
NAME

       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS

       conntrackd [options]

DESCRIPTION

       conntrackd  is  the  user-space  daemon  for  the  netfilter connection
       tracking system. This daemon synchronizes  connection  tracking  states
       between  several  replica  firewalls.  Thus,  conntrackd can be used to
       deploy  highly  available  stateful  firewalls.  The  daemon   supports
       Primary-Backup  and Multiprimary setups. The daemon can also be used as
       statistics collector.

OPTIONS

       The options recognized  by  conntrackd  can  be  divided  into  several
       different groups.

   MODES
       These options specify the particular operation mode in which conntrackd
       runs. Only one of them can be specified at any given time.

       -d     Run conntrackd in daemon mode.

   CLIENT COMMANDS
       conntrackd can be used in client mode to request information  from,
       and issue operations to, a running daemon.

       -i     Dump the internal cache, i.e. show local states

       -e     Dump the external cache, i.e. show foreign states

       -x     Display  output  in  XML  format.  This  option is only valid in
              combination with "-i" and "-e" parameters.

       -f [|internal|external]
              Flush the internal and/or external cache

       -F     Flush the kernel conntrack table (if you use a Linux  kernel  >=
              2.6.29,  this  option  will not flush your internal and external
              cache).

       -B     Force a bulk send to other replica firewalls. With this command,
              you  will  ask conntrackd to send the state-entries that it owns
              to others.

       -k     Kill the daemon

       -s [|network|cache|runtime|link|rsqueue|process|queue]
              Dump statistics. If no parameter  is  passed,  it  displays  the
              general  statistics.   If  "network"  is  passed as parameter it
              displays the networking statistics.  If  "cache"  is  passed  as
              parameter, it shows the extended cache statistics.  If "runtime"
              is passed as parameter, it shows the  run-time  statistics.   If
              "process"  is  passed  as  parameter,  it  shows  existing child
              processes (if any).  If "queue" is passed as parameter, it shows
              queue statistics.

       -R     Force a resync against the kernel connection tracking table

       -t     Reset the in-kernel timers (See PurgeTimeout clause)

       -v     Display version information.

       -h     Display help information.

DIAGNOSTICS

       The  exit  code is 0 for correct function. Errors cause an exit code of
       1.

EXAMPLES

       The following examples are illustrative; for real use in a  firewall
       fail-over,  check  the  primary-backup.sh  script  that  comes  with
       the sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those  handled
              by this firewall

       conntrackd -e
              Dumps  the states held in the external cache, i.e. those handled
              by other replica firewalls

       conntrackd -c
              Commits the external cache into the kernel  connection  tracking
              system. This is used to inject the state so that the connections
              can be recovered during the failover.
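
       A  role-change  hook  that  strings  the  client  commands above into
       a fail-over sequence (an added example,  not  the  primary-backup.sh
       script  shipped  with  the  sources).  It assumes the daemon is already
       running on both nodes, that a cluster manager calls it with "primary"
       or  "backup"  when  the  node's role changes, and that the -c, -f, -R,
       -B ordering for takeover and -t for demotion are appropriate for  your
       setup.

```shell
#!/bin/sh
# Fail-over hook (added example; not the project's own primary-backup.sh).
# Assumed: conntrackd -d already runs on every replica, and the cluster
# manager invokes this script as "hook.sh primary" or "hook.sh backup".

CONNTRACKD_BIN="${CONNTRACKD_BIN:-/usr/sbin/conntrackd}"

# Print, one per line, the client-command flags for a role transition.
# primary: -c  commit the external cache (the peer's states) into the kernel
#          -f  flush the internal and external caches
#          -R  resync the internal cache against the kernel table
#          -B  bulk-send the states this node now owns to the other replicas
# backup:  -t  reset the in-kernel timers (see the PurgeTimeout clause)
takeover_commands() {
    case "$1" in
        primary) printf '%s\n' -c -f -R -B ;;
        backup)  printf '%s\n' -t ;;
        *)       return 1 ;;
    esac
}

# Run the sequence for a role. Each conntrackd client call exits 0 on
# success and 1 on error, so stop at the first failure instead of
# continuing with a half-applied takeover.
run_takeover() {
    role="$1"
    takeover_commands "$role" >/dev/null 2>&1 || {
        echo "usage: $0 primary|backup" >&2
        return 2
    }
    # Make sure a daemon is answering before changing anything.
    "$CONNTRACKD_BIN" -s >/dev/null || {
        echo "no running conntrackd answered -s" >&2
        return 1
    }
    for flag in $(takeover_commands "$role"); do
        "$CONNTRACKD_BIN" "$flag" || {
            echo "conntrackd $flag failed during $role transition" >&2
            return 1
        }
    done
}

# Act only when invoked with a role; sourcing the file just defines functions.
if [ -n "${1:-}" ]; then
    run_takeover "$1"
fi
```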

DEPENDENCIES

       This daemon requires a Linux  kernel  version  >=  2.6.18.  TCP  window
       tracking  support requires >= 2.6.22, otherwise you have to disable it.
       Helpers are fully supported since >= 2.6.25; if you  use  any  previous
       version,  depending  on  the  protocol  helper  and  your  setup  (e.g.
       whether your setup performs NAT sequence adjustments  or  not),  helped
       connections may still be successfully recovered.

       There are several unsupported stateful iptables matches such as recent,
       connbytes and the quota matches which gather  internal  information  to
       operate.  Since  that  information does not belong to the domain of the
       connection tracking system, connections affected by those  matches  may
       not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support kernel-
       space event filtering. Otherwise, all the event filtering  is  done  in
       userspace  with  the corresponding extra overhead. If you are not using
       the Filter clause in the configuration file, ignore this notice.

INCOMPATIBILITIES

       During the 0.9.9 development, some important changes in the replication
       message format were introduced. Therefore, conntrackd >= 0.9.9 will not
       work  appropriately  with  conntrackd  <=  0.9.8.  This should not be a
       problem if you use the same conntrackd  version  in  all  the  firewall
       replica nodes.

SEE ALSO

       conntrack(8), iptables(8)
       See http://conntrack-tools.netfilter.org

BUGS

       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter’s bugzilla (https://bugzilla.netfilter.org).

AUTHORS

       Pablo Neira Ayuso wrote and maintains the conntrackd tool

       Please  send  bug  reports  to   <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

                                 Oct 21, 2008