# Synchronizer settings
# Size of the resend queue (in objects). This is the maximum
# number of objects that can be stored waiting to be confirmed
# via acknowledgment. If you keep this value low, the daemon
# will have less chances to recover state-changes under message
# omission. On the other hand, if you keep this value high,
# the daemon will consume more memory to store dead objects.
# Default is 131072 objects.
# ResendQueueSize 131072
# This parameter allows you to set an initial fixed timeout
# for the committed entries when this node goes from backup
# to primary. This mechanism provides a way to purge entries
# that were not recovered appropriately after the specified
# fixed timeout. If you set a low value, TCP entries in
# Established states with no traffic may hang. For example,
# an SSH connection without KeepAlive enabled. If not set,
# the daemon uses an approximate timeout value calculation
# mechanism. By default, this option is not set.
# If the firewall replica goes from primary to backup,
# the conntrackd -t command is invoked in the script.
# This command schedules a flush of the table in N seconds.
# This is useful to purge the connection tracking table of
# zombie entries and avoid clashes with old entries if you
# trigger several consecutive hand-overs. Default is 60 seconds.
# Set the acknowledgement window size. If you decrease this
# value, the number of acknowledgments increases. More
# acknowledgments means more overhead as conntrackd has to
# handle more control messages. On the other hand, if you
# increase this value, the resend queue gets more populated.
# This results in more overhead in the queue releasing.
# The following value is based on some practical experiments
# measuring the cycles spent by the acknowledgment handling
# with oprofile. If not set, default window size is 300.
# Multicast IP and interface where messages are
# broadcasted (dedicated link). IMPORTANT: Make sure
# that iptables accepts traffic for destination
# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
# Multicast address: The address that you use as destination
# in the synchronization messages. You do not have to add
# this IP to any of your existing interfaces. If in doubt,
# do not modify this value.
IPv4_address 225.0.0.50
# The multicast group that identifies the cluster. If in
# doubt, do not modify this value.
# IP address of the interface that you are going to use to
# send the synchronization messages. Remember that you must
# use a dedicated link for the synchronization messages.
IPv4_interface 192.168.100.100
# The name of the interface that you are going to use to
# send the synchronization messages.
# The multicast sender uses a buffer to enqueue the packets
# that are going to be transmitted. The default size of this
# socket buffer is available at /proc/sys/net/core/wmem_default.
# This value determines the chances to have an overrun in the
# sender queue. An overrun results in packet loss, thus losing
# state information that would have to be retransmitted. If you
# notice some packet loss, you may want to increase the size
# of the sender buffer. The default size is usually around
# ~100 KBytes which is fairly small for busy firewalls.
SndSocketBuffer 1249280
# The multicast receiver uses a buffer to enqueue the packets
# that the socket is pending to handle. The default size of this
# socket buffer is available at /proc/sys/net/core/rmem_default.
# This value determines the chances to have an overrun in the
# receiver queue. An overrun results in packet loss, thus losing
# state information that would have to be retransmitted. If you
# notice some packet loss, you may want to increase the size of
# the receiver buffer. The default size is usually around
# ~100 KBytes which is fairly small for busy firewalls.
RcvSocketBuffer 1249280
# Enable/Disable message checksumming. This is a good
# property to achieve fault-tolerance: it detects corrupted messages, not forged ones. In case of doubt, do
# not modify this value.
# You can specify more than one dedicated link. Thus, if one dedicated
# link fails, conntrackd can fail-over to another. Note that adding
# more than one dedicated link does not mean that state-updates will
# be sent to all of them. There is only one active dedicated link at
# a given moment. The `Default' keyword indicates that this interface
# will be selected as the initial dedicated link. You can have
# up to 4 redundant dedicated links. Note: Use different multicast
# groups for every redundant link.
# Multicast Default {
# IPv4_address 225.0.0.51
# IPv4_interface 192.168.100.101
# # SndSocketBuffer 1249280
# # RcvSocketBuffer 1249280
# You can use Unicast UDP instead of Multicast to propagate events.
# Note that you cannot use unicast UDP and Multicast at the same
# time, you can only select one.
# UDP address that this firewall uses to listen to events.
# IPv4_address 192.168.2.100
# or you may want to use an IPv6 address:
# IPv6_address fe80::215:58ff:fe28:5a27
# Destination UDP address that receives events, i.e. the other
# firewall's dedicated link address.
# IPv4_Destination_Address 192.168.2.101
# or you may want to use an IPv6 address:
# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
