diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-12-23 20:31:10 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-12-23 20:31:10 +0100 |
commit | f49cfb7598c0433d3cb3dc3d829b510a205313f4 (patch) | |
tree | 81e09ce1c8dfab08218881fecea5b46389f531d0 | |
parent | ba8f0e07adc2e124fdb34a8a8f86fcce42a939d8 (diff) | |
download | conntrack-tools-f49cfb7598c0433d3cb3dc3d829b510a205313f4.tar.gz conntrack-tools-f49cfb7598c0433d3cb3dc3d829b510a205313f4.zip |
conntrackd: document internal cache disabling and TCP-based synchronization
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | doc/sync/notrack/README | 3 | ||||
-rw-r--r-- | doc/sync/notrack/conntrackd.conf | 62 |
2 files changed, 61 insertions, 4 deletions
diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README index 99b2f33..b064e21 100644 --- a/doc/sync/notrack/README +++ b/doc/sync/notrack/README @@ -1,2 +1,3 @@ This directory contains the files for the NOTRACK replication protocol. This -protocol provides best effort delivery. Therefore, it is unreliable. +protocol provides best effort delivery. Therefore, it is unreliable unless +that you select TCP-based state-synchronization. diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 5b9ebbb..f8bccc4 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -25,7 +25,14 @@ Sync { # trigger several consecutive hand-overs. Default is 60 seconds. # # PurgeTimeout 60 - + + # + # This clause allows you to disable the internal cache. Thus, + # the synchronization messages are directly send through + # the dedicated link. This option is set of off by default. + # + # DisableInternalCache Off + # # This clause allows you to disable the external cache. Thus, # the state entries are directly injected into the kernel @@ -136,8 +143,7 @@ Sync { # # You can use Unicast UDP instead of Multicast to propagate events. # Note that you cannot use unicast UDP and Multicast at the same - # time, you can only select one. You can also select TCP in notrack - # mode. + # time, you can only select one. # # UDP { # @@ -186,6 +192,56 @@ Sync { # Checksum on # } + # + # You can also use Unicast TCP to propagate events. Thus, the NOTRACK + # mode becomes reliable. + # + # TCP { + # + # TCP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination TCP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # TCP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } } # |