authorPablo Neira Ayuso <pablo@netfilter.org>2009-12-23 20:31:10 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2009-12-23 20:31:10 +0100
commitf49cfb7598c0433d3cb3dc3d829b510a205313f4 (patch)
tree81e09ce1c8dfab08218881fecea5b46389f531d0
parentba8f0e07adc2e124fdb34a8a8f86fcce42a939d8 (diff)
conntrackd: document internal cache disabling and TCP-based synchronization
This patch documents the internal cache disabling feature that is available in NOTRACK mode. It also adds an example of how to set up TCP-based state synchronization. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/sync/notrack/README3
-rw-r--r--doc/sync/notrack/conntrackd.conf62
2 files changed, 61 insertions, 4 deletions
diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README
index 99b2f33..b064e21 100644
--- a/doc/sync/notrack/README
+++ b/doc/sync/notrack/README
@@ -1,2 +1,3 @@
This directory contains the files for the NOTRACK replication protocol. This
-protocol provides best effort delivery. Therefore, it is unreliable.
+protocol provides best effort delivery. Therefore, it is unreliable unless
+that you select TCP-based state-synchronization.
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 5b9ebbb..f8bccc4 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -25,7 +25,14 @@ Sync {
# trigger several consecutive hand-overs. Default is 60 seconds.
#
# PurgeTimeout 60
-
+
+ #
+ # This clause allows you to disable the internal cache. Thus,
+ # the synchronization messages are directly send through
+ # the dedicated link. This option is set of off by default.
+ #
+ # DisableInternalCache Off
+
#
# This clause allows you to disable the external cache. Thus,
# the state entries are directly injected into the kernel
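Review bot: The new DisableInternalCache comment has two wording errors that make the sample config harder to trust: "directly send" should be "directly sent", and "This option is set of off by default" is garbled. I would change the two lines to `# the synchronization messages are directly sent through` and `# the dedicated link. This option is off by default.` so the default is stated unambiguously. The README hunk in this same commit describes NOTRACK as best-effort delivery; whether skipping the internal cache changes what is retransmitted or replayed after a hand-over is not visible from this diff, so a short sentence on that interaction would help operators if it applies. The enclosing `Sync {` clause begins and ends outside this hunk.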
@@ -136,8 +143,7 @@ Sync {
#
# You can use Unicast UDP instead of Multicast to propagate events.
# Note that you cannot use unicast UDP and Multicast at the same
- # time, you can only select one. You can also select TCP in notrack
- # mode.
+ # time, you can only select one.
#
# UDP {
#
@@ -186,6 +192,56 @@ Sync {
# Checksum on
# }
+ #
+ # You can also use Unicast TCP to propagate events. Thus, the NOTRACK
+ # mode becomes reliable.
+ #
+ # TCP {
+ #
+ # TCP address that this firewall uses to listen to events.
+ #
+ # IPv4_address 192.168.2.100
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_address fe80::215:58ff:fe28:5a27
+
+ #
+ # Destination TCP address that receives events, ie. the other
+ # firewall's dedicated link address.
+ #
+ # IPv4_Destination_Address 192.168.2.101
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
+
+ #
+ # TCP port used
+ #
+ # Port 3780
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ # Interface eth2
+
+ #
+ # The sender socket buffer size
+ #
+ # SndSocketBuffer 1249280
+
+ #
+ # The receiver socket buffer size
+ #
+ # RcvSocketBuffer 1249280
+
+ #
+ # Enable/Disable message checksumming.
+ #
+ # Checksum on
+ # }
}
#