Updating upstream with merged content from netfilter conntrack-tools version 1.0.1

10 files changed, 568 insertions, 890 deletions

diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index b897318..4936a76 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -19,7 +19,7 @@
   </authorgroup>
 
   <copyright>
-   <year>2008</year>
+   <year>2008-2011</year>
    <holder>Pablo Neira Ayuso</holder>
   </copyright>
 
@@ -37,9 +37,8 @@
   <releaseinfo>
   This document details how to install and configure the
   <ulink url="http://conntrack-tools.netfilter.org">conntrack-tools</ulink>
-  0.9.8. This software is under development, for that reason, it is likely
-  that this document will evolve in the future to cover new features and
-  changes.</releaseinfo>
+  &gt;= 1.0.0. This document will evolve in the future to cover new features
+  and changes.</releaseinfo>
 
  </bookinfo>
 
@@ -198,7 +197,12 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown.
 conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated.
  </programlisting>
 
-<para>Delete one entry, this can be used to block traffic (you have to set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</emphasis> to zero).</para>
+<para>Delete one entry, this can be used to block traffic if:</para>
+<itemizedlist>
+ <listitem><para>You have a stateful rule-set that blocks traffic in INVALID state.</para></listitem>
+ <listitem><para>You have set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</emphasis> or <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis>, depending on your kernel version, to zero.</para></listitem>
+</itemizedlist>
+
 <programlisting>
  # conntrack -D -p tcp --dport 3486
  tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1
@@ -341,6 +345,11 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted.
 
 <sect2 id="sync-pb"><title>Active-Backup setup</title>
 
+ <note><title>Stateful firewall architectures</title>
+  <para>A good reading to extend the information about firewall architectures is <ulink url="http://1984.lsi.us.es/~pablo/docs/intcomp09.pdf">Demystifying cluster-based fault-tolerant firewalls</ulink> published in IEEE Internet Computing magazine.
+  </para>
+ </note>
+
  <para>In the Active-Backup setup, one of the stateful firewall replicas 
  filters traffic and the other acts as backup. If you use this approach, 
  you have to copy the script <emphasis>primary-backup.sh</emphasis> to:
@@ -507,6 +516,307 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted.
 
