• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /netgear-R7000-V1.0.7.12_1.2.5/ap/gpl/conntrack-tools/conntrack-tools-1.4.0/doc/sync/notrack/
1#
2# Synchronizer settings
3#
4Sync {
5	Mode NOTRACK {
6		#
7		# This parameter allows you to set an initial fixed timeout
8		# for the committed entries when this node goes from backup
9		# to primary. This mechanism provides a way to purge entries
10		# that were not recovered appropriately after the specified
11		# fixed timeout. If you set a low value, TCP entries in
12		# Established states with no traffic may hang. For example,
13		# an SSH connection without KeepAlive enabled. If not set,
14		# the daemon uses an approximate timeout value calculation
15		# mechanism. By default, this option is not set.
16		#
17		# CommitTimeout 180
18
19		#
20		# If the firewall replica goes from primary to backup,
21		# the conntrackd -t command is invoked in the script. 
22		# This command schedules a flush of the table in N seconds.
23		# This is useful to purge the connection tracking table of
24		# zombie entries and avoid clashes with old entries if you
25		# trigger several consecutive hand-overs. Default is 60 seconds.
26		#
27		# PurgeTimeout 60
28
29		#
30		# This clause allows you to disable the internal cache. Thus,
31		# the synchronization messages are directly send through
32		# the dedicated link. This option is set of off by default.
33		#
34		# DisableInternalCache Off
35
36		#	
37		# This clause allows you to disable the external cache. Thus,
38		# the state entries are directly injected into the kernel
39		# conntrack table. As a result, you save memory in user-space
40		# but you consume slots in the kernel conntrack table for
41		# backup state entries. Moreover, disabling the external cache
42		# means more CPU consumption. You need a Linux kernel
43		# >= 2.6.29 to use this feature. By default, this clause is
44		# set off. If you are installing conntrackd for first time,
45		# please read the user manual and I encourage you to consider
46		# using the fail-over scripts instead of enabling this option!
47		#
48		# DisableExternalCache Off
49	}
50
51	#
52	# Multicast IP and interface where messages are
53	# broadcasted (dedicated link). IMPORTANT: Make sure
54	# that iptables accepts traffic for destination
55	# 225.0.0.50, eg:
56	#
57	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
58	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
59	#
60	Multicast {
61		# 
62		# Multicast address: The address that you use as destination
63		# in the synchronization messages. You do not have to add
64		# this IP to any of your existing interfaces. If any doubt,
65		# do not modify this value.
66		#
67		IPv4_address 225.0.0.50
68
69		#
70		# The multicast group that identifies the cluster. If any
71		# doubt, do not modify this value.
72		#
73		Group 3780
74
75		#
76		# IP address of the interface that you are going to use to
77		# send the synchronization messages. Remember that you must
78		# use a dedicated link for the synchronization messages.
79		#
80		IPv4_interface 192.168.100.100
81
82		#
83		# The name of the interface that you are going to use to
84		# send the synchronization messages.
85		#
86		Interface eth2
87
88		# The multicast sender uses a buffer to enqueue the packets
89		# that are going to be transmitted. The default size of this
90		# socket buffer is available at /proc/sys/net/core/wmem_default.
91		# This value determines the chances to have an overrun in the
92		# sender queue. The overrun results packet loss, thus, losing
93		# state information that would have to be retransmitted. If you
94		# notice some packet loss, you may want to increase the size
95		# of the sender buffer. The default size is usually around
96		# ~100 KBytes which is fairly small for busy firewalls.
97		# Note: This protocol is best effort, it is really recommended
98		# to increase the buffer size.
99		#
100		SndSocketBuffer 1249280
101
102		# The multicast receiver uses a buffer to enqueue the packets
103		# that the socket is pending to handle. The default size of this
104		# socket buffer is available at /proc/sys/net/core/rmem_default.
105		# This value determines the chances to have an overrun in the
106		# receiver queue. The overrun results packet loss, thus, losing
107		# state information that would have to be retransmitted. If you
108		# notice some packet loss, you may want to increase the size of
109		# of the sender buffer. The default size is usually around
110		# ~100 KBytes which is fairly small for busy firewalls.
111		# Note: This protocol is best effort, it is really recommended
112		# to increase the buffer size.
113		#
114		RcvSocketBuffer 1249280
115
116		#
117		# Enable/Disable message checksumming. This is a good
118		# property to achieve fault-tolerance. In case of doubt, do
119		# not modify this value.
120		#
121		Checksum on
122	}
123	#
124	# You can specify more than one dedicated link. Thus, if one dedicated
125	# link fails, conntrackd can fail-over to another. Note that adding
126	# more than one dedicated link does not mean that state-updates will
127	# be sent to all of them. There is only one active dedicated link at
128	# a given moment. The `Default' keyword indicates that this interface
129	# will be selected as the initial dedicated link. You can have 
130	# up to 4 redundant dedicated links. Note: Use different multicast 
131	# groups for every redundant link.
132	#
133	# Multicast Default {
134	#	IPv4_address 225.0.0.51
135	#	Group 3781
136	#	IPv4_interface 192.168.100.101
137	#	Interface eth3
138	#	# SndSocketBuffer 1249280
139	#	# RcvSocketBuffer 1249280
140	#	Checksum on
141	# }
142
143	#
144	# You can use Unicast UDP instead of Multicast to propagate events.
145	# Note that you cannot use unicast UDP and Multicast at the same
146	# time, you can only select one.
147	# 
148	# UDP {
149		# 
150		# UDP address that this firewall uses to listen to events.
151		#
152		# IPv4_address 192.168.2.100
153		#
154		# or you may want to use an IPv6 address:
155		#
156		# IPv6_address fe80::215:58ff:fe28:5a27
157
158		#
159		# Destination UDP address that receives events, ie. the other
160		# firewall's dedicated link address.
161		#
162		# IPv4_Destination_Address 192.168.2.101
163		#
164		# or you may want to use an IPv6 address:
165		#
166		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
167
168		#
169		# UDP port used
170		#
171		# Port 3780
172
173		#
174		# The name of the interface that you are going to use to
175		# send the synchronization messages.
176		#
177		# Interface eth2
178
179		# 
180		# The sender socket buffer size
181		#
182		# SndSocketBuffer 1249280
183
184		#
185		# The receiver socket buffer size
186		#
187		# RcvSocketBuffer 1249280
188
189		# 
190		# Enable/Disable message checksumming. 
191		#
192		# Checksum on
193	# }
194
195	#
196	# You can also use Unicast TCP to propagate events. Thus, the NOTRACK
197	# mode becomes reliable.
198	# 
199	# TCP {
200		# 
201		# TCP address that this firewall uses to listen to events.
202		#
203		# IPv4_address 192.168.2.100
204		#
205		# or you may want to use an IPv6 address:
206		#
207		# IPv6_address fe80::215:58ff:fe28:5a27
208
209		#
210		# Destination TCP address that receives events, ie. the other
211		# firewall's dedicated link address.
212		#
213		# IPv4_Destination_Address 192.168.2.101
214		#
215		# or you may want to use an IPv6 address:
216		#
217		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
218
219		#
220		# TCP port used
221		#
222		# Port 3780
223
224		#
225		# The name of the interface that you are going to use to
226		# send the synchronization messages.
227		#
228		# Interface eth2
229
230		# 
231		# The sender socket buffer size
232		#
233		# SndSocketBuffer 1249280
234
235		#
236		# The receiver socket buffer size
237		#
238		# RcvSocketBuffer 1249280
239
240		# 
241		# Enable/Disable message checksumming. 
242		#
243		# Checksum on
244	# }
245
246	#
247	# Other unsorted options that are related to the synchronization.
248	#
249	# Options {
250		#
251		# TCP state-entries have window tracking disabled by default,
252		# you can enable it with this option. As said, default is off.
253		# This feature requires a Linux kernel >= 2.6.36.
254		#
255		# TCPWindowTracking Off
256
257		# Set this option on if you want to enable the synchronization
258		# of expectations. You have to specify the list of helpers that
259		# you want to enable. Default is off.
260		#
261		# ExpectationSync {
262		#       ftp
263		#       ras
264		#	q.931
265		#	h.245
266		#       sip
267		# }
268		#
269		# You can use this alternatively:
270		#
271		# ExpectationSync On
272		#
273		# If you want to synchronize expectations of all helpers.
274	# }
275}
276
277#
278# General settings
279#
280General {
281	#
282	# Set the nice value of the daemon, this value goes from -20
283	# (most favorable scheduling) to 19 (least favorable). Using a
284	# very low value reduces the chances to lose state-change events.
285	# Default is 0 but this example file sets it to most favourable
286	# scheduling as this is generally a good idea. See man nice(1) for
287	# more information.
288	#
289	Nice -20
290
291	#
292	# Select a different scheduler for the daemon, you can select between
293	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
294	# See man sched_setscheduler(2) for more information. Using a RT
295	# scheduler reduces the chances to overrun the Netlink buffer.
296	#
297	# Scheduler {
298	#	Type FIFO
299	#	Priority 99
300	# }
301
302	#
303	# Number of buckets in the cache hashtable. The bigger it is,
304	# the closer it gets to O(1) at the cost of consuming more memory.
305	# Read some documents about tuning hashtables for further reference.
306	#
307	HashSize 32768
308
309	#
310	# Maximum number of conntracks, it should be double of: 
311	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
312	# since the daemon may keep some dead entries cached for possible
313	# retransmission during state synchronization.
314	#
315	HashLimit 131072
316
317	#
318	# Logfile: on (/var/log/conntrackd.log), off, or a filename
319	# Default: off
320	#
321	LogFile on
322
323	#
324	# Syslog: on, off or a facility name (daemon (default) or local0..7)
325	# Default: off
326	#
327	#Syslog on
328
329	#
330	# Lockfile
331	# 
332	LockFile /var/lock/conntrack.lock
333
334	#
335	# Unix socket configuration
336	#
337	UNIX {
338		Path /var/run/conntrackd.ctl
339		Backlog 20
340	}
341
342	#
343	# Netlink event socket buffer size. If you do not specify this clause,
344	# the default buffer size value in /proc/net/core/rmem_default is
345	# used. This default value is usually around 100 Kbytes which is
346	# fairly small for busy firewalls. This leads to event message dropping
347	# and high CPU consumption. This example configuration file sets the
348	# size to 2 MBytes to avoid this sort of problems.
