• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /netgear-R7000-V1.0.7.12_1.2.5/ap/gpl/conntrack-tools/conntrack-tools-1.4.0/doc/sync/alarm/
1#
2# Synchronizer settings
3#
4Sync {
5	Mode ALARM {
6		#
7		# If a conntrack entry is not modified in <= 15 seconds, then
8		# a message is broadcasted. This mechanism is used to
9		# resynchronize nodes that just joined the multicast group
10		#
11		RefreshTime 15
12	
13		#
14		# If we don't receive a notification about the state of 
15		# an entry in the external cache after N seconds, then
16		# remove it.
17		#
18		CacheTimeout 180
19
20		#
21		# This parameter allows you to set an initial fixed timeout
22		# for the committed entries when this node goes from backup
23		# to primary. This mechanism provides a way to purge entries
24		# that were not recovered appropriately after the specified
25		# fixed timeout. If you set a low value, TCP entries in
26		# Established states with no traffic may hang. For example,
27		# an SSH connection without KeepAlive enabled. If not set,
28		# the daemon uses an approximate timeout value calculation
29		# mechanism. By default, this option is not set.
30		#
31		# CommitTimeout 180
32
33		#
34		# If the firewall replica goes from primary to backup,
35		# the conntrackd -t command is invoked in the script. 
36		# This command schedules a flush of the table in N seconds.
37		# This is useful to purge the connection tracking table of
38		# zombie entries and avoid clashes with old entries if you
39		# trigger several consecutive hand-overs. Default is 60 seconds
40		#
41		# PurgeTimeout 60
42	}
43
44	#
45	# Multicast IP and interface where messages are
46	# broadcasted (dedicated link). IMPORTANT: Make sure
47	# that iptables accepts traffic for destination
48	# 225.0.0.50, eg:
49	#
50	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
51	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
52	#
53	Multicast {
54		# 
55		# Multicast address: The address that you use as destination
56		# in the synchronization messages. You do not have to add
57		# this IP to any of your existing interfaces. If any doubt,
58		# do not modify this value.
59		#
60		IPv4_address 225.0.0.50
61
62		#
63		# The multicast group that identifies the cluster. If any
64		# doubt, do not modify this value.
65		#
66		Group 3780
67
68		#
69		# IP address of the interface that you are going to use to
70		# send the synchronization messages. Remember that you must
71		# use a dedicated link for the synchronization messages.
72		#
73		IPv4_interface 192.168.100.100
74
75		#
76		# The name of the interface that you are going to use to
77		# send the synchronization messages.
78		#
79		Interface eth2
80
81		# The multicast sender uses a buffer to enqueue the packets
82		# that are going to be transmitted. The default size of this
83		# socket buffer is available at /proc/sys/net/core/wmem_default.
84		# This value determines the chances to have an overrun in the
85		# sender queue. The overrun results packet loss, thus, losing
86		# state information that would have to be retransmitted. If you
87		# notice some packet loss, you may want to increase the size
88		# of the sender buffer. The default size is usually around
89		# ~100 KBytes which is fairly small for busy firewalls.
90		#
91		SndSocketBuffer 1249280
92
93		# The multicast receiver uses a buffer to enqueue the packets
94		# that the socket is pending to handle. The default size of this
95		# socket buffer is available at /proc/sys/net/core/rmem_default.
96		# This value determines the chances to have an overrun in the
97		# receiver queue. The overrun results packet loss, thus, losing
98		# state information that would have to be retransmitted. If you
99		# notice some packet loss, you may want to increase the size of
100		# the receiver buffer. The default size is usually around
101		# ~100 KBytes which is fairly small for busy firewalls.
102		#
103		RcvSocketBuffer 1249280
104
105		# 
106		# Enable/Disable message checksumming. This is a good
107		# property to achieve fault-tolerance. In case of doubt, do
108		# not modify this value.
109		#
110		Checksum on
111	}
112	#
113	# You can specify more than one dedicated link. Thus, if one dedicated
114	# link fails, conntrackd can fail-over to another. Note that adding
115	# more than one dedicated link does not mean that state-updates will
116	# be sent to all of them. There is only one active dedicated link at
117	# a given moment. The `Default' keyword indicates that this interface
118	# will be selected as the initial dedicated link. You can have 
119	# up to 4 redundant dedicated links. Note: Use different multicast 
120	# groups for every redundant link.
