cache iterators: rework cache_reset_timers

This patch adds the clause PurgeTimeout that sets the new timer
when conntrackd -t is called. This command is particularly useful
when the sysadmin triggers hand-overs between several nodes without
rebooting as it reduces the timers of the remaining entries in
the kernel. Thus, avoiding clashes between new and old entries that
may trigger INVALID packets.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 11 insertions, 0 deletions

diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 6fec9a1..8f4d952 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -16,6 +16,17 @@ Sync {
 		#
 		CommitTimeout 180
 
+		#
+		# If the firewall replica goes from primary to backup,
+		# the conntrackd -t command is invoked in the script. 
+		# This command resets the timers of the conntracks that
+		# live in the kernel to this new value. This is useful
+		# to purge the connection tracking table of zombie entries
+		# and avoid clashes with old entries if you trigger 
+		# several consecutive hand-overs.
+		#
+		PurgeTimeout 15
+
 		# Set Acknowledgement window size
 		ACKWindowSize 20
 	}