NAME
       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS
       conntrackd [options]

DESCRIPTION
       conntrackd  is  the  user-space  daemon  for  the  netfilter connection
       tracking system. This daemon synchronizes  connection  tracking  states
       between  several  replica  firewalls.  Thus,  conntrackd can be used to
       deploy  highly  available  stateful  firewalls.  The  daemon   supports
       Primary-Backup  and Multiprimary setups. The daemon can also be used as
       a statistics collector.

OPTIONS
       The options recognized  by  conntrackd  can  be  divided  into  several
       different groups.

       These options specify the particular operation mode in which conntrackd
       runs. Only one of them can be specified at any given time.

       -d     Run conntrackd in daemon mode.

       conntrackd can be used in client mode to request information  from,  and
       issue operations to, a running daemon.

       -i     Dump the internal cache, i.e. show local states

       -e     Dump the external cache, i.e. show foreign states

       -x     Display  output  in  XML  format.  This  option is only valid in
              combination with "-i" and "-e" parameters.

       -f [|internal|external]
              Flush the internal and/or external cache

       -F     Flush the kernel conntrack table (if you use a Linux  kernel  >=
              2.6.29,  this  option  will not flush your internal and external

       -B     Force a bulk send to other replica firewalls. With this command,
              you  will  ask conntrackd to send the state-entries that it owns
              to others.

       -k     Kill the daemon

       -s [|network|cache|runtime|link|rsqueue|process|queue]
              Dump statistics. If no parameter  is  passed,  it  displays  the
              general  statistics.   If  "network"  is  passed as parameter it
              displays the networking statistics.  If  "cache"  is  passed  as
              parameter, it shows the extended cache statistics.  If "runtime"
              is passed as parameter, it shows the  run-time  statistics.   If
              "process"  is  passed  as  parameter,  it  shows  existing child
              processes (if any).  If "queue" is passed as parameter, it shows
              queue statistics.

       -R     Force a resync against the kernel connection tracking table

       -t     Reset the in-kernel timers (See PurgeTimeout clause)

       -v     Display version information.

       -h     Display help information.

DIAGNOSTICS
       The  exit  code is 0 for correct function. Errors cause an exit code of

EXAMPLES
       The following examples are illustrative; for real use  in  a  firewall
       fail-over,  check  the  script  that  comes with the

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those  handled
              by this firewall

       conntrackd -e
              Dumps  the states held in the external cache, i.e. those handled
              by other replica firewalls

       conntrackd -c
              Commits the external cache into the kernel  connection  tracking
              system. This is used to inject the state so that the connections
              can be recovered during the failover.
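As an added example (not part of the man page or the conntrackd package), a minimal fail-over hook that chains the client commands above in the order a Primary-Backup takeover needs. It assumes conntrackd -d is already running on every node and that an external cluster manager (not covered by this page) calls `failover_hook primary|backup` on a role change.

```shell
#!/bin/sh
# Added example, not from the conntrackd man page or package: a minimal
# fail-over hook for a Primary-Backup setup. It chains the client commands
# described above in the order a takeover needs. Assumptions: conntrackd -d
# is already running on every node, and a cluster manager (not covered here)
# invokes `failover_hook primary|backup` on a role change.
# Point CONNTRACKD at a stub (e.g. a function that prints its argument) to
# dry-run: the flags are then printed instead of executed.
CONNTRACKD="${CONNTRACKD:-conntrackd}"

# Print, one per line, the client flags a node runs when it takes ROLE ($1).
takeover_flags() {
    case "$1" in
        primary)
            # -c  commit the external cache (states the old primary owned)
            #     into the kernel so established connections survive
            # -f  flush both caches; their contents are stale after the commit
            # -R  resync the internal cache against the kernel conntrack table
            # -B  bulk-send the states this node now owns to the replicas
            printf '%s\n' -c -f -R -B ;;
        backup)
            # -t  reset the in-kernel timers (PurgeTimeout clause) for states
            #     this node no longer owns (assumption: the usual backup
            #     transition; the man page only documents the flag itself)
            printf '%s\n' -t ;;
        *)
            echo "usage: failover_hook primary|backup" >&2
            return 2 ;;
    esac
}

# Run the sequence for ROLE ($1); stop at the first non-zero exit code,
# since conntrackd exits 0 only on success (DIAGNOSTICS above).
failover_hook() {
    flags=$(takeover_flags "$1") || return $?
    for f in $flags; do
        if ! "$CONNTRACKD" "$f"; then
            echo "conntrackd $f failed, aborting transition to $1" >&2
            return 1
        fi
    done
}

if [ $# -gt 0 ]; then
    failover_hook "$@"
fi
```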


DEPENDENCIES
       This daemon requires a Linux  kernel  version  >=  2.6.18.  TCP  window
       tracking  support requires >= 2.6.22, otherwise you have to disable it.
       Helpers are fully supported since >= 2.6.25; however, if  you  use  any
       previous version, depending on the protocol helper and your setup (e.g.
       whether your setup performs NAT sequence adjustments  or  not),  connec-
       tions handled by a helper may still be successfully recovered.

       There are several unsupported stateful iptables matches such as recent,
       connbytes and quota, which gather  internal  information  in  order  to
       operate.  Since  that  information does not belong to the domain of the
       connection tracking system, connections affected by those  matches  may
       not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support kernel-
       space event filtering. Otherwise, all the event filtering  is  done  in
       userspace  with  the corresponding extra overhead. If you are not using
       the Filter clause in the configuration file, ignore this notice.


INCOMPATIBILITIES
       During the 0.9.9 development, some important changes in the replication
       message format were introduced. Therefore, conntrackd >= 0.9.9 will not
       work  appropriately  with  conntrackd  <=  0.9.8.  This should not be a
       problem if you use the same conntrackd  version  in  all  the  firewall
       replica nodes.

BUGS
       Please report them to or file a bug in
       Netfilter’s bugzilla (


AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool.

       Please send bug reports to <>.
       Subscription is required.

       Man page written by Pablo Neira Ayuso <>.

                                 Oct 21, 2008