#
# conntrackd configuration. Only a General and a Stats section are
# present (no Sync section), so this appears to be a statistics-only
# deployment; confirm that matches the intended mode before reusing it.
#
# General settings
#
General {
	#
	# Set the nice value of the daemon. This value goes from -20
	# (most favorable scheduling) to 19 (least favorable). Using a
	# negative value reduces the chances to lose state-change events.
	# Default is 0. See man nice(1) for more information.
	#
	Nice -1

	#
	# Select a different scheduler for the daemon, you can select between
	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
	# See man sched_setscheduler(2) for more information. Using a RT
	# scheduler reduces the chances to overrun the Netlink buffer.
	#
	# Scheduler {
	#	Type FIFO
	#	Priority 99
	# }

	#
	# Number of buckets in the caches: hash table
	#
	HashSize 8192

	#
	# Maximum number of conntracks:
	# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
	# NOTE(review): that path is the legacy ip_conntrack sysctl; on
	# kernels using nf_conntrack the equivalent is
	# net.netfilter.nf_conntrack_max -- check which one your kernel
	# exposes and size HashLimit accordingly.
	#
	HashLimit 65535

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	# With this left commented out the daemon keeps no log of its own;
	# enable it, or Syslog below, if daemon events need to be auditable.
	#
	#LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration. This is the control socket the
	# conntrackd client talks to, so whoever can connect to it can drive
	# the daemon; keep the directory and socket owned by and restricted
	# to root. NOTE(review): the file mode applied to the socket is not
	# set here -- verify it on the running system.
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink socket buffer size
	#
	NetlinkBufferSize 262142

	#
	# Increase the socket buffer up to maximum if required
	# NOTE(review): 655355 appears to be the value carried over from the
	# upstream example configuration; confirm it is the intended ceiling
	# rather than a transcription error, since it is not a round size
	# like the other buffer values.
	#
	NetlinkBufferSizeMaxGrowth 655355

	#
	# By default, the daemon receives state updates following an
	# event-driven model. You can modify this behaviour by switching to
	# polling mode with the PollSecs clause. This clause tells conntrackd
	# to dump the states in the kernel every N seconds. With regards to
	# synchronization mode, the polling mode can only guarantee that
	# long-lifetime states are recovered. The main advantage of this method
	# is the reduction in the state replication at the cost of reducing the
	# chances of recovering connections.
	#
	# PollSecs 15

	#
	# Event filtering: This clause allows you to filter certain traffic.
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# Whatever is filtered out here never reaches the Stats log below, so
	# this block decides the blind spots of the connection record.
	#
	Filter {
		#
		# Accept only certain protocols: You may want to log the
		# state of flows depending on their layer 4 protocol.
		# As configured, only TCP flows are recorded; UDP stays
		# commented out and is therefore not logged.
		#
		Protocol Accept {
			TCP
			# UDP
		}

		#
		# Ignore traffic for a certain set of IPs.
		# Only IPv4 loopback is ignored; the IPv6 loopback entry is
		# commented out, so ::1 traffic is still recorded.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			# IPv6_address ::1
		}

		#
		# Uncomment the lines below if you want to filter by flow state.
		# The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
		# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}

#
# Statistics mode: record destroyed flows rather than replicate state.
#
Stats {
	#
	# If you enable this option, the daemon writes the information about
	# destroyed connections to a logfile. Default is off.
	# Logfile: on, off, or a filename
	# Default file: (/var/log/conntrackd-stats.log)
	# The file grows with traffic and is effectively a connection history,
	# so rotate it and keep it readable only by the intended users.
	#
	LogFile on

	# If you want reliable event reporting over Netlink, set on this
	# option. If you set on this clause, it is a good idea to set off
	# NetlinkOverrunResync. This option is off by default and you need
	# a Linux kernel >= 2.6.31.
	# Left at the default (off) here, so destroy events can be missed
	# under Netlink buffer overrun; the resulting log is best-effort.
	#
	# NetlinkEventsReliable Off

	#
	# Enable connection logging via Syslog. Default is off.
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# If you set the facility, use the same as in the General clause,
	# otherwise you'll get a warning message.
	#
	#Syslog on
}