 </sect2>
 
+<sect2 id="sync-options"><title>Other configuration options</title>
+
+ <para>The daemon allows several configuration options that you may want to
+ enable. This section contains some information about them.</para>
+
+<sect3 id="sync-disable-external"><title>Disabling external cache</title>
+
+ <para>It is possible to disable the external cache. Thus,
+ <emphasis>conntrackd</emphasis> directly injects the flow-states into the
+ in-kernel Connection Tracking System of the backup firewall. You can do it
+ by enabling the <emphasis>DisableExternalCache</emphasis> option in the
+ <emphasis>conntrackd.conf</emphasis> configuration file:
+ </para>
+
+ <programlisting>
+Sync {
+	Mode FTFW {
+		 [...]
+		 DisableExternalCache Off
+	}
+}
+ </programlisting>
+
+ <para>You can also use this option with the NOTRACK and ALARM modes. This
+ increases CPU consumption in the backup firewall but now you do not need
+ to commit the flow-states during the master failures since they are already
+ in the in-kernel Connection Tracking table. Moreover, you save memory in
+ the backup firewall since you do not need to store the foreign flow-states
+ anymore.
+ </para>
+
+</sect3>
+
+<sect3 id="sync-disable-internal"><title>Disabling internal cache</title>
+
+ <para>You can also disable the internal cache by means of the
+ <emphasis>DisableInternalCache</emphasis> option in the
+ <emphasis>conntrackd.conf</emphasis> configuration file:
+ </para>
+
+ <programlisting>
+Sync {
+	Mode NOTRACK {
+		 [...]
+		 DisableInternalCache Off
+	}
+}
+ </programlisting>
+
+ <para>However, this option is only available for the NOTRACK mode. This
+ mode provides unreliable flow-state synchronization between firewalls.
+ Thus, if flow-states are lost during the synchronization, the protocol
+ provides no way to recover them.</para>
+
+</sect3>
+
+<sect3 id="sync-transport-protocol">
+<title>Using UDP, TCP or multicast for flow-state synchronization</title>
+
+ <para>You can use up to three different transport layer protocols to
+ synchronize flow-state changes between the firewalls: UDP, TCP and
+ Multicast. UDP and multicast are unreliable but together with the FT-FW
+ mode provide partial reliable flow-state synchronization.
+ </para>
+
+ <para>The preferred choice is FT-FW over UDP, or multicast alternatively.
+ TCP introduces latency in the flow-state synchronization due to the
+ congestion control. Under flow-state message are lost, the FIFO delivery
+ becomes also a problem since the backup firewall quickly gets out of
+ sync. For that reason, its use is discouraged. Note that using TCP only
+ makes sense with the NOTRACK mode.
+ </para>
+
+</sect3>
+
+<sect3 id="sync-redundant-link"><title>Redundant dedicated links</title>
+
+ <para>You can set redundant dedicated links without using bonding, you have
+ to configure as many redundant links as you want in the configuration file.
+ In case of failure of the master dedicated link, conntrackd failovers to one
+ of the backups. An example of this configuration is the following:
+ </para>
+
+ <programlisting>
+Sync {
+	Mode FTFW {
+		 [...]
+	}
+	# default master dedicated link
+        UDP Default {
+                IPv4_address 192.168.2.1
+                IPv4_Destination_Address 192.168.2.2
+                Port 3780
+                Interface eth3
+                SndSocketBuffer 24985600
+                RcvSocketBuffer 24985600
+                Checksum on
+        }
+	# backup dedicated link
+        UDP {
+               IPv4_address 192.168.1.3
+               IPv4_Destination_Address 192.168.1.4
+               Port 3780
+               Interface eth2
+               SndSocketBuffer 24985600
+               RcvSocketBuffer 24985600
+               Checksum on
+        }
+	[...]
+}
+ </programlisting>
+
+</sect3>
+
+<sect3 id="sync-iptables-filtering">
+<title>Filtering Connection tracking events with iptables</title>
+
+ <para>Since Linux kernel &gt;= 2.6.34, iptables provides the
+ <emphasis>CT</emphasis> iptables target that allows to reduce the
+ amount of Connection Tracking events that are delivered to user-space.
+ However, you will have to use a Linux kernel &gt;= 2.6.38 to profit
+ from this feature, since several aspects of the event filtering were
+ broken.</para>
+
+ <para>The following example shows how to only generate the
+ <emphasis>assured</emphasis> event:</para>
+
+ <programlisting>
+ # iptables -I PREROUTING -t raw -j CT --ctevents assured
+ </programlisting>
+
+ <note><title>Assured flows</title>
+ <para>One flow is assured if the firewall has seen traffic for it in
+ both directions.</para>
+ </note>
+
+ <para>Reducing the amount of events generated helps to reduce CPU
+ consumption in the active firewall.</para>
+
+</sect3>
+
+<sect3 id="sync-expect"><title>Synchronization of expectations</title>
+
+ <para>The connection tracking system provides helpers that allows you to
+ filter multi-flow application protocols like FTP, H.323 and SIP among many
+ others. These protocols usually split the control and data traffic in
+ different flows. Moreover, the control flow usually announces layer 3 and
+ 4 information to let the other peer know where the data flows will be
+ open. This sort of protocols require that the firewall inspects the
+ content of the packet, otherwise filtering by layer 3 and 4 selectors
+ like addresses and ports become a real nightmare. Netfilter already
+ provides the so-called <emphasis>helpers</emphasis> that track this
+ protocol  aspects to allow deploying appropriate filtering. These
+ helpers create <emphasis>expectation</emphasis> entries that
+ represent expected traffic that will arrive to the firewall according
+ to the inspected packets.</para>
+
+ <para>In case that you have enabled tracking of these protocols, you
+ may want to enable the state-synchronization of expectation as well.
+ Thus, established flows for this specific protocols will not suffer
+ any disruption.</para>
+
+ <para>To enable the expectation support in the configuration file, you
+ have to use the following option:</para>
+
+ <programlisting>
+Sync {
+       ...
+       Options {
+               ExpectationSync {
+                       ftp
+                       sip
+                       h323
+               }
+       }
+}</programlisting>
+
+ <para>The example above enables the synchronization of the expectations
+ for the FTP, SIP and H.323 helpers.</para>
+
+ <para>In my testbed, there are two firewalls in a primary-backup
+ configuration running keepalived. They use a couple of floating cluster
+ IP address (192.168.0.100 and 192.168.1.100) that are used by the client.
+ These firewalls protect one FTP server (192.168.1.2) that will be accessed
+ by one client.</para>
+
+ <para>In ASCII art, it looks like this:</para>
+
+ <programlisting>
+         192.168.0.100      192.168.1.100
+                  eth1      eth2
+                       fw-1
+                     /      \       FTP
+        client ------       ------ server
+      192.168.0.2    \      /   192.168.1.2
+                       fw-2
+ </programlisting>
+
+ <para>This is the rule-set for the firewalls:</para>
+
+ <programlisting>
+    -A FORWARD -m state --state RELATED -j ACCEPT
+    -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
+    -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
+    -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
+    -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "</programlisting>
+
+ <para>Before going ahead, make sure <emphasis>nf_conntrack_ftp</emphasis> is
+ loaded.</para>
+
+ <para>The following steps detail how to check that the expectation support
+ works fine with FTP traffic:</para>
+
+ <orderedlist>
+ <listitem>
+ <para>Switch to the client. Start one FTP control connection to one
+ server that is protected by the firewalls, enter passive mode:</para>
+
+ <programlisting>
+  (term-1) user@client$ nc 192.168.1.2 21
+   220 dummy FTP server
+   USER anonymous
+   331 Please specify the password.
+   PASS nothing
+   230 Login successful.
+   PASV
+   227 Entering Passive Mode (192,168,1,2,163,11).</programlisting>
+
+ <para>This means that port 163*256+11=41739 will be used for the data
+ traffic. I suggest you to read <ulink url="http://www.freefire.org/articles/ftpexample.php">djb's FTP protocol description</ulink> in case that you
+ don't understand how this calculation is done.</para>
+ </listitem>
+
+ <listitem>
+ <para> Switch to fw-1 (primary) to check that the expectation is in the
+ internal cache.</para>
+
+ <programlisting>
+ root@fw1# conntrackd -i exp
+ proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 helper=ftp [active since 5s]
+ </programlisting>
+ </listitem>
+
+ <listitem>
+ <para> Switch to fw-2 (backup) to check that the expectation has been
+ successfully replicated.</para>
+
+ <programlisting>
+ root@fw2# conntrackd -e exp
+ proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
+ </programlisting>
+ </listitem>
+
+ <listitem>
+ <para>Make the primary firewall fw-1 fail. Now fw-2 becomes primary.</para>
+ </listitem>
+
+ <listitem>
+ <para>Switch to fw-2 (primary) to commit the external cache into the
+ kernel. The logs should display that the commit was successful:</para>
+
+ <programlisting>
+ root@fw2# tail -100f /var/log/conntrackd.log
+ [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
+ [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
+ [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds</programlisting>
+ </listitem>
+
+ <listitem>
+ <para> Switch to the client. Open a new terminal and connect to the port that
+ has been announced by the server:</para>
+
+ <programlisting>
+ (term-2) user@client$ nc -vvv 192.168.1.2 41739
+ (UNKNOWN) [192.168.1.2] 41739 (?) open</programlisting>
+ </listitem>
+
+ <listitem>
+ <para>Switch to term-1 and ask for the file listing:</para>
+
+ <programlisting>
+ [...]
+ 227 Entering Passive Mode (192,168,1,2,163,11).
+ LIST</programlisting>
+ </listitem>
+
+ <listitem>
+ <para>Switch to term-2, it should display the listing. That means
+ everything has worked fine.</para>
+ </listitem>
+
+ </orderedlist>
+
+ <para>You may want to try disabling the expectation support and
+ repeating the steps to check that <emphasis>it does not work</emphasis>
+ without the state-synchronization.</para>
+
+</sect3>
+
+</sect2>
+
 <sect2 id="sync-trouble"><title>Troubleshooting</title>
 
  <para>Problems with <emphasis>conntrackd</emphasis>? The following list 
@@ -566,6 +876,151 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted.
    </answer>
   </qandaentry>
 
+ <qandaentry>
+   <question>
+    <para>
+    Does conntrackd support TCP flow-recovery with window tracking enabled?
+    </para>
+   </question>
+   <answer>
+    <para>
+    Yes, but you require a Linux kernel &gt;= 2.6.36 and the conntrack-tools &gt;= 0.9.15. To enable it, check the TCPWindowTracking clause in the example configuration files.
+    </para>
+   </answer>
+  </qandaentry>
+
+ <qandaentry>
+   <question>
+    <para>
+    Does conntrackd support the H.323 and SIP connection tracking helpers?
+    </para>
+   </question>
+   <answer>
+    <para>
+    Yes, conntrackd includes expectation support since version 1.2.0.
+    </para>
+   </answer>
+  </qandaentry>
+
+  <qandaentry>
+   <question>
+    <para>
+    Is there any way to set up a more verbose mode in the log message for debugging?
+    </para>
+   </question>
+   <answer>
+    <para>
+    No, but conntrackd provides lots of information that you can look up in
+    runtime via -s option.</para>
+
+    <para>You can check network statistics to find anomalies:</para>
+    <programlisting>
+# conntrackd -s network
+    network statistics:
+        recv:
+                Malformed messages:                        0
+                Wrong protocol version:                    0
+                Malformed header:                          0
+                Malformed payload:                         0
+                Bad message type:                          0
+                Truncated message:                         0
+                Bad message size:                          0
+        send:
+                Malformed messages:                        0
+
+sequence tracking statistics:
+        recv:
+                Packets lost:                          42726
+                Packets before:                            0
+
+UDP traffic (active device=eth3):
+              564232 Bytes sent              1979844 Bytes recv
+                2844 Pckts sent                 8029 Pckts recv
+                   0 Error send                    0 Error recv
+    </programlisting>
+
+    <para>You can check cache statistics:</para>
+    <programlisting>
+# conntrackd -s cache
+cache:internal  active objects:                    0
+        active/total entries:                      0/           0
+        creation OK/failed:                    11068/           0
+                no memory available:               0
+                no space left in cache:            0
+        update OK/failed:                       4128/           0
+                entry not found:                   0
+        deletion created/failed:               11068/           0
+                entry not found:                   0
+
+cache:external  active objects:                    0
+        active/total entries:                      0/           0
+        creation OK/failed:                    10521/           0
+                no memory available:               0
+                no space left in cache:            0
+        update OK/failed:                       8832/           0
+                entry not found:                   0
+        deletion created/failed:               10521/           0
+                entry not found:                   0
+    </programlisting>
+
+    <para>You can check runtime miscelaneous statistics:</para>
+    <programlisting>
+# conntrackd -s runtime
+daemon uptime: 14 min
+
+netlink stats:
+        events received:                       24736
+        events filtered:                           0
+        events unknown type:                       0
+        catch event failed:                        0
+        dump unknown type:                         0
+        netlink overrun:                           0
+        flush kernel table:                        1
+        resync with kernel table:                  0
+        current buffer size (in bytes):      8000000
+
+runtime stats:
+        child process failed:                      0
+                child process segfault:            0
+                child process termsig:             0
+        select failed:                             0
+        wait failed:                               0
+        local read failed:                         0
+        local unknown request:                     0
+    </programlisting>
+
+    <para>You can check dedicated link statistics:</para>
+    <programlisting>
+# conntrackd -s link
+UDP traffic device=eth3 status=RUNNING role=ACTIVE:
+              566848 Bytes sent              1982612 Bytes recv
+                3018 Pckts sent                 8203 Pckts recv
+                   0 Error send                    0 Error recv
+    </programlisting>
+
+    <para>You can check network queue statistics:</para>
+    <programlisting>
+# conntrackd -s queue
+allocated queue nodes:                     1
+
+queue txqueue:
+current elements:                          0
+maximum elements:                 2147483647
+not enough space errors:                   0
+
+queue errorq:
+current elements:                          0
+maximum elements:                        128
+not enough space errors:                   0
+
+queue rsqueue:
+current elements:                          1
+maximum elements:                     131072
+not enough space errors:                   0
+    </programlisting>
+   </answer>
+  </qandaentry>
+
  </qandaset>
 
 </sect2>
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index 0941f64..16d7a80 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -67,6 +67,18 @@ General {
 	#
 	NetlinkBufferSizeMaxGrowth 655355
 
+	# 
+	# By default, the daemon receives state updates following an
+	# event-driven model. You can modify this behaviour by switching to
+	# polling mode with the PollSecs clause. This clause tells conntrackd
+	# to dump the states in the kernel every N seconds. With regards to
+	# synchronization mode, the polling mode can only guarantee that
+	# long-lifetime states are recovered. The main advantage of this method
+	# is the reduction in the state replication at the cost of reducing the
+	# chances of recovering connections.
+	#
+	# PollSecs 15
+
 	#
 	# Event filtering: This clause allows you to filter certain traffic,
 	# There are currently three filter-sets: Protocol, Address and
@@ -81,6 +93,7 @@ General {
 		#
 		Protocol Accept {
 			TCP
+			# UDP
 		}
 