121	#
122	# Multicast Default {
123	#	IPv4_address 225.0.0.51
124	#	Group 3781
125	#	IPv4_interface 192.168.100.101
126	#	Interface eth3
127	#	# SndSocketBuffer 1249280
128	#	# RcvSocketBuffer 1249280
129	#	Checksum on
130	# }
131
132	#
133	# You can use Unicast UDP instead of Multicast to propagate events.
134	# Note that you cannot use unicast UDP and Multicast at the same
135	# time, you can only select one.
136	# 
137	# UDP {
138		# 
139		# UDP address that this firewall uses to listen to events.
140		#
141		# IPv4_address 192.168.2.100
142		#
143		# or you may want to use an IPv6 address:
144		#
145		# IPv6_address fe80::215:58ff:fe28:5a27
146
147		#
148		# Destination UDP address that receives events, ie. the other
149		# firewall's dedicated link address.
150		#
151		# IPv4_Destination_Address 192.168.2.101
152		#
153		# or you may want to use an IPv6 address:
154		#
155		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
156
157		#
158		# UDP port used
159		#
160		# Port 3780
161
162		#
163		# The name of the interface that you are going to use to
164		# send the synchronization messages.
165		#
166		# Interface eth2
167
168		# 
169		# The sender socket buffer size
170		#
171		# SndSocketBuffer 1249280
172
173		#
174		# The receiver socket buffer size
175		#
176		# RcvSocketBuffer 1249280
177
178		# 
179		# Enable/Disable message checksumming. 
180		#
181		# Checksum on
182	# }
183
184	#
185	# Other unsorted options that are related to the synchronization.
186	#
187	# Options {
188		#
189		# TCP state-entries have window tracking disabled by default,
190		# you can enable it with this option. As said, default is off.
191		# This feature requires a Linux kernel >= 2.6.36.
192		#
193		# TCPWindowTracking Off
194
195		# Set this option on if you want to enable the synchronization
196		# of expectations. You have to specify the list of helpers that
197		# you want to enable. Default is off. This feature requires
198		# a Linux kernel >= 3.5.
199		#
200		# ExpectationSync {
201		#       ftp
202		#       ras
203		#	q.931
204		#	h.245
205		#       sip
206		# }
207		#
208		# You can use this alternatively:
209		#
210		# ExpectationSync On
211		#
212		# If you want to synchronize expectations of all helpers.
213	# }
214}
215
216#
217# General settings
218#
219General {
220	#
221	# Set the nice value of the daemon, this value goes from -20
222	# (most favorable scheduling) to 19 (least favorable). Using a
223	# very low value reduces the chances to lose state-change events.
224	# Default is 0 but this example file sets it to most favourable
225	# scheduling as this is generally a good idea. See man nice(1) for
226	# more information.
227	#
228	Nice -20
229
230	#
231	# Select a different scheduler for the daemon, you can select between
232	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
233	# See man sched_setscheduler(2) for more information. Using a RT
234	# scheduler reduces the chances to overrun the Netlink buffer.
235	#
236	# Scheduler {
237	#	Type FIFO
238	#	Priority 99
239	# }
240
241	#
242	# Number of buckets in the cache hashtable. The bigger it is,
243	# the closer it gets to O(1) at the cost of consuming more memory.
244	# Read some documents about tuning hashtables for further reference.
245	#
246	HashSize 32768
247
248	#
249	# Maximum number of conntracks, it should be double of: 
250	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
251	# since the daemon may keep some dead entries cached for possible
252	# retransmission during state synchronization.
253	#
254	HashLimit 131072
255
256	#
257	# Logfile: on (/var/log/conntrackd.log), off, or a filename
258	# Default: off
259	#
260	LogFile on
261
262	#
263	# Syslog: on, off or a facility name (daemon (default) or local0..7)
264	# Default: off
265	#
266	#Syslog on
267
268	#
269	# Lockfile
270	# 
271	LockFile /var/lock/conntrack.lock
272
273	#
274	# Unix socket configuration
275	#
276	UNIX {
277		Path /var/run/conntrackd.ctl
278		Backlog 20
279	}
280
281	#
282	# Netlink event socket buffer size. If you do not specify this clause,
283	# the default buffer size value in /proc/net/core/rmem_default is
284	# used. This default value is usually around 100 Kbytes which is
285	# fairly small for busy firewalls. This leads to event message dropping
286	# and high CPU consumption. This example configuration file sets the
287	# size to 2 MBytes to avoid this sort of problems.
