path: root/docs/configuration/service/conntrack-sync.rst
Diffstat (limited to 'docs/configuration/service/conntrack-sync.rst')
-rw-r--r--docs/configuration/service/conntrack-sync.rst41
1 files changed, 23 insertions, 18 deletions
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst
index c95cadc9..cebaa07c 100644
--- a/docs/configuration/service/conntrack-sync.rst
+++ b/docs/configuration/service/conntrack-sync.rst
@@ -39,36 +39,36 @@ Configuration
.. cfgcmd:: set service conntrack-sync accept-protocol
- Accept only certain protocols: You may want to replicate the state of flows
- depending on their layer 4 protocol.
+ Accept only certain protocols: You may want to replicate the state of flows
+ depending on their layer 4 protocol.
- Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp.
+ Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp.
.. cfgcmd:: set service conntrack-sync event-listen-queue-size <size>
- The daemon doubles the size of the netlink event socket buffer size if it
- detects netlink event message dropping. This clause sets the maximum buffer
- size growth that can be reached.
+ The daemon doubles the size of the netlink event socket buffer size if it
+ detects netlink event message dropping. This clause sets the maximum buffer
+ size growth that can be reached.
- Queue size for listening to local conntrack events in MB.
+ Queue size for listening to local conntrack events in MB.
.. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet>
- Protocol for which expect entries need to be synchronized.
+ Protocol for which expect entries need to be synchronized.
.. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group>
- Failover mechanism to use for conntrack-sync.
+ Failover mechanism to use for conntrack-sync.
- Only VRRP is supported. Required option.
+ Only VRRP is supported. Required option.
.. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x>
- IP addresses or networks for which local conntrack entries will not be synced
+ IP addresses or networks for which local conntrack entries will not be synced
.. cfgcmd:: set service conntrack-sync interface <name>
- Interface to use for syncing conntrack entries.
+ Interface to use for syncing conntrack entries.
.. cfgcmd:: set service conntrack-sync interface <name> port <port>
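Review bot: the hunk is whitespace-only (the description lines are re-indented under their `.. cfgcmd::` directives so Sphinx renders them as the directive body), which is correct, but since these lines are being touched anyway the `ignore-address <x.x.x.x>` placeholder should be reconciled with its own description, "IP addresses or networks for which local conntrack entries will not be synced": either the placeholder should also show a prefix form, or the text should say that only a single address is accepted. Minor: "Accept only certain protocols: You may want to replicate" should not capitalize after the colon.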
@@ -80,24 +80,29 @@ Configuration
.. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x>
- Multicast group to use for syncing conntrack entries.
+ Multicast group to use for syncing conntrack entries.
- Defaults to 225.0.0.50.
+ Defaults to 225.0.0.50.
.. cfgcmd:: set service conntrack-sync interface <name> peer <address>
- Peer to send unicast UDP conntrack sync entires to, if not using Multicast
- configuration from above above.
+ Peer to send unicast UDP conntrack sync entires to, if not using Multicast
+ configuration from above above.
.. cfgcmd:: set service conntrack-sync sync-queue-size <size>
- Queue size for syncing conntrack entries in MB.
+ Queue size for syncing conntrack entries in MB.
.. cfgcmd:: set service conntrack-sync disable-external-cache
This diable the external cache and directly injects the flow-states into the
in-kernel Connection Tracking System of the backup firewall.
+.. cfgcmd:: set service conntrack-sync startup-resync
+
+ Order conntrackd to request a complete conntrack table resync against
+ the other node at startup.
+
*********
Operation
*********
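Review bot: the re-indented lines `+ Peer to send unicast UDP conntrack sync entires to, if not using Multicast` / `+ configuration from above above.` carry over two typos ("entires" for "entries", duplicated "above") and the capitalized mid-sentence "Multicast"; the unchanged context line "This diable the external cache" has a third ("disables"). Since these lines are rewritten in this commit, fix the wording in the same change rather than leaving the typos behind. Also, `interface <name> peer <address>` is documented here after `mcast-group` rather than next to the other `interface <name>` sub-options at the end of the previous hunk; grouping it there would make the unicast-versus-multicast choice easier to find. The new `startup-resync` entry reads fine; consider naming "the other node" as the configured peer for consistency with the `peer <address>` wording above it.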
@@ -122,7 +127,7 @@ Operation
1006239392 10.35.101.221 172.31.120.21 icmp [1] 29
.. note::
-
+
If the table is empty and you have a warning message, it means
conntrack is not enabled. To enable conntrack, just create a NAT or a firewall
rule. :cfgcmd:`set firewall state-policy established action accept`
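Review bot: this hunk only strips trailing whitespace after `.. note::`, which is fine. While here, the note body in the context lines is awkward: the bare `:cfgcmd:` reference after "just create a NAT or a firewall rule." is not attached to the sentence. Suggest "To enable conntrack, create a NAT or firewall rule, for example :cfgcmd:`set firewall state-policy established action accept`." so the command reads as the example it is meant to be.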