 		#
@@ -118,18 +131,6 @@ Stats {
 	#
 	# NetlinkEventsReliable Off
 
-	# 
-	# By default, the daemon receives state updates following an
-	# event-driven model. You can modify this behaviour by switching to
-	# polling mode with the PollSecs clause. This clause tells conntrackd
-	# to dump the states in the kernel every N seconds. With regards to
-	# synchronization mode, the polling mode can only guarantee that
-	# long-lifetime states are recovered. The main advantage of this method
-	# is the reduction in the state replication at the cost of reducing the
-	# chances of recovering connections.
-	#
-	# PollSecs 15
-
 	#
 	# Enable connection logging via Syslog. Default is off.
 	# Syslog: on, off or a facility name (daemon (default) or local0..7)
diff --git a/doc/stats/conntrackd.conf.orig b/doc/stats/conntrackd.conf.orig
deleted file mode 100644
index 1f1a697..0000000
--- a/doc/stats/conntrackd.conf.orig
+++ /dev/null
@@ -1,121 +0,0 @@
-#
-# General settings
-#
-General {
-	#
-	# Set the nice value of the daemon. This value goes from -20
-	# (most favorable scheduling) to 19 (least favorable). Using a
-	# negative value reduces the chances to lose state-change events.
-	# Default is 0. See man nice(1) for more information.
-	#
-	Nice -1
-
-	#
-	# Number of buckets in the caches: hash table
-	#
-	HashSize 8192
-
-	#
-	# Maximum number of conntracks: 
-	# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
-	#
-	HashLimit 65535
-
-	#
-	# Logfile: on (/var/log/conntrackd.log), off, or a filename
-	# Default: off
-	#
-	#LogFile on
-
-	#
-	# Syslog: on, off or a facility name (daemon (default) or local0..7)
-	# Default: off
-	#
-	#Syslog on
-
-	#
-	# Lockfile
-	# 
-	LockFile /var/lock/conntrack.lock
-
-	#
-	# Unix socket configuration
-	#
-	UNIX {
-		Path /var/run/conntrackd.ctl
-		Backlog 20
-	}
-
-	#
-	# Netlink socket buffer size
-	#
-	NetlinkBufferSize 262142
-
-	#
-	# Increase the socket buffer up to maximun if required
-	#
-	NetlinkBufferSizeMaxGrowth 655355
-
-	#
-	# Event filtering: This clause allows you to filter certain traffic,
-	# There are currently three filter-sets: Protocol, Address and
-	# State. The filter is attached to an action that can be: Accept or
-	# Ignore. Thus, you can define the event filtering policy of the
-	# filter-sets in positive or negative logic depending on your needs.
-	#
-	Filter {
-		#
-		# Accept only certain protocols: You may want to log the
-		# state of flows depending on their layer 4 protocol.
-		#
-		Protocol Accept {
-			TCP
-		}
-
-		#
-		# Ignore traffic for a certain set of IP's.
-		#
-		Address Ignore {
-			IPv4_address 127.0.0.1 # loopback
-		}
-
-		#
-		# Uncomment this line below if you want to filter by flow state.
-		# The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
-		# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
-		#
-		# State Accept {
-		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
-		# }
-	}
-}
-
-Stats {
-	#
-	# If you enable this option, the daemon writes the information about
-	# destroyed connections to a logfile. Default is off.
-	# Logfile: on, off, or a filename
-	# Default file: (/var/log/conntrackd-stats.log)
-	#
-	LogFile on
-
-	# 
-	# By default, the daemon receives state updates following an
-	# event-driven model. You can modify this behaviour by switching to
-	# polling mode with the PollSecs clause. This clause tells conntrackd
-	# to dump the states in the kernel every N seconds. With regards to
-	# synchronization mode, the polling mode can only guarantee that
-	# long-lifetime states are recovered. The main advantage of this method
-	# is the reduction in the state replication at the cost of reducing the
-	# chances of recovering connections.
-	#
-	# PollSecs 15
-
-	#
-	# Enable connection logging via Syslog. Default is off.
-	# Syslog: on, off or a facility name (daemon (default) or local0..7)
-	# If you set the facility, use the same as in the General clause, 
-	# otherwise you'll get a warning message.
-	#
-	#Syslog on
-}
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 3424e39..deed291 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -180,6 +180,34 @@ Sync {
 		#
 		# Checksum on
 	# }
+
+	#
+	# Other unsorted options that are related to the synchronization.
+	#
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		# This feature requires a Linux kernel >= 2.6.36.
+		#
+		# TCPWindowTracking Off
+
+		# Set this option on if you want to enable the synchronization
+		# of expectations. You have to specify the list of helpers that
+		# you want to enable. Default is off.
+		#
+		# ExpectationSync {
+		#       ftp
+		#       h323
+		#       sip
+		# }
+		#
+		# You can use this alternatively:
+		#
+		# ExpectationSync On
+		#
+		# If you want to synchronize expectations of all helpers.
+	# }
 }
 
 #
@@ -332,7 +360,9 @@ General {
 			TCP
 			SCTP
 			DCCP
+			# UDP
 			# ICMP # This requires a Linux kernel >= 2.6.31
+			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
 		}
 
 		#
diff --git a/doc/sync/alarm/conntrackd.conf.orig b/doc/sync/alarm/conntrackd.conf.orig
deleted file mode 100644
index ca6e661..0000000
--- a/doc/sync/alarm/conntrackd.conf.orig
+++ /dev/null
@@ -1,348 +0,0 @@
-#
-# Synchronizer settings
-#
-Sync {
-	Mode ALARM {
-		#
-		# If a conntrack entry is not modified in <= 15 seconds, then
-		# a message is broadcasted. This mechanism is used to
-		# resynchronize nodes that just joined the multicast group
-		#
-		RefreshTime 15
-	
-		#
-		# If we don't receive a notification about the state of 
-		# an entry in the external cache after N seconds, then
-		# remove it.
-		#
-		CacheTimeout 180
-
-		#
-		# This parameter allows you to set an initial fixed timeout
-		# for the committed entries when this node goes from backup
-		# to primary. This mechanism provides a way to purge entries
-		# that were not recovered appropriately after the specified
-		# fixed timeout. If you set a low value, TCP entries in
-		# Established states with no traffic may hang. For example,
-		# an SSH connection without KeepAlive enabled. If not set,
-		# the daemon uses an approximate timeout value calculation
-		# mechanism. By default, this option is not set.
-		#
-		# CommitTimeout 180
-
-		#
-		# If the firewall replica goes from primary to backup,
-		# the conntrackd -t command is invoked in the script. 
-		# This command schedules a flush of the table in N seconds.
-		# This is useful to purge the connection tracking table of
-		# zombie entries and avoid clashes with old entries if you
-		# trigger several consecutive hand-overs. Default is 60 seconds
-		#
-		# PurgeTimeout 60
-	}
-
-	#
-	# Multicast IP and interface where messages are
-	# broadcasted (dedicated link). IMPORTANT: Make sure
-	# that iptables accepts traffic for destination
-	# 225.0.0.50, eg:
-	#
-	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
-	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
-	#
-	Multicast {
-		# 
-		# Multicast address: The address that you use as destination
-		# in the synchronization messages. You do not have to add
-		# this IP to any of your existing interfaces. If any doubt,
-		# do not modify this value.
-		#
-		IPv4_address 225.0.0.50
-
-		#
-		# The multicast group that identifies the cluster. If any
-		# doubt, do not modify this value.
-		#
-		Group 3780
-
-		#
-		# IP address of the interface that you are going to use to
-		# send the synchronization messages. Remember that you must
-		# use a dedicated link for the synchronization messages.
-		#
-		IPv4_interface 192.168.100.100
-
-		#
-		# The name of the interface that you are going to use to
-		# send the synchronization messages.
-		#
-		Interface eth2
-
-		# The multicast sender uses a buffer to enqueue the packets
-		# that are going to be transmitted. The default size of this
-		# socket buffer is available at /proc/sys/net/core/wmem_default.
-		# This value determines the chances to have an overrun in the
-		# sender queue. The overrun results packet loss, thus, losing
-		# state information that would have to be retransmitted. If you
-		# notice some packet loss, you may want to increase the size
-		# of the sender buffer. The default size is usually around
-		# ~100 KBytes which is fairly small for busy firewalls.
-		#
-		SndSocketBuffer 1249280
-
-		# The multicast receiver uses a buffer to enqueue the packets
-		# that the socket is pending to handle. The default size of this
-		# socket buffer is available at /proc/sys/net/core/rmem_default.
-		# This value determines the chances to have an overrun in the
-		# receiver queue. The overrun results packet loss, thus, losing
-		# state information that would have to be retransmitted. If you
-		# notice some packet loss, you may want to increase the size of
-		# the receiver buffer. The default size is usually around
-		# ~100 KBytes which is fairly small for busy firewalls.
-		#
-		RcvSocketBuffer 1249280
-
-		# 
-		# Enable/Disable message checksumming. This is a good
-		# property to achieve fault-tolerance. In case of doubt, do
-		# not modify this value.
-		#
-		Checksum on
-	}
-	#
-	# You can specify more than one dedicated link. Thus, if one dedicated
-	# link fails, conntrackd can fail-over to another. Note that adding
-	# more than one dedicated link does not mean that state-updates will
-	# be sent to all of them. There is only one active dedicated link at
-	# a given moment. The `Default' keyword indicates that this interface
-	# will be selected as the initial dedicated link. You can have 
-	# up to 4 redundant dedicated links. Note: Use different multicast 
-	# groups for every redundant link.
-	#
-	# Multicast Default {
-	#	IPv4_address 225.0.0.51
-	#	Group 3781
-	#	IPv4_interface 192.168.100.101
-	#	Interface eth3
-	#	# SndSocketBuffer 1249280
-	#	# RcvSocketBuffer 1249280
-	#	Checksum on
-	# }
-
-	#
-	# You can use Unicast UDP instead of Multicast to propagate events.
-	# Note that you cannot use unicast UDP and Multicast at the same
-	# time, you can only select one.
-	# 
-	# UDP {
-		# 
-		# UDP address that this firewall uses to listen to events.
-		#
-		# IPv4_address 192.168.2.100
-		#
-		# or you may want to use an IPv6 address:
-		#
-		# IPv6_address fe80::215:58ff:fe28:5a27
-
-		#
-		# Destination UDP address that receives events, ie. the other
-		# firewall's dedicated link address.
-		#
-		# IPv4_Destination_Address 192.168.2.101
-		#
-		# or you may want to use an IPv6 address:
-		#
-		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
-
-		#
-		# UDP port used
-		#
-		# Port 3780
-
-		#
-		# The name of the interface that you are going to use to
-		# send the synchronization messages.
-		#
-		# Interface eth2
-
-		# 
-		# The sender socket buffer size
-		#
-		# SndSocketBuffer 1249280
-
-		#
-		# The receiver socket buffer size
-		#
-		# RcvSocketBuffer 1249280
-
-		# 
-		# Enable/Disable message checksumming. 
-		#
-		# Checksum on
-	# }
-}
-
-#
-# General settings
-#
-General {
-	#
-	# Set the nice value of the daemon, this value goes from -20
-	# (most favorable scheduling) to 19 (least favorable). Using a
-	# very low value reduces the chances to lose state-change events.
-	# Default is 0 but this example file sets it to most favourable
-	# scheduling as this is generally a good idea. See man nice(1) for
-	# more information.
-	#
-	Nice -20
-
-	#
-	# Number of buckets in the cache hashtable. The bigger it is,
-	# the closer it gets to O(1) at the cost of consuming more memory.
-	# Read some documents about tuning hashtables for further reference.
-	#
-	HashSize 32768
-
-	#
-	# Maximum number of conntracks, it should be double of: 
-	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
