fds.h

include/hash.h

include/jhash.h

include/mcast.h

include/netlink.h

include/network.h

include/queue.h

include/sync.h

ltmain.sh

src/Makefile.am

src/Makefile.in

src/build.c

src/cache.c

src/cache_iterators.c

src/cache_timer.c

src/cache_wt.c

src/conntrack.c

src/event.c

src/fds.c

src/hash.c

src/log.c

src/main.c

src/mcast.c

src/netlink.c

src/network.c

src/parse.c

src/queue.c

src/read_config_lex.c

src/read_config_lex.l

src/read_config_yy.c

src/read_config_yy.h

src/read_config_yy.y

src/run.c

src/stats-mode.c

src/sync-alarm.c

src/sync-ftfw.c

src/sync-mode.c

src/sync-notrack.c

src/traffic_stats.c

Show diffs side-by-side

added added

removed removed

conntrackd.8

.TH CONNTRACKD 8 "Jan 5, 2008" "" ""

.TH CONNTRACKD 8 "Oct 21, 2008" "" ""

.\" Man page written by Pablo Neira Ayuso <pablo@netfilter.org> (Dec 2007)

.SH NAME

conntrackd \- netfilter connection tracking userspace daemon

conntrackd \- netfilter connection tracking user-space daemon

.SH SYNOPSIS

.BR "conntrackd [options]"

.SH DESCRIPTION

.B conntrackd

provides a userspace daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states among several replica firewalls. Thus,

is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states between several replica firewalls. Thus,

.B conntrackd

can be used to implement highly available stateful firewalls. The daemon fully supports Primary-Backup and Multiprimary setups for both symmetric and asymmetric paths. It can also be used as statistics collector.

can be used to deploy highly available stateful firewalls. The daemon supports Primary-Backup and Multiprimary setups. The daemon can also be used as statistics collector.

.SH OPTIONS

The options recognized by

.B conntrackd

Display output in XML format. This option is only valid in combination

with "-i" and "-e" parameters.

.TP

.BI "-f "

Flush the internal and the external cache

.BI "-f " "[|internal|external]"

Flush the internal and/or external cache

.TP

.BI "-F "

Flush the kernel conntrack table (if you use a Linux kernel >= 2.6.29, this

option will not flush your internal and external cache).

.TP

.BI "-k "

Kill the daemon

.TP

.BI "-s "

Dump statistics

Dump statistics. If no parameter is passed, it displays the general statistics.

If "network" is passed as parameter it displays the networking statistics.

If "cache" is passed as parameter, it shows the extended cache statistics.

If "runtime" is passed as parameter, it shows the run-time statistics.

.TP

.BI "-R "

Force a resync against the kernel connection tracking table

.TP

.BI "-t "

Reset the in-kernel timers (See PurgeTimeout clause)

.TP

.BI "-v "

Display version information.

.TP

.BI "-h "

Display help information.

.SH DIAGNOSTICS

The exit code is 0 for correct function. Errors cause an exit code of 1.

.SH EXAMPLES

The following example are illustrative, for a real use in a firewall fail-over,

check the primary-backup.sh script that comes with the sources.

.TP

.B conntrackd \-d

Runs conntrackd in daemon and synchronization mode

This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22, otherwise you have to disable it. Helpers are fully supported since >= 2.6.25, however, if you use any previous version, depending on the protocol helper and your setup (e.g. if you setup performs NAT sequence adjustments or not), your help connection may be successfully recovered.

.TP

There are several unsupported stateful iptables matches such as recent, connbytes and the quota matches which gather internal information to operate. Since that information does not belong to the domain of the connection tracking system, connections affected by those matches may not be fully recovered during the takeover.

.TP

The daemon requires a Linux kernel version >= 2.6.26 to support kernel-space event filtering. Otherwise, all the event filtering is done in userspace with the corresponding extra overhead. If you are not using the Filter clause in the configuration file, ignore this notice.

.SH INCOMPATIBILITIES

During the 0.9.9 development, some important changes in the replication message format were introduced. Therefore, conntrackd >= 0.9.9 will not work appropriately with conntrackd <= 0.9.8. This should not be a problem if you use the same

conntrackd version in all the firewall replica nodes.

.SH SEE ALSO

.BR conntrack (8), iptables (8)

.br

.SH AUTHORS

Pablo Neira Ayuso wrote and maintains the conntrackd tool

100

.TP

Please send bug reports to <netfilter-failover@lists.netfilter.org>. Subscription is required.

101

Please send bug reports to <netfilter-devel@lists.netfilter.org>. Subscription is required.

102

.PP

103

Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

Older »