Blob Blame History Raw

# See also: http://conntrack-tools.netfilter.org/support.html
# 
# There are 3 different modes of running conntrackd: "alarm", "notrack" and "ftfw"
#
# The default package ships with a FTFW configuration, see /usr/share/doc/conntrackd*
# for example configurations for other modes.


#
# Synchronizer settings
#
Sync {
	Mode FTFW {
		#
		# Size of the resend queue (in objects). This is the maximum
		# number of objects that can be stored waiting to be confirmed
		# via acknoledgment. If you keep this value low, the daemon
		# will have less chances to recover state-changes under message
		# omission. On the other hand, if you keep this value high,
		# the daemon will consume more memory to store dead objects.
		# Default is 131072 objects.
		#
		# ResendQueueSize 131072

		#
		# This parameter allows you to set an initial fixed timeout
		# for the committed entries when this node goes from backup
		# to primary. This mechanism provides a way to purge entries
		# that were not recovered appropriately after the specified
		# fixed timeout. If you set a low value, TCP entries in
		# Established states with no traffic may hang. For example,
		# an SSH connection without KeepAlive enabled. If not set,
		# the daemon uses an approximate timeout value calculation
		# mechanism. By default, this option is not set.
		#
		# CommitTimeout 180

		#
		# If the firewall replica goes from primary to backup,
		# the conntrackd -t command is invoked in the script. 
		# This command schedules a flush of the table in N seconds.
		# This is useful to purge the connection tracking table of
		# zombie entries and avoid clashes with old entries if you
		# trigger several consecutive hand-overs. Default is 60 seconds.
		#
		# PurgeTimeout 60

		# Set the acknowledgement window size. If you decrease this
		# value, the number of acknowlegdments increases. More
		# acknowledgments means more overhead as conntrackd has to
		# handle more control messages. On the other hand, if you
		# increase this value, the resend queue gets more populated.
		# This results in more overhead in the queue releasing.
		# The following value is based on some practical experiments
		# measuring the cycles spent by the acknowledgment handling
		# with oprofile. If not set, default window size is 300.
		#
		# ACKWindowSize 300

		#
		# This clause allows you to disable the external cache. Thus,
		# the state entries are directly injected into the kernel
		# conntrack table. As a result, you save memory in user-space
		# but you consume slots in the kernel conntrack table for
		# backup state entries. Moreover, disabling the external cache
		# means more CPU consumption. You need a Linux kernel
		# >= 2.6.29 to use this feature. By default, this clause is
		# set off. If you are installing conntrackd for first time,
		# please read the user manual and I encourage you to consider
		# using the fail-over scripts instead of enabling this option!
		#
		# DisableExternalCache Off
	}

	#
	# Multicast IP and interface where messages are
	# broadcasted (dedicated link). IMPORTANT: Make sure
	# that iptables accepts traffic for destination
	# 225.0.0.50, eg:
	#
	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
	#
	Multicast {
		# 
		# Multicast address: The address that you use as destination
		# in the synchronization messages. You do not have to add
		# this IP to any of your existing interfaces. If any doubt,
		# do not modify this value.
		#
		IPv4_address 225.0.0.50

		#
		# The multicast group that identifies the cluster. If any
		# doubt, do not modify this value.
		#
		Group 3780

		#
		# IP address of the interface that you are going to use to
		# send the synchronization messages. Remember that you must
		# use a dedicated link for the synchronization messages.
		#
		IPv4_interface 192.168.100.100

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		Interface eth2

		# The multicast sender uses a buffer to enqueue the packets
		# that are going to be transmitted. The default size of this
		# socket buffer is available at /proc/sys/net/core/wmem_default.
		# This value determines the chances to have an overrun in the
		# sender queue. The overrun results packet loss, thus, losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the sender buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		#
		SndSocketBuffer 1249280

		# The multicast receiver uses a buffer to enqueue the packets
		# that the socket is pending to handle. The default size of this
		# socket buffer is available at /proc/sys/net/core/rmem_default.
		# This value determines the chances to have an overrun in the
		# receiver queue. The overrun results packet loss, thus, losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size of
		# the receiver buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		#
		RcvSocketBuffer 1249280

		# 
		# Enable/Disable message checksumming. This is a good
		# property to achieve fault-tolerance. In case of doubt, do
		# not modify this value.
		#
		Checksum on
	}
	#
	# You can specify more than one dedicated link. Thus, if one dedicated
	# link fails, conntrackd can fail-over to another. Note that adding
	# more than one dedicated link does not mean that state-updates will
	# be sent to all of them. There is only one active dedicated link at
	# a given moment. The `Default' keyword indicates that this interface
	# will be selected as the initial dedicated link. You can have 
	# up to 4 redundant dedicated links. Note: Use different multicast 
	# groups for every redundant link.
	#
	# Multicast Default {
	#	IPv4_address 225.0.0.51
	#	Group 3781
	#	IPv4_interface 192.168.100.101
	#	Interface eth3
	#	# SndSocketBuffer 1249280
	#	# RcvSocketBuffer 1249280
	#	Checksum on
	# }

	#
	# You can use Unicast UDP instead of Multicast to propagate events.
	# Note that you cannot use unicast UDP and Multicast at the same
	# time, you can only select one.
	# 
	# UDP {
		# 
		# UDP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination UDP address that receives events, ie. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# UDP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		# 
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		# 
		# Enable/Disable message checksumming. 
		#
		# Checksum on
	# }

