Diffstat (limited to 'data/templates/conntrackd')
-rw-r--r--data/templates/conntrackd/conntrackd.conf.tmpl109
-rw-r--r--data/templates/conntrackd/conntrackd.op-mode.tmpl13
2 files changed, 122 insertions, 0 deletions
diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.tmpl
new file mode 100644
index 000000000..17ee529bf
--- /dev/null
+++ b/data/templates/conntrackd/conntrackd.conf.tmpl
@@ -0,0 +1,109 @@
+# autogenerated by conntrack_sync.py
+
+# Synchronizer settings
+Sync {
+ Mode FTFW {
+ DisableExternalCache {{ 'on' if disable_external_cache is defined else 'off' }}
+ }
+{% for iface, iface_config in interface.items() %}
+{% if loop.first %}
+{% if iface_config.peer is defined and iface_config.peer is not none %}
+ UDP {
+{% if listen_address is defined and listen_address is not none %}
+ IPv4_address {{ listen_address }}
+{% endif %}
+ IPv4_Destination_Address {{ iface_config.peer }}
+ Port 3780
+{% else %}
+{% set ip_address = iface | get_ipv4 %}
+ Multicast {
+ IPv4_address {{ mcast_group }}
+ Group 3780
+ IPv4_interface {{ ip_address[0] | ip_from_cidr }}
+{% endif %}
+ Interface {{ iface }}
+{% endif %}
+{% endfor %}
+ SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }}
+ RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }}
+ Checksum on
+ }
+{% if expect_sync is defined and expect_sync is not none %}
+ Options {
+{% if 'all' in expect_sync %}
+ ExpectationSync on
+{% else %}
+ ExpectationSync {
+{% for protocol in expect_sync %}
+ {{ protocol }}
+{% endfor %}
+ }
+{% endif %}
+ }
+{% endif %}
+}
+Helper {
+ Type rpc inet tcp {
+ QueueNum 3
+ Policy rpc {
+ ExpectMax 1
+ ExpectTimeout 300
+ }
+ }
+ Type rpc inet udp {
+ QueueNum 4
+ Policy rpc {
+ ExpectMax 1
+ ExpectTimeout 300
+ }
+ }
+ Type tns inet tcp {
+ QueueNum 5
+ Policy tns {
+ ExpectMax 1
+ ExpectTimeout 300
+ }
+ }
+}
+
+# General settings
+General {
+ HashSize {{ hash_size }}
+ HashLimit {{ table_size | int *2 }}
+ LogFile off
+ Syslog on
+ LockFile /var/lock/conntrack.lock
+ UNIX {
+ Path /var/run/conntrackd.ctl
+ }
+ NetlinkBufferSize {{ 2 *1024 *1024 }}
+ NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }}
+ NetlinkOverrunResync off
+ NetlinkEventsReliable on
+{% if ignore_address is defined or accept_protocol is defined %}
+ Filter From Userspace {
+{% if ignore_address is defined and ignore_address is not none %}
+ Address Ignore {
+{% for address in ignore_address if address | is_ipv4 %}
+ IPv4_address {{ address }}
+{% endfor %}
+{% for address in ignore_address if address | is_ipv6 %}
+ IPv6_address {{ address }}
+{% endfor %}
+ }
+{% endif %}
+{% if accept_protocol is defined and accept_protocol is not none %}
+ Protocol Accept {
+{% for protocol in accept_protocol %}
+{% if protocol == 'icmp6' %}
+ IPv6-ICMP
+{% else %}
+ {{ protocol | upper }}
+{% endif %}
+{% endfor %}
+ }
+{% endif %}
+ }
+{% endif %}
+}
+
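Review bot: The outer guard on `Filter From Userspace` tests only `is defined`, while the two inner guards also require `is not none`, so when `ignore_address` and `accept_protocol` are both defined but None the template emits an empty `Filter From Userspace { }` block. Align the outer test with the inner ones: `{% if (ignore_address is defined and ignore_address is not none) or (accept_protocol is defined and accept_protocol is not none) %}`. Separately, in the Multicast branch `ip_address[0]` assumes `get_ipv4` returned at least one address for the interface. If it returns an empty list, `IPv4_interface` is rendered from an undefined value, so the calling script (not visible here) should reject an interface without an IPv4 address before rendering.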
diff --git a/data/templates/conntrackd/conntrackd.op-mode.tmpl b/data/templates/conntrackd/conntrackd.op-mode.tmpl
new file mode 100644
index 000000000..82a4b09ad
--- /dev/null
+++ b/data/templates/conntrackd/conntrackd.op-mode.tmpl
@@ -0,0 +1,13 @@
+Source Destination Protocol
+{% for parsed in data if parsed.flow is defined and parsed.flow.meta is defined %}
+{% for key in parsed.flow.meta %}
+{% if key['@direction'] == 'original' %}
+{% set saddr = key.layer3.src | bracketize_ipv6 %}
+{% set sport = key.layer4.sport %}
+{% set daddr = key.layer3.dst | bracketize_ipv6 %}
+{% set dport = key.layer4.dport %}
+{% set protocol = key.layer4['@protoname'] %}
+{{ "%-48s" | format(saddr ~ ':' ~ sport) }} {{ "%-48s" | format(daddr ~ ':' ~ dport) }} {{ protocol }}
+{% endif %}
+{% endfor %}
+{% endfor %}
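Review bot: `key.layer4.sport` and `key.layer4.dport` are read unconditionally, but flows for port-less protocols such as ICMP presumably carry no port fields in `layer4`. Such a row would render as the address followed by a dangling colon, or fail outright if the environment uses strict undefined handling, which is not visible here. Append the port only when it exists, e.g. `{% set src = saddr ~ ':' ~ sport if sport is defined else saddr %}`, and do the same for the destination. `key.layer3` is likewise dereferenced without an `is defined` check, although `parsed.flow` and `parsed.flow.meta` are guarded in the outer loop.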