# The name of the interface that you are going to use to
# send the synchronization messages.
# The sender socket buffer size
# SndSocketBuffer 1249280
# The receiver socket buffer size
# RcvSocketBuffer 1249280
# Enable/Disable message checksumming.
# Set the nice value of the daemon, this value goes from -20
# (most favorable scheduling) to 19 (least favorable). Using a
# very low value reduces the chances to lose state-change events.
# Default is 0 but this example file sets it to most favourable
# scheduling as this is generally a good idea. See man nice(1) for
# Number of buckets in the cache hashtable. The bigger it is,
# the closer it gets to O(1) at the cost of consuming more memory.
# Read some documents about tuning hashtables for further reference.
# Maximum number of conntracks; it should be double the value of:
# $ cat /proc/sys/net/netfilter/nf_conntrack_max
# since the daemon may keep some dead entries cached for possible
# retransmission during state synchronization.
# Logfile: on (/var/log/conntrackd.log), off, or a filename
# Syslog: on, off or a facility name (daemon (default) or local0..7)
LockFile /var/lock/conntrack.lock
# Unix socket configuration
Path /var/run/conntrackd.ctl
# Netlink event socket buffer size. If you do not specify this clause,
# the default buffer size value in /proc/sys/net/core/rmem_default is
# used. This default value is usually around 100 Kbytes which is
# fairly small for busy firewalls. This leads to event message dropping
# and high CPU consumption. This example configuration file sets the
# size to 2 MBytes to avoid this sort of problem.
NetlinkBufferSize 2097152
# The daemon doubles the size of the netlink event socket buffer size
# if it detects netlink event message dropping. This clause sets the
# maximum buffer size growth that can be reached. This example file
# sets the size to 8 MBytes.
NetlinkBufferSizeMaxGrowth 8388608
# If the daemon detects that Netlink is dropping state-change events,
# it automatically schedules a resynchronization against the Kernel
# after 30 seconds (default value). Resynchronizations are expensive
# in terms of CPU consumption since the daemon has to get the full
# kernel state-table and purge state-entries that do not exist anymore.
# Be careful of setting a very small value here. You have the following
# choices: On (enabled, use default 30 seconds value), Off (disabled)
# or Value (in seconds, to set a specific amount of time). If not
# specified, the daemon assumes that this option is enabled.
# NetlinkOverrunResync On
# By default, the daemon receives state updates following an
# event-driven model. You can modify this behaviour by switching to
# polling mode with the PollSecs clause. This clause tells conntrackd
# to dump the states in the kernel every N seconds. With regards to
# synchronization mode, the polling mode can only guarantee that
# long-lifetime states are recovered. The main advantage of this method
# is the reduction in the state replication at the cost of reducing the
# chances of recovering connections.
# The daemon prioritizes the handling of state-change events coming
# from the core. With this clause, you can set the maximum number of
# state-change events (those coming from kernel-space) that the daemon
# will handle after which it will handle other events coming from the
# network or userspace. A low value improves interactivity (in terms of
# real-time behaviour) at the cost of extra CPU consumption.
# Default (if not set) is 100.
# EventIterationLimit 100
# Event filtering: This clause allows you to filter certain traffic.
# There are currently three filter-sets: Protocol, Address and
# State. The filter is attached to an action that can be: Accept or
# Ignore. Thus, you can define the event filtering policy of the
# filter-sets in positive or negative logic depending on your needs.
# You can select if conntrackd filters the event messages from
# user-space or kernel-space. The kernel-space event filtering
# saves some CPU cycles by avoiding the copy of the event message
# from kernel-space to user-space. The kernel-space event filtering
# is preferred; however, you require a Linux kernel >= 2.6.29 to
# filter from kernel-space. If you want to select kernel-space
# event filtering, use the keyword 'Kernelspace' instead of
Filter From Userspace {
# Accept only certain protocols: You may want to replicate
# the state of flows depending on their layer 4 protocol.
# Ignore traffic for a certain set of IP's: Usually all the
# IP assigned to the firewall since local traffic must be
# ignored; only forwarded connections are worth replicating.
# Note that these values depend on the local IPs that are
# assigned to the firewall.
IPv4_address 127.0.0.1 # loopback
IPv4_address 192.168.0.100 # virtual IP 1
IPv4_address 192.168.1.100 # virtual IP 2
IPv4_address 192.168.0.1
IPv4_address 192.168.1.1
IPv4_address 192.168.100.100 # dedicated link ip
# You can also specify networks in format IP/cidr.
# IPv4_address 192.168.0.0/24
# Uncomment this line below if you want to filter by flow state.
# This option introduces a trade-off in the replication: it
# reduces CPU consumption at the cost of having lazy backup
# firewall replicas. The existing TCP states are: SYN_SENT,
# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
# TIME_WAIT, CLOSED, LISTEN.
# ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP