• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /netgear-R7000-V1.0.7.12_1.2.5/ap/gpl/conntrack-tools/conntrack-tools-1.4.0/doc/sync/notrack/
1#
2# Synchronizer settings
3#
4Sync {
5	Mode NOTRACK {
6		#
7		# This parameter allows you to set an initial fixed timeout
8		# for the committed entries when this node goes from backup
9		# to primary. This mechanism provides a way to purge entries
10		# that were not recovered appropriately after the specified
11		# fixed timeout. If you set a low value, TCP entries in
12		# Established states with no traffic may hang. For example,
13		# an SSH connection without KeepAlive enabled. If not set,
14		# the daemon uses an approximate timeout value calculation
15		# mechanism. By default, this option is not set.
16		#
17		# CommitTimeout 180
18
19		#
20		# If the firewall replica goes from primary to backup,
21		# the conntrackd -t command is invoked in the script. 
22		# This command schedules a flush of the table in N seconds.
23		# This is useful to purge the connection tracking table of
24		# zombie entries and avoid clashes with old entries if you
25		# trigger several consecutive hand-overs. Default is 60 seconds.
26		#
27		# PurgeTimeout 60
28
29		#
30		# This clause allows you to disable the internal cache. Thus,
31		# the synchronization messages are directly send through
32		# the dedicated link. This option is set of off by default.
33		#
34		# DisableInternalCache Off
35
36		#	
37		# This clause allows you to disable the external cache. Thus,
38		# the state entries are directly injected into the kernel
39		# conntrack table. As a result, you save memory in user-space
40		# but you consume slots in the kernel conntrack table for
41		# backup state entries. Moreover, disabling the external cache
42		# means more CPU consumption. You need a Linux kernel
43		# >= 2.6.29 to use this feature. By default, this clause is
44		# set off. If you are installing conntrackd for first time,
45		# please read the user manual and I encourage you to consider
46		# using the fail-over scripts instead of enabling this option!
47		#
48		# DisableExternalCache Off
49	}
50
51	#
52	# Multicast IP and interface where messages are
53	# broadcasted (dedicated link). IMPORTANT: Make sure
54	# that iptables accepts traffic for destination
55	# 225.0.0.50, eg:
56	#
57	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
58	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
59	#
60	Multicast {
61		# 
62		# Multicast address: The address that you use as destination
63		# in the synchronization messages. You do not have to add
64		# this IP to any of your existing interfaces. If any doubt,
65		# do not modify this value.
66		#
67		IPv4_address 225.0.0.50
68
69		#
70		# The multicast group that identifies the cluster. If any
71		# doubt, do not modify this value.
72		#
73		Group 3780
74
75		#
76		# IP address of the interface that you are going to use to
77		# send the synchronization messages. Remember that you must
78		# use a dedicated link for the synchronization messages.
79		#
80		IPv4_interface 192.168.100.100
81
82		#
83		# The name of the interface that you are going to use to
84		# send the synchronization messages.
85		#
86		Interface eth2
87
88		# The multicast sender uses a buffer to enqueue the packets
89		# that are going to be transmitted. The default size of this
90		# socket buffer is available at /proc/sys/net/core/wmem_default.
91		# This value determines the chances to have an overrun in the
92		# sender queue. The overrun results packet loss, thus, losing
93		# state information that would have to be retransmitted. If you
94		# notice some packet loss, you may want to increase the size
95		# of the sender buffer. The default size is usually around
96		# ~100 KBytes which is fairly small for busy firewalls.
97		# Note: This protocol is best effort, it is really recommended
98		# to increase the buffer size.
99		#
100		SndSocketBuffer 1249280
101
102		# The multicast receiver uses a buffer to enqueue the packets
103		# that the socket is pending to handle. The default size of this
104		# socket buffer is available at /proc/sys/net/core/rmem_default.
105		# This value determines the chances to have an overrun in the
106		# receiver queue. The overrun results packet loss, thus, losing
107		# state information that would have to be retransmitted. If you
108		# notice some packet loss, you may want to increase the size of
109		# of the sender buffer. The default size is usually around
110		# ~100 KBytes which is fairly small for busy firewalls.
111		# Note: This protocol is best effort, it is really recommended
112		# to increase the buffer size.
113		#
114		RcvSocketBuffer 1249280
115
116		#
117		# Enable/Disable message checksumming. This is a good
118		# property to achieve fault-tolerance. In case of doubt, do
119		# not modify this value.
120		#
121		Checksum on
122	}
123	#
124	# You can specify more than one dedicated link. Thus, if one dedicated
125	# link fails, conntrackd can fail-over to another. Note that adding
126	# more than one dedicated link does not mean that state-updates will
127	# be sent to all of them. There is only one active dedicated link at
128	# a given moment. The `Default' keyword indicates that this interface
129	# will be selected as the initial dedicated link. You can have 
130	# up to 4 redundant dedicated links. Note: Use different multicast 
131	# groups for every redundant link.
132	#
133	# Multicast Default {
134	#	IPv4_address 225.0.0.51
135	#	Group 3781
136	#	IPv4_interface 192.168.100.101
137	#	Interface eth3
138	#	# SndSocketBuffer 1249280
139	#	# RcvSocketBuffer 1249280
140	#	Checksum on
141	# }
142
143	#
144	# You can use Unicast UDP instead of Multicast to propagate events.
145	# Note that you cannot use unicast UDP and Multicast at the same
146	# time, you can only select one.
147	# 
148	# UDP {
149		# 
150		# UDP address that this firewall uses to listen to events.
151		#
152		# IPv4_address 192.168.2.100
153		#
154		# or you may want to use an IPv6 address:
155		#
156		# IPv6_address fe80::215:58ff:fe28:5a27
157
158		#
159		# Destination UDP address that receives events, ie. the other
160		# firewall's dedicated link address.
161		#
162		# IPv4_Destination_Address 192.168.2.101
163		#
164		# or you may want to use an IPv6 address:
165		#
166		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
167
168		#
169		# UDP port used
170		#
171		# Port 3780
172
173		#
174		# The name of the interface that you are going to use to
175		# send the synchronization messages.
176		#
177		# Interface eth2
178
179		# 
180		# The sender socket buffer size
181		#
182		# SndSocketBuffer 1249280
183
184		#
185		# The receiver socket buffer size
186		#
187		# RcvSocketBuffer 1249280
188
189		# 
190		# Enable/Disable message checksumming. 
191		#
192		# Checksum on
193	# }
194
195	#
196	# You can also use Unicast TCP to propagate events. Thus, the NOTRACK
197	# mode becomes reliable.
198	# 
199	# TCP {
200		# 
201		# TCP address that this firewall uses to listen to events.
202		#
203		# IPv4_address 192.168.2.100
204		#
205		# or you may want to use an IPv6 address:
206		#
207		# IPv6_address fe80::215:58ff:fe28:5a27
208
209		#
210		# Destination TCP address that receives events, ie. the other
211		# firewall's dedicated link address.
212		#
213		# IPv4_Destination_Address 192.168.2.101
214		#
215		# or you may want to use an IPv6 address:
216		#
217		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
218
219		#
220		# TCP port used
221		#
222		# Port 3780
223
224		#
225		# The name of the interface that you are going to use to
226		# send the synchronization messages.
227		#
228		# Interface eth2
229
230		# 
231		# The sender socket buffer size
232		#
233		# SndSocketBuffer 1249280
234
235		#
236		# The receiver socket buffer size
237		#
238		# RcvSocketBuffer 1249280
239
240		# 
241		# Enable/Disable message checksumming. 
242		#
243		# Checksum on
244	# }
245
246	#
247	# Other unsorted options that are related to the synchronization.
248	#
249	# Options {
250		#
251		# TCP state-entries have window tracking disabled by default,
252		# you can enable it with this option. As said, default is off.
253		# This feature requires a Linux kernel >= 2.6.36.
254		#
255		# TCPWindowTracking Off
256
257		# Set this option on if you want to enable the synchronization
258		# of expectations. You have to specify the list of helpers that
259		# you want to enable. Default is off. This feature requires
260		# a Linux kernel >= 3.5.
261		#
262		# ExpectationSync {
263		#       ftp
264		#       ras
265		#	q.931
266		#	h.245
267		#       sip
268		# }
269		#
270		# You can use this alternatively:
271		#
272		# ExpectationSync On
273		#
274		# If you want to synchronize expectations of all helpers.
275	# }
276}
277
278#
279# General settings
280#
281General {
282	#
283	# Set the nice value of the daemon, this value goes from -20
284	# (most favorable scheduling) to 19 (least favorable). Using a
285	# very low value reduces the chances to lose state-change events.
286	# Default is 0 but this example file sets it to most favourable
287	# scheduling as this is generally a good idea. See man nice(1) for
288	# more information.
289	#
290	Nice -20
291
292	#
293	# Select a different scheduler for the daemon, you can select between
294	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
295	# See man sched_setscheduler(2) for more information. Using a RT
296	# scheduler reduces the chances to overrun the Netlink buffer.
297	#
298	# Scheduler {
299	#	Type FIFO
300	#	Priority 99
301	# }
302
303	#
304	# Number of buckets in the cache hashtable. The bigger it is,
305	# the closer it gets to O(1) at the cost of consuming more memory.
306	# Read some documents about tuning hashtables for further reference.
307	#
308	HashSize 32768
309
310	#
311	# Maximum number of conntracks, it should be double of: 
312	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
313	# since the daemon may keep some dead entries cached for possible
314	# retransmission during state synchronization.
315	#
316	HashLimit 131072
317
318	#
319	# Logfile: on (/var/log/conntrackd.log), off, or a filename
320	# Default: off
321	#
322	LogFile on
323
324	#
325	# Syslog: on, off or a facility name (daemon (default) or local0..7)
326	# Default: off
327	#
328	#Syslog on
329
330	#
331	# Lockfile
332	# 
333	LockFile /var/lock/conntrack.lock
334
335	#
336	# Unix socket configuration
337	#
338	UNIX {
339		Path /var/run/conntrackd.ctl
340		Backlog 20
341	}
342
343	#
344	# Netlink event socket buffer size. If you do not specify this clause,
345	# the default buffer size value in /proc/net/core/rmem_default is
346	# used. This default value is usually around 100 Kbytes which is
347	# fairly small for busy firewalls. This leads to event message dropping
348	# and high CPU consumption. This example configuration file sets the
349	# size to 2 MBytes to avoid this sort of problems.
350	#
351	NetlinkBufferSize 2097152
352
353	#
354	# The daemon doubles the size of the netlink event socket buffer size
355	# if it detects netlink event message dropping. This clause sets the
356	# maximum buffer size growth that can be reached. This example file
357	# sets the size to 8 MBytes.
358	#
359	NetlinkBufferSizeMaxGrowth 8388608
360
361	#
362	# If the daemon detects that Netlink is dropping state-change events,
363	# it automatically schedules a resynchronization against the Kernel
364	# after 30 seconds (default value). Resynchronizations are expensive
365	# in terms of CPU consumption since the daemon has to get the full
366	# kernel state-table and purge state-entries that do not exist anymore.
367	# Be careful of setting a very small value here. You have the following
368	# choices: On (enabled, use default 30 seconds value), Off (disabled)
369	# or Value (in seconds, to set a specific amount of time). If not
370	# specified, the daemon assumes that this option is enabled.
371	#
372	# NetlinkOverrunResync On
373
374	# If you want reliable event reporting over Netlink, set on this
375	# option. If you set on this clause, it is a good idea to set off
376	# NetlinkOverrunResync. This option is off by default and you need
377	# a Linux kernel >= 2.6.31.
378	#
379	# NetlinkEventsReliable Off
380
381	# 
382	# By default, the daemon receives state updates following an
383	# event-driven model. You can modify this behaviour by switching to
384	# polling mode with the PollSecs clause. This clause tells conntrackd
385	# to dump the states in the kernel every N seconds. With regards to
386	# synchronization mode, the polling mode can only guarantee that
387	# long-lifetime states are recovered. The main advantage of this method
388	# is the reduction in the state replication at the cost of reducing the
389	# chances of recovering connections.
390	#
391	# PollSecs 15
392
393	#
394	# The daemon prioritizes the handling of state-change events coming
395	# from the core. With this clause, you can set the maximum number of
396	# state-change events (those coming from kernel-space) that the daemon
397	# will handle after which it will handle other events coming from the
398	# network or userspace. A low value improves interactivity (in terms of
399	# real-time behaviour) at the cost of extra CPU consumption.
400	# Default (if not set) is 100.
401	#
402	# EventIterationLimit 100
403
404	#
405	# Event filtering: This clause allows you to filter certain traffic,
406	# There are currently three filter-sets: Protocol, Address and
407	# State. The filter is attached to an action that can be: Accept or
408	# Ignore. Thus, you can define the event filtering policy of the
409	# filter-sets in positive or negative logic depending on your needs.
410	# You can select if conntrackd filters the event messages from 
411	# user-space or kernel-space. The kernel-space event filtering
412	# saves some CPU cycles by avoiding the copy of the event message
413	# from kernel-space to user-space. The kernel-space event filtering
414	# is prefered, however, you require a Linux kernel >= 2.6.29 to
415	# filter from kernel-space. If you want to select kernel-space 
416	# event filtering, use the keyword 'Kernelspace' instead of 
417	# 'Userspace'.
418	#
419	Filter From Userspace {
420		#
421		# Accept only certain protocols: You may want to replicate
422		# the state of flows depending on their layer 4 protocol.
423		#
424		Protocol Accept {
425			TCP
426			SCTP
427			DCCP
428			# UDP
429			# ICMP # This requires a Linux kernel >= 2.6.31
430			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
431		}
432
433		#
434		# Ignore traffic for a certain set of IP's: Usually all the
435		# IP assigned to the firewall since local traffic must be
436		# ignored, only forwarded connections are worth to replicate.
437		# Note that these values depends on the local IPs that are
438		# assigned to the firewall.
439		#
440		Address Ignore {
441			IPv4_address 127.0.0.1 # loopback
442			IPv4_address 192.168.0.100 # virtual IP 1
443			IPv4_address 192.168.1.100 # virtual IP 2
444			IPv4_address 192.168.0.1
445			IPv4_address 192.168.1.1
446			IPv4_address 192.168.100.100 # dedicated link ip
447			#
448			# You can also specify networks in format IP/cidr.
449			# IPv4_address 192.168.0.0/24
450			#
451			# You can also specify an IPv6 address
452			# IPv6_address ::1
453		}
454
455		#
456		# Uncomment this line below if you want to filter by flow state.
457		# This option introduces a trade-off in the replication: it
458		# reduces CPU consumption at the cost of having lazy backup 
459		# firewall replicas. The existing TCP states are: SYN_SENT,
460		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
461		# TIME_WAIT, CLOSED, LISTEN.
462		#
463		# State Accept {
464		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
465		# }
466	}
467}
468