CONNTRACKD(8) - Linux man page online | Administration and privileged commands
Netfilter connection tracking user-space daemon.
Aug 30, 2016
Aug 30, 2016 CONNTRACKD(8)
NAMEconntrackd - netfilter connection tracking user-space daemon
DESCRIPTIONconntrackd is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states between several replica firewalls. Thus, conntrackd can be used to deploy highly available stateful firewalls. The daemon supports Primary-Backup and Multiprimary setups and can also be used as statis‐ tics collector.
OPTIONSThe options recognized by conntrackd can be divided into two different groups. GEMERAL OPTIONS General options for the conntrackd daemon. -d Run conntrackd in daemon mode (fork to background). -C <path> Load config file specified in path. See conntrackd.conf(5) for details. -v Display version information. -h Display help information. CLIENT COMMANDS conntrackd can be used in client mode to request several information and operations to a running instance of the daemon. -i [ct|expect] Dump the internal cache, i.e. show local states -e [ct|expect] Dump the external cache, i.e. show foreign states -x Display output in XML format. This option is only valid in combination with -i and -e parameters. -f [internal|external] Flush the internal and/or external cache -F [ct|expect] Flush the kernel conntrack table (if you use a Linux kernel >= 2.6.29, this option will not flush your internal and external cache). -c Commit external cache to conntrack table. -B Force a bulk send to other replica firewalls. With this command, you will ask con‐ ntrackd to send the state-entries that it owns to others. -n Request resync with other node (only FT-FW and NOTRACK modes). -k Kill the daemon -s [network|cache|runtime|link|rsqueue|process|queue|ct|expect] Dump statistics. If no parameter is passed, it displays the general statistics. If "network" is passed as parameter it displays the networking statistics. If "cache" is passed as parameter, it shows the extended cache statistics. If "runtime" is passed as parameter, it shows the run-time statistics. If "process" is passed as parameter, it shows existing child processes (if any). If "queue" is passed as parameter, it shows queue statistics. If "ct" is passed, it displays the general statistics. If "expect" is passed as parameter, it shows expectation statistics. -R [ct|expect] Force a resync against the kernel connection tracking table -t Reset the in-kernel timers (See PurgeTimeout clause)
DIAGNOSTICSThe exit code is 0 for correct function. Errors cause an exit code of 1.
EXAMPLESThe following example are illustrative, for a real use in a firewall fail-over, check the primary-backup.sh script that comes with the sources. conntrackd -d Runs conntrackd in daemon and synchronization mode conntrackd -i Dumps the states held in the internal cache, i.e. those handled by this firewall conntrackd -e Dumps the states held in the external cache, i.e. those handled by other replica firewalls conntrackd -c Commits the external cache into the kernel connection tracking system. This is used to inject the state so that the connections can be recovered during the failover.
DEPENDENCIESThis daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22, otherwise you have to disable it. Helpers are fully supported since >= 2.6.25, however, if you use any previous version, depending on the protocol helper and your setup (e.g. if you setup performs NAT sequence adjustments or not), your help connec‐ tion may be successfully recovered. There are several unsupported stateful iptables matches such as recent, connbytes and the quota matches which gather internal information to operate. Since that information does not belong to the domain of the connection tracking system, connections affected by those matches may not be fully recovered during the takeover. The daemon requires a Linux kernel version >= 2.6.26 to support kernel-space event filter‐ ing. Otherwise, all the event filtering is done in userspace with the corresponding extra overhead. If you are not using the Filter clause in the configuration file, ignore this notice.
SYSTEMD INTEGRATIONStarting with the 1.4.4 release, conntrackd includes integration with systemd(1) to use an unit file of Type=notify and watchdog support. The daemon should be configured at build time to include such support and con‐ ntrackd.conf(5) should contain Systemd on.
INCOMPATIBILITIESDuring the 0.9.9 development, some important changes in the replication message format were introduced. Therefore, conntrackd >= 0.9.9 will not work appropriately with con‐ ntrackd <= 0.9.8. This should not be a problem if you use the same conntrackd version in all the firewall replica nodes.
SEE ALSOconntrackd.conf(5) conntrack(8) iptables(8) nft(8) http://conntrack-tools.netfilter.org
BUGSPlease, report them to @vger.kernel.org (subscription required) or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).
AUTHORSPablo Neira Ayuso wrote and maintains the conntrackd tool Man page written by Pablo Neira Ayuso <@netfilter.org>.
|This manual||Reference||Other manuals|
|refer to||conntrack(8) | conntrackd.conf(5) | iptables(8) | nft(8) | systemd(1)|