• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /netgear-R7000-V1.0.7.12_1.2.5/ap/gpl/conntrack-tools/conntrack-tools-1.4.0/doc/sync/alarm/
1#
2# Synchronizer settings
3#
4Sync {
5	Mode ALARM {
6		#
7		# If a conntrack entry is not modified in <= 15 seconds, then
8		# a message is broadcasted. This mechanism is used to
9		# resynchronize nodes that just joined the multicast group
10		#
11		RefreshTime 15
12	
13		#
14		# If we don't receive a notification about the state of 
15		# an entry in the external cache after N seconds, then
16		# remove it.
17		#
18		CacheTimeout 180
19
20		#
21		# This parameter allows you to set an initial fixed timeout
22		# for the committed entries when this node goes from backup
23		# to primary. This mechanism provides a way to purge entries
24		# that were not recovered appropriately after the specified
25		# fixed timeout. If you set a low value, TCP entries in
26		# Established states with no traffic may hang. For example,
27		# an SSH connection without KeepAlive enabled. If not set,
28		# the daemon uses an approximate timeout value calculation
29		# mechanism. By default, this option is not set.
30		#
31		# CommitTimeout 180
32
33		#
34		# If the firewall replica goes from primary to backup,
35		# the conntrackd -t command is invoked in the script. 
36		# This command schedules a flush of the table in N seconds.
37		# This is useful to purge the connection tracking table of
38		# zombie entries and avoid clashes with old entries if you
39		# trigger several consecutive hand-overs. Default is 60 seconds
40		#
41		# PurgeTimeout 60
42	}
43
44	#
45	# Multicast IP and interface where messages are
46	# broadcasted (dedicated link). IMPORTANT: Make sure
47	# that iptables accepts traffic for destination
48	# 225.0.0.50, eg:
49	#
50	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
51	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
52	#
53	Multicast {
54		# 
55		# Multicast address: The address that you use as destination
56		# in the synchronization messages. You do not have to add
57		# this IP to any of your existing interfaces. If any doubt,
58		# do not modify this value.
59		#
60		IPv4_address 225.0.0.50
61
62		#
63		# The multicast group that identifies the cluster. If any
64		# doubt, do not modify this value.
65		#
66		Group 3780
67
68		#
69		# IP address of the interface that you are going to use to
70		# send the synchronization messages. Remember that you must
71		# use a dedicated link for the synchronization messages.
72		#
73		IPv4_interface 192.168.100.100
74
75		#
76		# The name of the interface that you are going to use to
77		# send the synchronization messages.
78		#
79		Interface eth2
80
81		# The multicast sender uses a buffer to enqueue the packets
82		# that are going to be transmitted. The default size of this
83		# socket buffer is available at /proc/sys/net/core/wmem_default.
84		# This value determines the chances to have an overrun in the
85		# sender queue. The overrun results packet loss, thus, losing
86		# state information that would have to be retransmitted. If you
87		# notice some packet loss, you may want to increase the size
88		# of the sender buffer. The default size is usually around
89		# ~100 KBytes which is fairly small for busy firewalls.
90		#
91		SndSocketBuffer 1249280
92
93		# The multicast receiver uses a buffer to enqueue the packets
94		# that the socket is pending to handle. The default size of this
95		# socket buffer is available at /proc/sys/net/core/rmem_default.
96		# This value determines the chances to have an overrun in the
97		# receiver queue. The overrun results packet loss, thus, losing
98		# state information that would have to be retransmitted. If you
99		# notice some packet loss, you may want to increase the size of
100		# the receiver buffer. The default size is usually around
101		# ~100 KBytes which is fairly small for busy firewalls.
102		#
103		RcvSocketBuffer 1249280
104
105		# 
106		# Enable/Disable message checksumming. This is a good
107		# property to achieve fault-tolerance. In case of doubt, do
108		# not modify this value.
109		#
110		Checksum on
111	}
112	#
113	# You can specify more than one dedicated link. Thus, if one dedicated
114	# link fails, conntrackd can fail-over to another. Note that adding
115	# more than one dedicated link does not mean that state-updates will
116	# be sent to all of them. There is only one active dedicated link at
117	# a given moment. The `Default' keyword indicates that this interface
118	# will be selected as the initial dedicated link. You can have 
119	# up to 4 redundant dedicated links. Note: Use different multicast 
120	# groups for every redundant link.
121	#
122	# Multicast Default {
123	#	IPv4_address 225.0.0.51
124	#	Group 3781
125	#	IPv4_interface 192.168.100.101
126	#	Interface eth3
127	#	# SndSocketBuffer 1249280
128	#	# RcvSocketBuffer 1249280
129	#	Checksum on
130	# }
131
132	#
133	# You can use Unicast UDP instead of Multicast to propagate events.
134	# Note that you cannot use unicast UDP and Multicast at the same
135	# time, you can only select one.
136	# 
137	# UDP {
138		# 
139		# UDP address that this firewall uses to listen to events.
140		#
141		# IPv4_address 192.168.2.100
142		#
143		# or you may want to use an IPv6 address:
144		#
145		# IPv6_address fe80::215:58ff:fe28:5a27
146
147		#
148		# Destination UDP address that receives events, ie. the other
149		# firewall's dedicated link address.
150		#
151		# IPv4_Destination_Address 192.168.2.101
152		#
153		# or you may want to use an IPv6 address:
154		#
155		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
156
157		#
158		# UDP port used
159		#
160		# Port 3780
161
162		#
163		# The name of the interface that you are going to use to
164		# send the synchronization messages.
165		#
166		# Interface eth2
167
168		# 
169		# The sender socket buffer size
170		#
171		# SndSocketBuffer 1249280
172
173		#
174		# The receiver socket buffer size
175		#
176		# RcvSocketBuffer 1249280
177
178		# 
179		# Enable/Disable message checksumming. 
180		#
181		# Checksum on
182	# }
183
184	#
185	# Other unsorted options that are related to the synchronization.
186	#
187	# Options {
188		#
189		# TCP state-entries have window tracking disabled by default,
190		# you can enable it with this option. As said, default is off.
191		# This feature requires a Linux kernel >= 2.6.36.
192		#
193		# TCPWindowTracking Off
194
195		# Set this option on if you want to enable the synchronization
196		# of expectations. You have to specify the list of helpers that
197		# you want to enable. Default is off.
198		#
199		# ExpectationSync {
200		#       ftp
201		#       ras
202		#	q.931
203		#	h.245
204		#       sip
205		# }
206		#
207		# You can use this alternatively:
208		#
209		# ExpectationSync On
210		#
211		# If you want to synchronize expectations of all helpers.
212	# }
213}
214
215#
216# General settings
217#
218General {
219	#
220	# Set the nice value of the daemon, this value goes from -20
221	# (most favorable scheduling) to 19 (least favorable). Using a
222	# very low value reduces the chances to lose state-change events.
223	# Default is 0 but this example file sets it to most favourable
224	# scheduling as this is generally a good idea. See man nice(1) for
225	# more information.
226	#
227	Nice -20
228
229	#
230	# Select a different scheduler for the daemon, you can select between
231	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
232	# See man sched_setscheduler(2) for more information. Using a RT
233	# scheduler reduces the chances to overrun the Netlink buffer.
234	#
235	# Scheduler {
236	#	Type FIFO
237	#	Priority 99
238	# }
239
240	#
241	# Number of buckets in the cache hashtable. The bigger it is,
242	# the closer it gets to O(1) at the cost of consuming more memory.
243	# Read some documents about tuning hashtables for further reference.
244	#
245	HashSize 32768
246
247	#
248	# Maximum number of conntracks, it should be double of: 
249	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
250	# since the daemon may keep some dead entries cached for possible
251	# retransmission during state synchronization.
252	#
253	HashLimit 131072
254
255	#
256	# Logfile: on (/var/log/conntrackd.log), off, or a filename
257	# Default: off
258	#
259	LogFile on
260
261	#
262	# Syslog: on, off or a facility name (daemon (default) or local0..7)
263	# Default: off
264	#
265	#Syslog on
266
267	#
268	# Lockfile
269	# 
270	LockFile /var/lock/conntrack.lock
271
272	#
273	# Unix socket configuration
274	#
275	UNIX {
276		Path /var/run/conntrackd.ctl
277		Backlog 20
278	}
279
280	#
281	# Netlink event socket buffer size. If you do not specify this clause,
282	# the default buffer size value in /proc/net/core/rmem_default is
283	# used. This default value is usually around 100 Kbytes which is
284	# fairly small for busy firewalls. This leads to event message dropping
285	# and high CPU consumption. This example configuration file sets the
286	# size to 2 MBytes to avoid this sort of problems.
287	#
288	NetlinkBufferSize 2097152
289
290	#
291	# The daemon doubles the size of the netlink event socket buffer size
292	# if it detects netlink event message dropping. This clause sets the
293	# maximum buffer size growth that can be reached. This example file
294	# sets the size to 8 MBytes.