	# 
	# Other unsorted options that are related to the synchronization.
	# 
	# Options {
		#
		# TCP state-entries have window tracking disabled by default,
		# you can enable it with this option. As said, default is off.
		# This feature requires a Linux kernel >= 2.6.36.
		#
		# TCPWindowTracking Off
	# }
}

#
# General settings
#
General {
	#
	# Set the nice value of the daemon, this value goes from -20
	# (most favorable scheduling) to 19 (least favorable). Using a
	# very low value reduces the chances to lose state-change events.
	# Default is 0 but this example file sets it to most favourable
	# scheduling as this is generally a good idea. See man nice(1) for
	# more information.
	#
	Nice -20

	#
	# Select a different scheduler for the daemon, you can select between
	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
	# See man sched_setscheduler(2) for more information. Using a RT
	# scheduler reduces the chances to overrun the Netlink buffer.
	#
	# Scheduler {
	#	Type FIFO
	#	Priority 99
	# }

	#
	# Number of buckets in the cache hashtable. The bigger it is,
	# the closer it gets to O(1) at the cost of consuming more memory.
	# Read some documents about tuning hashtables for further reference.
	#
	HashSize 32768

	#
	# Maximum number of conntracks, it should be double of: 
	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
	# since the daemon may keep some dead entries cached for possible
	# retransmission during state synchronization.
	#
	HashLimit 131072

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	#
	LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	# 
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink event socket buffer size. If you do not specify this clause,
	# the default buffer size value in /proc/net/core/rmem_default is
	# used. This default value is usually around 100 Kbytes which is
	# fairly small for busy firewalls. This leads to event message dropping
	# and high CPU consumption. This example configuration file sets the
	# size to 2 MBytes to avoid this sort of problems.
	#
	NetlinkBufferSize 2097152

	#
	# The daemon doubles the size of the netlink event socket buffer size
	# if it detects netlink event message dropping. This clause sets the
	# maximum buffer size growth that can be reached. This example file
	# sets the size to 8 MBytes.
	#
	NetlinkBufferSizeMaxGrowth 8388608

	#
	# If the daemon detects that Netlink is dropping state-change events,
	# it automatically schedules a resynchronization against the Kernel
	# after 30 seconds (default value). Resynchronizations are expensive
	# in terms of CPU consumption since the daemon has to get the full
	# kernel state-table and purge state-entries that do not exist anymore.
	# Be careful of setting a very small value here. You have the following
	# choices: On (enabled, use default 30 seconds value), Off (disabled)
	# or Value (in seconds, to set a specific amount of time). If not
	# specified, the daemon assumes that this option is enabled.
	#
	# NetlinkOverrunResync On

	#
	# If you want reliable event reporting over Netlink, set on this
	# option. If you set on this clause, it is a good idea to set off
	# NetlinkOverrunResync. This option is off by default and you need
	# a Linux kernel >= 2.6.31.
	#
	# NetlinkEventsReliable Off

	# 
	# By default, the daemon receives state updates following an
	# event-driven model. You can modify this behaviour by switching to
	# polling mode with the PollSecs clause. This clause tells conntrackd
	# to dump the states in the kernel every N seconds. With regards to
	# synchronization mode, the polling mode can only guarantee that
	# long-lifetime states are recovered. The main advantage of this method
	# is the reduction in the state replication at the cost of reducing the
	# chances of recovering connections.
	#
	# PollSecs 15

	#
	# The daemon prioritizes the handling of state-change events coming
	# from the core. With this clause, you can set the maximum number of
	# state-change events (those coming from kernel-space) that the daemon
	# will handle after which it will handle other events coming from the
	# network or userspace. A low value improves interactivity (in terms of
	# real-time behaviour) at the cost of extra CPU consumption.
	# Default (if not set) is 100.
	#
	# EventIterationLimit 100

	#
	# Event filtering: This clause allows you to filter certain traffic,
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# You can select if conntrackd filters the event messages from 
	# user-space or kernel-space. The kernel-space event filtering
	# saves some CPU cycles by avoiding the copy of the event message
	# from kernel-space to user-space. The kernel-space event filtering
	# is prefered, however, you require a Linux kernel >= 2.6.29 to
	# filter from kernel-space. If you want to select kernel-space 
	# event filtering, use the keyword 'Kernelspace' instead of 
	# 'Userspace'.
	#
	Filter From Userspace {
		#
		# Accept only certain protocols: You may want to replicate
		# the state of flows depending on their layer 4 protocol.
		#
		Protocol Accept {
			TCP
			SCTP
			DCCP
			# UDP
			# ICMP # This requires a Linux kernel >= 2.6.31
			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
		}

		#
		# Ignore traffic for a certain set of IP's: Usually all the
		# IP assigned to the firewall since local traffic must be
		# ignored, only forwarded connections are worth to replicate.
		# Note that these values depends on the local IPs that are
		# assigned to the firewall.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.1.100 # virtual IP 2
			IPv4_address 192.168.0.1
			IPv4_address 192.168.1.1
			IPv4_address 192.168.100.100 # dedicated link ip
			#
			# You can also specify networks in format IP/cidr.
			# IPv4_address 192.168.0.0/24
			#
			# You can also specify an IPv6 address
			# IPv6_address ::1
		}

		#
		# Uncomment this line below if you want to filter by flow state.
		# This option introduces a trade-off in the replication: it
		# reduces CPU consumption at the cost of having lazy backup 
		# firewall replicas. The existing TCP states are: SYN_SENT,
		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
		# TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}