349	#
350	NetlinkBufferSize 2097152
351
352	#
353	# The daemon doubles the size of the netlink event socket buffer size
354	# if it detects netlink event message dropping. This clause sets the
355	# maximum buffer size growth that can be reached. This example file
356	# sets the size to 8 MBytes.
357	#
358	NetlinkBufferSizeMaxGrowth 8388608
359
360	#
361	# If the daemon detects that Netlink is dropping state-change events,
362	# it automatically schedules a resynchronization against the Kernel
363	# after 30 seconds (default value). Resynchronizations are expensive
364	# in terms of CPU consumption since the daemon has to get the full
365	# kernel state-table and purge state-entries that do not exist anymore.
366	# Be careful of setting a very small value here. You have the following
367	# choices: On (enabled, use default 30 seconds value), Off (disabled)
368	# or Value (in seconds, to set a specific amount of time). If not
369	# specified, the daemon assumes that this option is enabled.
370	#
371	# NetlinkOverrunResync On
372
373	# If you want reliable event reporting over Netlink, set on this
374	# option. If you set on this clause, it is a good idea to set off
375	# NetlinkOverrunResync. This option is off by default and you need
376	# a Linux kernel >= 2.6.31.
377	#
378	# NetlinkEventsReliable Off
379
380	# 
381	# By default, the daemon receives state updates following an
382	# event-driven model. You can modify this behaviour by switching to
383	# polling mode with the PollSecs clause. This clause tells conntrackd
384	# to dump the states in the kernel every N seconds. With regards to
385	# synchronization mode, the polling mode can only guarantee that
386	# long-lifetime states are recovered. The main advantage of this method
387	# is the reduction in the state replication at the cost of reducing the
388	# chances of recovering connections.
389	#
390	# PollSecs 15
391
392	#
393	# The daemon prioritizes the handling of state-change events coming
394	# from the core. With this clause, you can set the maximum number of
395	# state-change events (those coming from kernel-space) that the daemon
396	# will handle after which it will handle other events coming from the
397	# network or userspace. A low value improves interactivity (in terms of
398	# real-time behaviour) at the cost of extra CPU consumption.
399	# Default (if not set) is 100.
400	#
401	# EventIterationLimit 100
402
403	#
404	# Event filtering: This clause allows you to filter certain traffic,
405	# There are currently three filter-sets: Protocol, Address and
406	# State. The filter is attached to an action that can be: Accept or
407	# Ignore. Thus, you can define the event filtering policy of the
408	# filter-sets in positive or negative logic depending on your needs.
409	# You can select if conntrackd filters the event messages from 
410	# user-space or kernel-space. The kernel-space event filtering
411	# saves some CPU cycles by avoiding the copy of the event message
412	# from kernel-space to user-space. The kernel-space event filtering
413	# is prefered, however, you require a Linux kernel >= 2.6.29 to
414	# filter from kernel-space. If you want to select kernel-space 
415	# event filtering, use the keyword 'Kernelspace' instead of 
416	# 'Userspace'.
417	#
418	Filter From Userspace {
419		#
420		# Accept only certain protocols: You may want to replicate
421		# the state of flows depending on their layer 4 protocol.
422		#
423		Protocol Accept {
424			TCP
425			SCTP
426			DCCP
427			# UDP
428			# ICMP # This requires a Linux kernel >= 2.6.31
429			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
430		}
431
432		#
433		# Ignore traffic for a certain set of IP's: Usually all the
434		# IP assigned to the firewall since local traffic must be
435		# ignored, only forwarded connections are worth to replicate.
436		# Note that these values depends on the local IPs that are
437		# assigned to the firewall.
438		#
439		Address Ignore {
440			IPv4_address 127.0.0.1 # loopback
441			IPv4_address 192.168.0.100 # virtual IP 1
442			IPv4_address 192.168.1.100 # virtual IP 2
443			IPv4_address 192.168.0.1
444			IPv4_address 192.168.1.1
445			IPv4_address 192.168.100.100 # dedicated link ip
446			#
447			# You can also specify networks in format IP/cidr.
448			# IPv4_address 192.168.0.0/24
449			#
450			# You can also specify an IPv6 address
451			# IPv6_address ::1
452		}
453
454		#
455		# Uncomment this line below if you want to filter by flow state.
456		# This option introduces a trade-off in the replication: it
457		# reduces CPU consumption at the cost of having lazy backup 
458		# firewall replicas. The existing TCP states are: SYN_SENT,
459		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
460		# TIME_WAIT, CLOSED, LISTEN.
461		#
462		# State Accept {
463		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
464		# }
465	}
466}
467