295	#
296	NetlinkBufferSizeMaxGrowth 8388608
297
298	#
299	# If the daemon detects that Netlink is dropping state-change events,
300	# it automatically schedules a resynchronization against the Kernel
301	# after 30 seconds (default value). Resynchronizations are expensive
302	# in terms of CPU consumption since the daemon has to get the full
303	# kernel state-table and purge state-entries that do not exist anymore.
304	# Be careful of setting a very small value here. You have the following
305	# choices: On (enabled, use default 30 seconds value), Off (disabled)
306	# or Value (in seconds, to set a specific amount of time). If not
307	# specified, the daemon assumes that this option is enabled.
308	#
309	# NetlinkOverrunResync On
310
311	# If you want reliable event reporting over Netlink, set on this
312	# option. If you set on this clause, it is a good idea to set off
313	# NetlinkOverrunResync. This option is off by default and you need
314	# a Linux kernel >= 2.6.31.
315	#
316	# NetlinkEventsReliable Off
317
318	# 
319	# By default, the daemon receives state updates following an
320	# event-driven model. You can modify this behaviour by switching to
321	# polling mode with the PollSecs clause. This clause tells conntrackd
322	# to dump the states in the kernel every N seconds. With regards to
323	# synchronization mode, the polling mode can only guarantee that
324	# long-lifetime states are recovered. The main advantage of this method
325	# is the reduction in the state replication at the cost of reducing the
326	# chances of recovering connections.
327	#
328	# PollSecs 15
329
330	#
331	# The daemon prioritizes the handling of state-change events coming
332	# from the core. With this clause, you can set the maximum number of
333	# state-change events (those coming from kernel-space) that the daemon
334	# will handle after which it will handle other events coming from the
335	# network or userspace. A low value improves interactivity (in terms of
336	# real-time behaviour) at the cost of extra CPU consumption.
337	# Default (if not set) is 100.
338	#
339	# EventIterationLimit 100
340
341	#
342	# Event filtering: This clause allows you to filter certain traffic,
343	# There are currently three filter-sets: Protocol, Address and
344	# State. The filter is attached to an action that can be: Accept or
345	# Ignore. Thus, you can define the event filtering policy of the
346	# filter-sets in positive or negative logic depending on your needs.
347	# You can select if conntrackd filters the event messages from 
348	# user-space or kernel-space. The kernel-space event filtering
349	# saves some CPU cycles by avoiding the copy of the event message
350	# from kernel-space to user-space. The kernel-space event filtering
351	# is prefered, however, you require a Linux kernel >= 2.6.29 to
352	# filter from kernel-space. If you want to select kernel-space 
353	# event filtering, use the keyword 'Kernelspace' instead of 
354	# 'Userspace'.
355	#
356	Filter From Userspace {
357		#
358		# Accept only certain protocols: You may want to replicate
359		# the state of flows depending on their layer 4 protocol.
360		#
361		Protocol Accept {
362			TCP
363			SCTP
364			DCCP
365			# UDP
366			# ICMP # This requires a Linux kernel >= 2.6.31
367			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
368		}
369
370		#
371		# Ignore traffic for a certain set of IP's: Usually all the
372		# IP assigned to the firewall since local traffic must be
373		# ignored, only forwarded connections are worth to replicate.
374		# Note that these values depends on the local IPs that are
375		# assigned to the firewall.
376		#
377		Address Ignore {
378			IPv4_address 127.0.0.1 # loopback
379			IPv4_address 192.168.0.100 # virtual IP 1
380			IPv4_address 192.168.1.100 # virtual IP 2
381			IPv4_address 192.168.0.1
382			IPv4_address 192.168.1.1
383			IPv4_address 192.168.100.100 # dedicated link ip
384			#
385			# You can also specify networks in format IP/cidr.
386			# IPv4_address 192.168.0.0/24
387			#
388			# You can also specify an IPv6 address
389			# IPv6_address ::1
390		}
391
392		#
393		# Uncomment this line below if you want to filter by flow state.
394		# This option introduces a trade-off in the replication: it
395		# reduces CPU consumption at the cost of having lazy backup 
396		# firewall replicas. The existing TCP states are: SYN_SENT,
397		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
398		# TIME_WAIT, CLOSED, LISTEN.
399		#
400		# State Accept {
401		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
402		# }
403	}
404}
405