#
# Synchronizer settings
#
Sync {
	Mode FTFW {
		#
		# Size of the resend queue (in objects). This is the maximum
		# number of objects that can be stored waiting to be confirmed
		# via acknowledgment. If you keep this value low, the daemon
		# will have fewer chances to recover state-changes under message
		# omission. On the other hand, if you keep this value high,
		# the daemon will consume more memory to store dead objects.
		# Default is 131072 objects.
		#
		# ResendQueueSize 131072

		#
		# This parameter allows you to set an initial fixed timeout
		# for the committed entries when this node goes from backup
		# to primary. This mechanism provides a way to purge entries
		# that were not recovered appropriately after the specified
		# fixed timeout. If you set a low value, TCP entries in
		# Established states with no traffic may hang. For example,
		# an SSH connection without KeepAlive enabled. If not set,
		# the daemon uses an approximate timeout value calculation
		# mechanism. By default, this option is not set.
		#
		# CommitTimeout 180

		#
		# If the firewall replica goes from primary to backup,
		# the conntrackd -t command is invoked in the script.
		# This command schedules a flush of the table in N seconds.
		# This is useful to purge the connection tracking table of
		# zombie entries and avoid clashes with old entries if you
		# trigger several consecutive hand-overs. Default is 60 seconds.
		#
		# PurgeTimeout 60

		# Set the acknowledgment window size. If you decrease this
		# value, the number of acknowledgments increases. More
		# acknowledgments means more overhead as conntrackd has to
		# handle more control messages. On the other hand, if you
		# increase this value, the resend queue gets more populated.
		# This results in more overhead in the queue releasing.
		# The following value is based on some practical experiments
		# measuring the cycles spent by the acknowledgment handling
		# with oprofile. If not set, default window size is 300.
		#
		# ACKWindowSize 300

		#
		# This clause allows you to disable the external cache. Thus,
		# the state entries are directly injected into the kernel
		# conntrack table. As a result, you save memory in user-space
		# but you consume slots in the kernel conntrack table for
		# backup state entries. Moreover, disabling the external cache
		# means more CPU consumption. You need a Linux kernel
		# >= 2.6.29 to use this feature. By default, this clause is
		# set off. If you are installing conntrackd for the first time,
		# please read the user manual and I encourage you to consider
		# using the fail-over scripts instead of enabling this option!
		#
		# DisableExternalCache Off
	}

	#
	# Multicast IP and interface where messages are
	# broadcasted (dedicated link). IMPORTANT: Make sure
	# that iptables accepts traffic for destination
	# 225.0.0.50, e.g.:
	#
	# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
	# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
	#
	# Restrict those rules to the dedicated link (add -i eth2 to the
	# INPUT rule and -o eth2 to the OUTPUT rule for the interface
	# configured below) instead of accepting the group on every
	# interface: synchronization messages are neither authenticated
	# nor encrypted, so any host that can reach the multicast group
	# can inject or replay state into the backup. The dedicated link
	# must be an isolated, trusted network.
	#
	Multicast {
		#
		# Multicast address: The address that you use as destination
		# in the synchronization messages. You do not have to add
		# this IP to any of your existing interfaces. If in doubt,
		# do not modify this value.
		#
		IPv4_address 225.0.0.50

		#
		# The multicast group that identifies the cluster. If in
		# doubt, do not modify this value.
		#
		Group 3780

		#
		# IP address of the interface that you are going to use to
		# send the synchronization messages. Remember that you must
		# use a dedicated link for the synchronization messages.
		#
		IPv4_interface 192.168.100.100

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		Interface eth2

		# The multicast sender uses a buffer to enqueue the packets
		# that are going to be transmitted. The default size of this
		# socket buffer is available at /proc/sys/net/core/wmem_default.
		# This value determines the chances to have an overrun in the
		# sender queue. An overrun results in packet loss, thus losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the sender buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		#
		SndSocketBuffer 1249280

		# The multicast receiver uses a buffer to enqueue the packets
		# that the socket is pending to handle. The default size of this
		# socket buffer is available at /proc/sys/net/core/rmem_default.
		# This value determines the chances to have an overrun in the
		# receiver queue. An overrun results in packet loss, thus losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size of
		# the receiver buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		#
		RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming. This is a good
		# property to achieve fault-tolerance. Note that this is an
		# integrity checksum, not an authentication code: it detects
		# corrupted messages, not forged ones. In case of doubt, do
		# not modify this value.
		#
		Checksum on
	}
	#
	# You can specify more than one dedicated link. Thus, if one dedicated
	# link fails, conntrackd can fail-over to another. Note that adding
	# more than one dedicated link does not mean that state-updates will
	# be sent to all of them. There is only one active dedicated link at
	# a given moment. The `Default' keyword indicates that this interface
	# will be selected as the initial dedicated link. You can have
	# up to 4 redundant dedicated links. Note: Use different multicast
	# groups for every redundant link.
	#
	# Multicast Default {
	#	IPv4_address 225.0.0.51
	#	Group 3781
	#	IPv4_interface 192.168.100.101
	#	Interface eth3
	#	# SndSocketBuffer 1249280
	#	# RcvSocketBuffer 1249280
	#	Checksum on
	# }

	#
	# You can use Unicast UDP instead of Multicast to propagate events.
	# Note that you cannot use unicast UDP and Multicast at the same
	# time, you can only select one. The same caveat as for Multicast
	# applies: the messages are not authenticated, so the path between
	# the two addresses must be a trusted, dedicated link.
	#
	# UDP {
		#
		# UDP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination UDP address that receives events, i.e. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# UDP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		#
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming.
		#
		# Checksum on
	# }

	#
	# Other unsorted options that are related to the synchronization.
	#
	# Options {
		#
		# TCP state-entries have window tracking disabled by default;
		# you can enable it with this option. As said, default is off.
		# This feature requires a Linux kernel >= 2.6.36.
		#
		# TCPWindowTracking Off

		# Set this option on if you want to enable the synchronization
		# of expectations. You have to specify the list of helpers that
		# you want to enable. Default is off. This feature requires
		# a Linux kernel >= 3.5.
		#
		# ExpectationSync {
		#	ftp
		#	ras
		#	q.931
		#	h.245
		#	sip
		# }
		#
		# You can use this alternatively:
		#
		# ExpectationSync On
		#
		# If you want to synchronize expectations of all helpers.
	# }
}

#
# General settings
#
General {
	#
	# Set the nice value of the daemon; this value goes from -20
	# (most favorable scheduling) to 19 (least favorable). Using a
	# very low value reduces the chances to lose state-change events.
	# Default is 0 but this example file sets it to most favourable
	# scheduling as this is generally a good idea. See man nice(1) for
	# more information.
	#
	Nice -20

	#
	# Select a different scheduler for the daemon: you can choose between
	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
	# See man sched_setscheduler(2) for more information. Using an RT
	# scheduler reduces the chances to overrun the Netlink buffer.
	#
	# Scheduler {
	#	Type FIFO
	#	Priority 99
	# }

	#
	# Number of buckets in the cache hashtable. The bigger it is,
	# the closer it gets to O(1) at the cost of consuming more memory.
	# Read some documents about tuning hashtables for further reference.
	#
	HashSize 32768

	#
	# Maximum number of conntracks; it should be double the value of:
	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
	# since the daemon may keep some dead entries cached for possible
	# retransmission during state synchronization.
	#
	HashLimit 131072

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	#
	LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink event socket buffer size. If you do not specify this clause,
	# the default buffer size value in /proc/sys/net/core/rmem_default is
	# used. This default value is usually around 100 Kbytes which is
	# fairly small for busy firewalls. This leads to event message dropping
	# and high CPU consumption. This example configuration file sets the
	# size to 2 MBytes to avoid this sort of problem.
	#
	NetlinkBufferSize 2097152

	#
	# The daemon doubles the size of the netlink event socket buffer size
	# if it detects netlink event message dropping. This clause sets the
	# maximum buffer size growth that can be reached. This example file
	# sets the size to 8 MBytes.
	#
	NetlinkBufferSizeMaxGrowth 8388608

	#
	# If the daemon detects that Netlink is dropping state-change events,
	# it automatically schedules a resynchronization against the Kernel
	# after 30 seconds (default value). Resynchronizations are expensive
	# in terms of CPU consumption since the daemon has to get the full
	# kernel state-table and purge state-entries that do not exist anymore.
	# Be careful when setting a very small value here. You have the following
	# choices: On (enabled, use default 30 seconds value), Off (disabled)
	# or Value (in seconds, to set a specific amount of time). If not
	# specified, the daemon assumes that this option is enabled.
	#
	# NetlinkOverrunResync On

	#
	# If you want reliable event reporting over Netlink, turn this
	# option on. If you turn this clause on, it is a good idea to turn
	# NetlinkOverrunResync off. This option is off by default and you need
	# a Linux kernel >= 2.6.31.
	#
	# NetlinkEventsReliable Off

	#
	# By default, the daemon receives state updates following an
	# event-driven model. You can modify this behaviour by switching to
	# polling mode with the PollSecs clause. This clause tells conntrackd
	# to dump the states in the kernel every N seconds. With regards to
	# synchronization mode, the polling mode can only guarantee that
	# long-lifetime states are recovered. The main advantage of this method
	# is the reduction in the state replication at the cost of reducing the
	# chances of recovering connections.
	#
	# PollSecs 15

	#
	# The daemon prioritizes the handling of state-change events coming
	# from the core. With this clause, you can set the maximum number of
	# state-change events (those coming from kernel-space) that the daemon
	# will handle after which it will handle other events coming from the
	# network or userspace. A low value improves interactivity (in terms of
	# real-time behaviour) at the cost of extra CPU consumption.
	# Default (if not set) is 100.
	#
	# EventIterationLimit 100

	#
	# Event filtering: This clause allows you to filter certain traffic.
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# You can select if conntrackd filters the event messages from
	# user-space or kernel-space. The kernel-space event filtering
	# saves some CPU cycles by avoiding the copy of the event message
	# from kernel-space to user-space. The kernel-space event filtering
	# is preferred, however, you require a Linux kernel >= 2.6.29 to
	# filter from kernel-space. If you want to select kernel-space
	# event filtering, use the keyword 'Kernelspace' instead of
	# 'Userspace'.
	#
	Filter From Userspace {
		#
		# Accept only certain protocols: You may want to replicate
		# the state of flows depending on their layer 4 protocol.
		#
		Protocol Accept {
			TCP
			SCTP
			DCCP
			# UDP
			# ICMP # This requires a Linux kernel >= 2.6.31
			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
		}

		#
		# Ignore traffic for a certain set of IPs: usually all the
		# IPs assigned to the firewall, since local traffic must be
		# ignored; only forwarded connections are worth replicating.
		# Note that these values depend on the local IPs that are
		# assigned to the firewall. An address that is missing here
		# (a management IP, or the dedicated link itself) means that
		# the firewall's own connections, including the sync stream,
		# get replicated to the peer.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.1.100 # virtual IP 2
			IPv4_address 192.168.0.1
			IPv4_address 192.168.1.1
			IPv4_address 192.168.100.100 # dedicated link ip
			#
			# You can also specify networks in format IP/cidr.
			# IPv4_address 192.168.0.0/24
			#
			# You can also specify an IPv6 address
			# IPv6_address ::1
		}

		#
		# Uncomment the lines below if you want to filter by flow state.
		# This option introduces a trade-off in the replication: it
		# reduces CPU consumption at the cost of having lazy backup
		# firewall replicas. The existing TCP states are: SYN_SENT,
		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
		# TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}
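The CommitTimeout and PurgeTimeout comments in the Sync section refer to the hand-over script that drives conntrackd when this node changes role. The script below is an added example of such a script; it is not the primary-backup.sh shipped with conntrack-tools and not part of this configuration file. It assumes the conntrackd client flags -c, -f, -R, -B, -t and -n with the meanings noted in the comments, the binary and config paths given as defaults, and a CONNTRACKD_DRYRUN variable (introduced here for the example) that prints the client commands instead of running them.

```shell
#!/bin/sh
# conntrackd hand-over script, added here as an illustration. It is not the
# primary-backup.sh that ships with conntrack-tools. The cluster manager
# (keepalived, ucarp, ...) calls it with the role this node is moving to:
#   primary  take over: install the peer's states, then announce our own
#   backup   step down: purge stale kernel entries, then ask the peer for
#            a full copy of its states
#   fault    the cluster manager lost the peer: purge stale kernel entries
#
# Assumed (not taken from the configuration file): the binary and config
# paths below, and CONNTRACKD_DRYRUN=1, which prints the client commands
# instead of running them.

CONNTRACKD_BIN=${CONNTRACKD_BIN:-/usr/sbin/conntrackd}
CONNTRACKD_CONFIG=${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}
CONNTRACKD_DRYRUN=${CONNTRACKD_DRYRUN:-0}

# Run one conntrackd client command against the running daemon.
ctd() {
	if [ "$CONNTRACKD_DRYRUN" = 1 ]; then
		printf 'conntrackd -C %s %s\n' "$CONNTRACKD_CONFIG" "$*"
		return 0
	fi
	"$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"
}

# Ordered client flags for a role transition. Order matters: the peer's
# states must be committed (-c) before the caches are flushed (-f) and the
# internal cache rebuilt from the kernel (-R), and only then is the bulk
# update (-B) sent, so the peer receives the merged table, not a stale one.
#   -c  commit the external cache (the peer's states) into the kernel table
#   -f  flush the internal and external caches
#   -R  resync the internal cache against the kernel table
#   -B  send a bulk update of our states to the peer
#   -t  reset the kernel timers of the entries so zombies expire
#       (the hand-over path the PurgeTimeout comment refers to)
#   -n  request a full resync from the peer
handover_flags() {
	case "$1" in
		primary) printf '%s\n' "-c -f -R -B" ;;
		backup)  printf '%s\n' "-t -n" ;;
		fault)   printf '%s\n' "-t" ;;
		*)       return 1 ;;
	esac
}

# Apply a transition. Stops at the first failing command so an incomplete
# hand-over shows up in the exit status instead of being papered over.
handover() {
	flags=$(handover_flags "$1") || {
		echo "usage: $0 primary|backup|fault" >&2
		return 2
	}
	for f in $flags; do
		ctd "$f" || {
			echo "conntrackd $f failed during $1 hand-over" >&2
			return 1
		}
	done
	return 0
}

if [ -n "$1" ]; then
	handover "$1"
fi
```

Wire it to the cluster manager's notify hook (for keepalived, the notify_master / notify_backup / notify_fault scripts) so that each transition runs exactly one of the three sequences. The backup sequence is where PurgeTimeout applies: -t shortens the kernel timers on the node that just stepped down, so entries that the peer does not refresh disappear instead of clashing on the next hand-over.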
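Two values in the General section have to be derived from the running firewall by hand: HashLimit (double nf_conntrack_max) and the Address Ignore list (every local IP, so that the firewall's own traffic, including the sync stream on the dedicated link, is never replicated). The pre-flight check below is an added example, not a tool from conntrack-tools; the configuration fragment and the `ip -4 -o addr` output it parses are constructed samples embedded in the script so it runs offline.

```shell
#!/bin/sh
# Pre-flight checks for a conntrackd.conf. Added example, not a tool from
# conntrack-tools. It verifies two things the comments in the config leave
# to the operator:
#   1. General.HashLimit >= 2 * nf_conntrack_max
#   2. every address configured on the firewall is listed under
#      Filter / Address Ignore, so local traffic (including the sync
#      stream on the dedicated link) is never replicated to the peer.
# The config fragment and the `ip -4 -o addr` output below are constructed
# samples so the script runs offline.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
General {
	HashSize 32768
	HashLimit 131072
	Filter From Userspace {
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.100.100 # dedicated link ip
			# IPv4_address 192.168.0.0/24
		}
	}
}
EOF

# Constructed `ip -4 -o addr` output; 10.0.0.5 on eth3 is a management
# address that was never added to Address Ignore.
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth2    inet 192.168.100.100/24 brd 192.168.100.255 scope global eth2\       valid_lft forever preferred_lft forever
4: eth3    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth3\       valid_lft forever preferred_lft forever'

# First uncommented "Key value" line for KEY in FILE.
conf_value() {   # conf_value KEY FILE
	awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Addresses listed inside "Address Ignore { ... }", one per line, with
# trailing comments and commented-out entries dropped.
ignored_addresses() {   # ignored_addresses FILE
	awk '
		/^[[:space:]]*Address[[:space:]]+Ignore/ { inblk = 1; next }
		inblk && /^[[:space:]]*}/ { inblk = 0 }
		inblk { sub(/#.*/, ""); if ($1 ~ /^IPv[46]_address$/) print $2 }
	' "$1"
}

# Returns 0 if HashLimit is at least twice NF_CONNTRACK_MAX, 1 otherwise.
check_hashlimit() {   # check_hashlimit FILE NF_CONNTRACK_MAX
	limit=$(conf_value HashLimit "$1")
	if [ -n "$limit" ] && [ "$limit" -ge $(( $2 * 2 )) ]; then
		return 0
	fi
	return 1
}

# Reads `ip -4 -o addr` output on stdin and prints every local address
# that has no exact entry in Address Ignore (CIDR entries are not
# expanded). Empty output means every local address is covered.
missing_ignores() {   # missing_ignores FILE < ip-addr-output
	ignored=$(ignored_addresses "$1" | tr '\n' ' ')
	awk '{ sub("/.*", "", $4); print $4 }' |
	while read -r ip; do
		case " $ignored " in
			*" $ip "*) ;;
			*) echo "$ip" ;;
		esac
	done
}

# Human-readable summary. On a live node run:
#   ip -4 -o addr | report /etc/conntrackd/conntrackd.conf \
#       "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
report() {   # report FILE NF_CONNTRACK_MAX < ip-addr-output
	if check_hashlimit "$1" "$2"; then
		echo "HashLimit ok"
	else
		echo "HashLimit too small: need >= $(( $2 * 2 ))"
	fi
	missing=$(missing_ignores "$1")
	if [ -z "$missing" ]; then
		echo "Address Ignore covers every local address"
	else
		echo "not in Address Ignore: $missing"
	fi
}

printf '%s\n' "$SAMPLE_IP" | report "$SAMPLE_CONF" 65536
```

The address check only does exact matches, so a network entry such as 192.168.0.0/24 will not satisfy it; list the firewall's own addresses individually or extend the matcher. IPv6 addresses would need the same pass over `ip -6 -o addr` against the IPv6_address entries.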