Diffstat (limited to 'docs/configuration/service/conntrack-sync.rst')
-rw-r--r-- docs/configuration/service/conntrack-sync.rst | 35
1 files changed, 24 insertions, 11 deletions
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst
index a7cd7060..468b39d9 100644
--- a/docs/configuration/service/conntrack-sync.rst
+++ b/docs/configuration/service/conntrack-sync.rst
@@ -37,14 +37,14 @@ Most examples below show Multicast, but unicast can be specified by using the
Configuration
*************
- .. cfgcmd:: set service conntrack-sync accept-protocol
+.. cfgcmd:: set service conntrack-sync accept-protocol
Accept only certain protocols: You may want to replicate the state of flows
depending on their layer 4 protocol.
Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp.
- .. cfgcmd:: set service conntrack-sync event-listen-queue-size <size>
+.. cfgcmd:: set service conntrack-sync event-listen-queue-size <size>
The daemon doubles the size of the netlink event socket buffer size if it
detects netlink event message dropping. This clause sets the maximum buffer
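Review bot: the `accept-protocol` directive on the added line carries no value placeholder, although the description directly below it lists the accepted values (tcp, sctp, dccp, udp, icmp and ipv6-icmp) and the neighbouring commands show theirs, for example `event-listen-queue-size <size>`. Suggest `.. cfgcmd:: set service conntrack-sync accept-protocol <protocol>`, or the enumerated form used for `expect-sync`, so the rendered command is complete.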
@@ -52,39 +52,52 @@ Configuration
Queue size for listening to local conntrack events in MB.
- .. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet>
+.. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet>
Protocol for which expect entries need to be synchronized.
- .. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group>
+.. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group>
Failover mechanism to use for conntrack-sync.
Only VRRP is supported. Required option.
- .. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x>
+.. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x>
IP addresses or networks for which local conntrack entries will not be synced
- .. cfgcmd:: set service conntrack-sync interface <name>
+.. cfgcmd:: set service conntrack-sync interface <name>
Interface to use for syncing conntrack entries.
- .. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x>
+.. cfgcmd:: set service conntrack-sync interface <name> port <port>
+
+ Port number used by connection.
+
+.. cfgcmd:: set service conntrack-sync listen-address <ipv4address>
+
+ Local IPv4 addresses for service to listen on.
+
+.. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x>
Multicast group to use for syncing conntrack entries.
Defaults to 225.0.0.50.
- .. cfgcmd:: set service conntrack-sync interface <name> peer <address>
+.. cfgcmd:: set service conntrack-sync interface <name> peer <address>
Peer to send unicast UDP conntrack sync entires to, if not using Multicast
configuration from above above.
- .. cfgcmd:: set service conntrack-sync sync-queue-size <size>
+.. cfgcmd:: set service conntrack-sync sync-queue-size <size>
Queue size for syncing conntrack entries in MB.
+.. cfgcmd:: set service conntrack-sync disable-external-cache
+
+ This diable the external cache and directly injects the flow-states into the
+ in-kernel Connection Tracking System of the backup firewall.
+
*********
Operation
*********
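Review bot: the new `disable-external-cache` description has a typo and leaves out the trade-off: "This diable the external cache" should read "This disables the external cache", and one sentence on when to prefer direct injection into the backup firewall's in-kernel conntrack table over the external cache would let readers make the choice. In the same hunk, "Port number used by connection." does not say which connection or what the default port is, and `listen-address <ipv4address>` takes a single address while its description says "addresses". The untouched context under `peer <address>` still reads "entires" and "above above"; worth fixing in the same pass.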
@@ -114,11 +127,11 @@ Operation
conntrack is not enabled. To enable conntrack, just create a NAT or a firewall
rule. :cfgcmd:`set firewall state-policy established action accept`
-.. opcmd:: show conntrack-sync external-cache
+.. opcmd:: show conntrack-sync cache external
Show connection syncing external cache entries
-.. opcmd:: show conntrack-sync internal-cache
+.. opcmd:: show conntrack-sync cache internal
Show connection syncing internal cache entries
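Review bot: both operational commands are renamed here (`show conntrack-sync external-cache` becomes `show conntrack-sync cache external`, and likewise for internal), but the diffstat lists only this file, so any other page that still references the old spelling will be stale; please search the docs tree for the old names before merging. Since `disable-external-cache` is documented in this same commit, the `cache external` entry should also state what it shows when the external cache is disabled.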