CONNTRACKD

Section: (8)
Updated: Jan 5, 2008
 

NAME

conntrackd - netfilter connection tracking userspace daemon  

SYNOPSIS

conntrackd [options]  

DESCRIPTION

conntrackd provides a userspace daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states among several replica firewalls. Thus, conntrackd can be used to implement highly available stateful firewalls. The daemon fully supports Primary-Backup and Multiprimary setups for both symmetric and asymmetric paths. It can also be used as statistics collector.  

OPTIONS

The options recognized by conntrackd can be divided into several different groups.  

MODES

These options specify the particular operation mode in which conntrackd runs. Only one of them can be specified at any given time.
-d
Run conntrackd in daemon mode.
 

CLIENT COMMANDS

conntrackd can be used in client mode to request several information and operations to a running daemon
-i
Dump the internal cache, i.e. show local states
-e
Dump the external cache, i.e. show foreign states
-x
Display output in XML format. This option is only valid in combination with "-i" and "-e" parameters.
-f
Flush the internal and the external cache
-k
Kill the daemon
-s
Dump statistics
-R
Force a resync against the kernel connection tracking table
 

DIAGNOSTICS

The exit code is 0 for correct function. Errors cause an exit code of 1.  

EXAMPLES

conntrackd -d
Runs conntrackd in daemon and synchronization mode
conntrackd -i
Dumps the states held in the internal cache, i.e. those handled by this firewall
conntrackd -e
Dumps the states held in the external cache, i.e. those handled by other replica firewalls
conntrackd -c
Commits the internal cache into the kernel connection tracking system. This is used to inject the state so that the connections can be recovered during the failover.
 

DEPENDENCIES

This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22, otherwise you have to disable it. Helpers are fully supported since >= 2.6.25, however, if you use any previous version, depending on the protocol helper and your setup (e.g. if you setup performs NAT sequence adjustments or not), your help connection may be successfully recovered.
There are several unsupported stateful iptables matches such as recent, connbytes and the quota matches which gather internal information to operate. Since that information does not belong to the domain of the connection tracking system, connections affected by those matches may not be fully recovered during the takeover.
 

SEE ALSO

conntrack(8),iptables(8)
http://people.netfilter.org/pablo/conntrack-tools/  

AUTHORS

Pablo Neira Ayuso wrote and maintains the conntrackd tool
Please send bug reports to <[email protected]>. Subscription is required.

Man page written by Pablo Neira Ayuso <[email protected]>.


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
MODES
CLIENT COMMANDS
DIAGNOSTICS
EXAMPLES
DEPENDENCIES
SEE ALSO
AUTHORS

This document was created by man2html, using the manual pages.
Time: 12:38:38 GMT, December 28, 2007