288	#
289	NetlinkBufferSize 2097152
290
291	#
292	# The daemon doubles the size of the netlink event socket buffer size
293	# if it detects netlink event message dropping. This clause sets the
294	# maximum buffer size growth that can be reached. This example file
295	# sets the size to 8 MBytes.
296	#
297	NetlinkBufferSizeMaxGrowth 8388608
298
299	#
300	# If the daemon detects that Netlink is dropping state-change events,
301	# it automatically schedules a resynchronization against the Kernel
302	# after 30 seconds (default value). Resynchronizations are expensive
303	# in terms of CPU consumption since the daemon has to get the full
304	# kernel state-table and purge state-entries that do not exist anymore.
305	# Be careful of setting a very small value here. You have the following
306	# choices: On (enabled, use default 30 seconds value), Off (disabled)
307	# or Value (in seconds, to set a specific amount of time). If not
308	# specified, the daemon assumes that this option is enabled.
309	#
310	# NetlinkOverrunResync On
311
312	# If you want reliable event reporting over Netlink, set on this
313	# option. If you set on this clause, it is a good idea to set off
314	# NetlinkOverrunResync. This option is off by default and you need
315	# a Linux kernel >= 2.6.31.
316	#
317	# NetlinkEventsReliable Off
318
319	# 
320	# By default, the daemon receives state updates following an
321	# event-driven model. You can modify this behaviour by switching to
322	# polling mode with the PollSecs clause. This clause tells conntrackd
323	# to dump the states in the kernel every N seconds. With regards to
324	# synchronization mode, the polling mode can only guarantee that
325	# long-lifetime states are recovered. The main advantage of this method
326	# is the reduction in the state replication at the cost of reducing the
327	# chances of recovering connections.
328	#
329	# PollSecs 15
330
331	#
332	# The daemon prioritizes the handling of state-change events coming
333	# from the core. With this clause, you can set the maximum number of
334	# state-change events (those coming from kernel-space) that the daemon
335	# will handle after which it will handle other events coming from the
336	# network or userspace. A low value improves interactivity (in terms of
337	# real-time behaviour) at the cost of extra CPU consumption.
338	# Default (if not set) is 100.
339	#
340	# EventIterationLimit 100
341
342	#
343	# Event filtering: This clause allows you to filter certain traffic,
344	# There are currently three filter-sets: Protocol, Address and
345	# State. The filter is attached to an action that can be: Accept or
346	# Ignore. Thus, you can define the event filtering policy of the
347	# filter-sets in positive or negative logic depending on your needs.
348	# You can select if conntrackd filters the event messages from 
349	# user-space or kernel-space. The kernel-space event filtering
350	# saves some CPU cycles by avoiding the copy of the event message
351	# from kernel-space to user-space. The kernel-space event filtering
352	# is prefered, however, you require a Linux kernel >= 2.6.29 to
353	# filter from kernel-space. If you want to select kernel-space 
354	# event filtering, use the keyword 'Kernelspace' instead of 
355	# 'Userspace'.
356	#
357	Filter From Userspace {
358		#
359		# Accept only certain protocols: You may want to replicate
360		# the state of flows depending on their layer 4 protocol.
361		#
362		Protocol Accept {
363			TCP
364			SCTP
365			DCCP
366			# UDP
367			# ICMP # This requires a Linux kernel >= 2.6.31
368			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
369		}
370
371		#
372		# Ignore traffic for a certain set of IP's: Usually all the
373		# IP assigned to the firewall since local traffic must be
374		# ignored, only forwarded connections are worth to replicate.
375		# Note that these values depends on the local IPs that are
376		# assigned to the firewall.
377		#
378		Address Ignore {
379			IPv4_address 127.0.0.1 # loopback
380			IPv4_address 192.168.0.100 # virtual IP 1
381			IPv4_address 192.168.1.100 # virtual IP 2
382			IPv4_address 192.168.0.1
383			IPv4_address 192.168.1.1
384			IPv4_address 192.168.100.100 # dedicated link ip
385			#
386			# You can also specify networks in format IP/cidr.
387			# IPv4_address 192.168.0.0/24
388			#
389			# You can also specify an IPv6 address
390			# IPv6_address ::1
391		}
392
393		#
394		# Uncomment this line below if you want to filter by flow state.
395		# This option introduces a trade-off in the replication: it
396		# reduces CPU consumption at the cost of having lazy backup 
397		# firewall replicas. The existing TCP states are: SYN_SENT,
398		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
399		# TIME_WAIT, CLOSED, LISTEN.
400		#
401		# State Accept {
402		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
403		# }
404	}
405}
406