-	# since the daemon may keep some dead entries cached for possible
-	# retransmission during state synchronization.
-	#
-	HashLimit 131072
-
-	#
-	# Logfile: on (/var/log/conntrackd.log), off, or a filename
-	# Default: off
-	#
-	LogFile on
-
-	#
-	# Syslog: on, off or a facility name (daemon (default) or local0..7)
-	# Default: off
-	#
-	#Syslog on
-
-	#
-	# Lockfile
-	# 
-	LockFile /var/lock/conntrack.lock
-
-	#
-	# Unix socket configuration
-	#
-	UNIX {
-		Path /var/run/conntrackd.ctl
-		Backlog 20
-	}
-
-	#
-	# Netlink event socket buffer size. If you do not specify this clause,
-	# the default buffer size value in /proc/net/core/rmem_default is
-	# used. This default value is usually around 100 Kbytes which is
-	# fairly small for busy firewalls. This leads to event message dropping
-	# and high CPU consumption. This example configuration file sets the
-	# size to 2 MBytes to avoid this sort of problems.
-	#
-	NetlinkBufferSize 2097152
-
-	#
-	# The daemon doubles the size of the netlink event socket buffer size
-	# if it detects netlink event message dropping. This clause sets the
-	# maximum buffer size growth that can be reached. This example file
-	# sets the size to 8 MBytes.
-	#
-	NetlinkBufferSizeMaxGrowth 8388608
-
-	#
-	# If the daemon detects that Netlink is dropping state-change events,
-	# it automatically schedules a resynchronization against the Kernel
-	# after 30 seconds (default value). Resynchronizations are expensive
-	# in terms of CPU consumption since the daemon has to get the full
-	# kernel state-table and purge state-entries that do not exist anymore.
-	# Be careful of setting a very small value here. You have the following
-	# choices: On (enabled, use default 30 seconds value), Off (disabled)
-	# or Value (in seconds, to set a specific amount of time). If not
-	# specified, the daemon assumes that this option is enabled.
-	#
-	# NetlinkOverrunResync On
-
-	# 
-	# By default, the daemon receives state updates following an
-	# event-driven model. You can modify this behaviour by switching to
-	# polling mode with the PollSecs clause. This clause tells conntrackd
-	# to dump the states in the kernel every N seconds. With regards to
-	# synchronization mode, the polling mode can only guarantee that
-	# long-lifetime states are recovered. The main advantage of this method
-	# is the reduction in the state replication at the cost of reducing the
-	# chances of recovering connections.
-	#
-	# PollSecs 15
-
-	#
-	# The daemon prioritizes the handling of state-change events coming
-	# from the core. With this clause, you can set the maximum number of
-	# state-change events (those coming from kernel-space) that the daemon
-	# will handle after which it will handle other events coming from the
-	# network or userspace. A low value improves interactivity (in terms of
-	# real-time behaviour) at the cost of extra CPU consumption.
-	# Default (if not set) is 100.
-	#
-	# EventIterationLimit 100
-
-	#
-	# Event filtering: This clause allows you to filter certain traffic,
-	# There are currently three filter-sets: Protocol, Address and
-	# State. The filter is attached to an action that can be: Accept or
-	# Ignore. Thus, you can define the event filtering policy of the
-	# filter-sets in positive or negative logic depending on your needs.
-	# You can select if conntrackd filters the event messages from 
-	# user-space or kernel-space. The kernel-space event filtering
-	# saves some CPU cycles by avoiding the copy of the event message
-	# from kernel-space to user-space. The kernel-space event filtering
-	# is prefered, however, you require a Linux kernel >= 2.6.29 to
-	# filter from kernel-space. If you want to select kernel-space 
-	# event filtering, use the keyword 'Kernelspace' instead of 
-	# 'Userspace'.
-	#
-	Filter From Userspace {
-		#
-		# Accept only certain protocols: You may want to replicate
-		# the state of flows depending on their layer 4 protocol.
-		#
-		Protocol Accept {
-			TCP
-		}
-
-		#
-		# Ignore traffic for a certain set of IP's: Usually all the
-		# IP assigned to the firewall since local traffic must be
-		# ignored, only forwarded connections are worth to replicate.
-		# Note that these values depends on the local IPs that are
-		# assigned to the firewall.
-		#
-		Address Ignore {
-			IPv4_address 127.0.0.1 # loopback
-			IPv4_address 192.168.0.100 # virtual IP 1
-			IPv4_address 192.168.1.100 # virtual IP 2
-			IPv4_address 192.168.0.1
-			IPv4_address 192.168.1.1
-			IPv4_address 192.168.100.100 # dedicated link ip
-			#
-			# You can also specify networks in format IP/cidr.
-			# IPv4_address 192.168.0.0/24
-		}
-
-		#
-		# Uncomment this line below if you want to filter by flow state.
-		# This option introduces a trade-off in the replication: it
-		# reduces CPU consumption at the cost of having lazy backup 
-		# firewall replicas. The existing TCP states are: SYN_SENT,
-		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
-		# TIME_WAIT, CLOSED, LISTEN.
-		#
-		# State Accept {
-		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
-		# }
-	}
-}
diff --git a/doc/sync/alarm/conntrackd.conf.rej b/doc/sync/alarm/conntrackd.conf.rej
deleted file mode 100644
index 108546f..0000000
--- a/doc/sync/alarm/conntrackd.conf.rej
+++ /dev/null
@@ -1,30 +0,0 @@
-*************** Sync {
-*** 23,36 ****
-  
-  		#
-  		# If the firewall replica goes from primary to backup,
-- 		# the conntrackd -t command is invoked in the script. 
-- 		# This command resets the timers of the conntracks that
-- 		# live in the kernel to this new value. This is useful
-- 		# to purge the connection tracking table of zombie entries
-- 		# and avoid clashes with old entries if you trigger 
-- 		# several consecutive hand-overs.
-  		#
-- 		PurgeTimeout 15
-  
-  		# Set the acknowledgement window size. If you decrease this
-  		# value, the number of acknowlegdments increases. More
---- 23,35 ----
-  
-  		#
-  		# If the firewall replica goes from primary to backup,
-+ 		# the conntrackd -t command is invoked in the script.
-+ 		# This command schedules a flush of the table in N seconds.
-+ 		# This is useful to purge the connection tracking table of
-+ 		# zombie entries and avoid clashes with old entries if you
-+ 		# trigger several consecutive hand-overs. Default is 60 seconds.
-  		#
-+ 		# PurgeTimeout 60
-  
-  		# Set the acknowledgement window size. If you decrease this
-  		# value, the number of acknowlegdments increases. More
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index df10aca..0304f0f 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -204,6 +204,33 @@ Sync {
 		# Checksum on
 	# }
 
