CONNTRACKD
Section: (8)Updated: Jan 5, 2008
NAME
conntrackd - netfilter connection tracking userspace daemonSYNOPSIS
conntrackd [options]DESCRIPTION
conntrackd provides a userspace daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states among several replica firewalls. Thus, conntrackd can be used to implement highly available stateful firewalls. The daemon fully supports Primary-Backup and Multiprimary setups for both symmetric and asymmetric paths. It can also be used as statistics collector.OPTIONS
The options recognized by conntrackd can be divided into several different groups.MODES
These options specify the particular operation mode in which conntrackd runs. Only one of them can be specified at any given time.- -d
- Run conntrackd in daemon mode.
CLIENT COMMANDS
conntrackd can be used in client mode to request several information and operations to a running daemon- -i
- Dump the internal cache, i.e. show local states
- -e
- Dump the external cache, i.e. show foreign states
- -x
- Display output in XML format. This option is only valid in combination with "-i" and "-e" parameters.
- -f
- Flush the internal and the external cache
- -k
- Kill the daemon
- -s
- Dump statistics
- -R
- Force a resync against the kernel connection tracking table
DIAGNOSTICS
The exit code is 0 for correct function. Errors cause an exit code of 1.EXAMPLES
- conntrackd -d
- Runs conntrackd in daemon and synchronization mode
- conntrackd -i
- Dumps the states held in the internal cache, i.e. those handled by this firewall
- conntrackd -e
- Dumps the states held in the external cache, i.e. those handled by other replica firewalls
- conntrackd -c
- Commits the internal cache into the kernel connection tracking system. This is used to inject the state so that the connections can be recovered during the failover.
DEPENDENCIES
This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22, otherwise you have to disable it. Helpers are fully supported since >= 2.6.25, however, if you use any previous version, depending on the protocol helper and your setup (e.g. if you setup performs NAT sequence adjustments or not), your help connection may be successfully recovered.- There are several unsupported stateful iptables matches such as recent, connbytes and the quota matches which gather internal information to operate. Since that information does not belong to the domain of the connection tracking system, connections affected by those matches may not be fully recovered during the takeover.
SEE ALSO
conntrack(8),iptables(8)http://people.netfilter.org/pablo/conntrack-tools/
AUTHORS
Pablo Neira Ayuso wrote and maintains the conntrackd tool- Please send bug reports to <[email protected]>. Subscription is required.
Man page written by Pablo Neira Ayuso <[email protected]>.
Index
This document was created by man2html, using the manual pages.
Time: 12:38:38 GMT, December 28, 2007