+	# 
+	# Other unsorted options that are related to the synchronization.
+	# 
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		# This feature requires a Linux kernel >= 2.6.36.
+		#
+		# TCPWindowTracking Off
+
+		# Set this option on if you want to enable the synchronization
+		# of expectations. You have to specify the list of helpers that
+		# you want to enable. Default is off.
+		#
+		# ExpectationSync {
+		#	ftp
+		#	h323
+		#	sip
+		# }
+		#
+		# You can use this alternatively:
+		#
+		# ExpectationSync On
+		#
+		# If you want to synchronize expectations of all helpers.
+	# }
 }
 
 #
@@ -357,7 +384,9 @@ General {
 			TCP
 			SCTP
 			DCCP
+			# UDP
 			# ICMP # This requires a Linux kernel >= 2.6.31
+			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
 		}
 
 		#
diff --git a/doc/sync/ftfw/conntrackd.conf.orig b/doc/sync/ftfw/conntrackd.conf.orig
deleted file mode 100644
index c1208f9..0000000
--- a/doc/sync/ftfw/conntrackd.conf.orig
+++ /dev/null
@@ -1,370 +0,0 @@
-#
-# Synchronizer settings
-#
-Sync {
-	Mode FTFW {
-		#
-		# Size of the resend queue (in objects). This is the maximum
-		# number of objects that can be stored waiting to be confirmed
-		# via acknoledgment. If you keep this value low, the daemon
-		# will have less chances to recover state-changes under message
-		# omission. On the other hand, if you keep this value high,
-		# the daemon will consume more memory to store dead objects.
-		# Default is 131072 objects.
-		#
-		# ResendQueueSize 131072
-
-		#
-		# This parameter allows you to set an initial fixed timeout
-		# for the committed entries when this node goes from backup
-		# to primary. This mechanism provides a way to purge entries
-		# that were not recovered appropriately after the specified
-		# fixed timeout. If you set a low value, TCP entries in
-		# Established states with no traffic may hang. For example,
-		# an SSH connection without KeepAlive enabled. If not set,
-		# the daemon uses an approximate timeout value calculation
-		# mechanism. By default, this option is not set.
-		#
-		# CommitTimeout 180
-
-		#
-		# If the firewall replica goes from primary to backup,
-		# the conntrackd -t command is invoked in the script. 
-		# This command schedules a flush of the table in N seconds.
-		# This is useful to purge the connection tracking table of
-		# zombie entries and avoid clashes with old entries if you
-		# trigger several consecutive hand-overs. Default is 60 seconds.
-		#
-		# PurgeTimeout 60
-
-		# Set the acknowledgement window size. If you decrease this
-		# value, the number of acknowlegdments increases. More
-		# acknowledgments means more overhead as conntrackd has to
-		# handle more control messages. On the other hand, if you
-		# increase this value, the resend queue gets more populated.
-		# This results in more overhead in the queue releasing.
-		# The following value is based on some practical experiments
-		# measuring the cycles spent by the acknowledgment handling
-		# with oprofile. If not set, default window size is 300.
-		#
-		# ACKWindowSize 300
-	}
-
-	#
-	# Multicast IP and interface where messages are
-	# broadcasted (dedicated link). IMPORTANT: Make sure
-	# that iptables accepts traffic for destination
-	# 225.0.0.50, eg:
-	#
-	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
-	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
-	#
-	Multicast {
-		# 
-		# Multicast address: The address that you use as destination
-		# in the synchronization messages. You do not have to add
-		# this IP to any of your existing interfaces. If any doubt,
-		# do not modify this value.
-		#
-		IPv4_address 225.0.0.50
-
-		#
-		# The multicast group that identifies the cluster. If any
-		# doubt, do not modify this value.
-		#
-		Group 3780
-
-		#
-		# IP address of the interface that you are going to use to
-		# send the synchronization messages. Remember that you must
-		# use a dedicated link for the synchronization messages.
-		#
-		IPv4_interface 192.168.100.100
-
-		#
-		# The name of the interface that you are going to use to
-		# send the synchronization messages.
-		#
-		Interface eth2
-
-		# The multicast sender uses a buffer to enqueue the packets
-		# that are going to be transmitted. The default size of this
-		# socket buffer is available at /proc/sys/net/core/wmem_default.
-		# This value determines the chances to have an overrun in the
-		# sender queue. The overrun results packet loss, thus, losing
-		# state information that would have to be retransmitted. If you
-		# notice some packet loss, you may want to increase the size
-		# of the sender buffer. The default size is usually around
-		# ~100 KBytes which is fairly small for busy firewalls.
-		#
-		SndSocketBuffer 1249280
-
-		# The multicast receiver uses a buffer to enqueue the packets
-		# that the socket is pending to handle. The default size of this
-		# socket buffer is available at /proc/sys/net/core/rmem_default.
-		# This value determines the chances to have an overrun in the
-		# receiver queue. The overrun results packet loss, thus, losing
-		# state information that would have to be retransmitted. If you
-		# notice some packet loss, you may want to increase the size of
-		# the receiver buffer. The default size is usually around
-		# ~100 KBytes which is fairly small for busy firewalls.
-		#
-		RcvSocketBuffer 1249280
-
-		# 
-		# Enable/Disable message checksumming. This is a good
-		# property to achieve fault-tolerance. In case of doubt, do
-		# not modify this value.
-		#
-		Checksum on
-	}
-	#
-	# You can specify more than one dedicated link. Thus, if one dedicated
-	# link fails, conntrackd can fail-over to another. Note that adding
-	# more than one dedicated link does not mean that state-updates will
-	# be sent to all of them. There is only one active dedicated link at
-	# a given moment. The `Default' keyword indicates that this interface
-	# will be selected as the initial dedicated link. You can have 
-	# up to 4 redundant dedicated links. Note: Use different multicast 
-	# groups for every redundant link.
-	#
-	# Multicast Default {
-	#	IPv4_address 225.0.0.51
-	#	Group 3781
-	#	IPv4_interface 192.168.100.101
-	#	Interface eth3
-	#	# SndSocketBuffer 1249280
-	#	# RcvSocketBuffer 1249280
-	#	Checksum on
-	# }
-
-	#
-	# You can use Unicast UDP instead of Multicast to propagate events.
-	# Note that you cannot use unicast UDP and Multicast at the same
-	# time, you can only select one.
-	# 
-	# UDP {
-		# 
-		# UDP address that this firewall uses to listen to events.
-		#
-		# IPv4_address 192.168.2.100
-		#
-		# or you may want to use an IPv6 address:
-		#
-		# IPv6_address fe80::215:58ff:fe28:5a27
-
-		#
-		# Destination UDP address that receives events, ie. the other
-		# firewall's dedicated link address.
-		#
-		# IPv4_Destination_Address 192.168.2.101
-		#
-		# or you may want to use an IPv6 address:
-		#
-		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
-
-		#
-		# UDP port used
-		#
-		# Port 3780
-
-		#
-		# The name of the interface that you are going to use to
-		# send the synchronization messages.
-		#
-		# Interface eth2
-
-		# 
-		# The sender socket buffer size
-		#
-		# SndSocketBuffer 1249280
-
-		#
-		# The receiver socket buffer size
-		#
-		# RcvSocketBuffer 1249280
-
-		# 
-		# Enable/Disable message checksumming. 
-		#
-		# Checksum on
-	# }
-}
-
-#
-# General settings
-#
-General {
-	#
-	# Set the nice value of the daemon, this value goes from -20
-	# (most favorable scheduling) to 19 (least favorable). Using a
-	# very low value reduces the chances to lose state-change events.
-	# Default is 0 but this example file sets it to most favourable
-	# scheduling as this is generally a good idea. See man nice(1) for
-	# more information.
-	#
-	Nice -20
-
-	#
-	# Select a different scheduler for the daemon, you can select between
-	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
-	# See man sched_setscheduler(2) for more information. Using a RT
-	# scheduler reduces the chances to overrun the Netlink buffer.
-	#
-	# Scheduler {
-	#	Type FIFO
-	#	Priority 99
-	# }
-
-	#
-	# Number of buckets in the cache hashtable. The bigger it is,
-	# the closer it gets to O(1) at the cost of consuming more memory.
-	# Read some documents about tuning hashtables for further reference.
-	#
-	HashSize 32768
-
-	#
-	# Maximum number of conntracks, it should be double of: 
-	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
-	# since the daemon may keep some dead entries cached for possible
-	# retransmission during state synchronization.
-	#
-	HashLimit 131072
-
-	#
-	# Logfile: on (/var/log/conntrackd.log), off, or a filename
-	# Default: off
-	#
-	LogFile on
-
-	#
-	# Syslog: on, off or a facility name (daemon (default) or local0..7)
-	# Default: off
-	#
-	#Syslog on
-
-	#
-	# Lockfile
-	# 
-	LockFile /var/lock/conntrack.lock
-
-	#
-	# Unix socket configuration
-	#
-	UNIX {
-		Path /var/run/conntrackd.ctl
-		Backlog 20
-	}
-
-	#
-	# Netlink event socket buffer size. If you do not specify this clause,
-	# the default buffer size value in /proc/net/core/rmem_default is
-	# used. This default value is usually around 100 Kbytes which is
-	# fairly small for busy firewalls. This leads to event message dropping
-	# and high CPU consumption. This example configuration file sets the
-	# size to 2 MBytes to avoid this sort of problems.
-	#
-	NetlinkBufferSize 2097152
-
-	#
-	# The daemon doubles the size of the netlink event socket buffer size
-	# if it detects netlink event message dropping. This clause sets the
-	# maximum buffer size growth that can be reached. This example file
-	# sets the size to 8 MBytes.
-	#
-	NetlinkBufferSizeMaxGrowth 8388608
-
-	#
-	# If the daemon detects that Netlink is dropping state-change events,
-	# it automatically schedules a resynchronization against the Kernel
-	# after 30 seconds (default value). Resynchronizations are expensive
-	# in terms of CPU consumption since the daemon has to get the full
-	# kernel state-table and purge state-entries that do not exist anymore.
-	# Be careful of setting a very small value here. You have the following
-	# choices: On (enabled, use default 30 seconds value), Off (disabled)
-	# or Value (in seconds, to set a specific amount of time). If not
-	# specified, the daemon assumes that this option is enabled.
-	#
-	# NetlinkOverrunResync On
-
-	# 
-	# By default, the daemon receives state updates following an
-	# event-driven model. You can modify this behaviour by switching to
-	# polling mode with the PollSecs clause. This clause tells conntrackd
-	# to dump the states in the kernel every N seconds. With regards to
-	# synchronization mode, the polling mode can only guarantee that
-	# long-lifetime states are recovered. The main advantage of this method
-	# is the reduction in the state replication at the cost of reducing the
-	# chances of recovering connections.
-	#
-	# PollSecs 15
-
-	#
-	# The daemon prioritizes the handling of state-change events coming
-	# from the core. With this clause, you can set the maximum number of
-	# state-change events (those coming from kernel-space) that the daemon
-	# will handle after which it will handle other events coming from the
-	# network or userspace. A low value improves interactivity (in terms of
-	# real-time behaviour) at the cost of extra CPU consumption.
-	# Default (if not set) is 100.
-	#
-	# EventIterationLimit 100
-
-	#
-	# Event filtering: This clause allows you to filter certain traffic,
-	# There are currently three filter-sets: Protocol, Address and
-	# State. The filter is attached to an action that can be: Accept or
-	# Ignore. Thus, you can define the event filtering policy of the
-	# filter-sets in positive or negative logic depending on your needs.
-	# You can select if conntrackd filters the event messages from 
-	# user-space or kernel-space. The kernel-space event filtering
-	# saves some CPU cycles by avoiding the copy of the event message
-	# from kernel-space to user-space. The kernel-space event filtering
-	# is prefered, however, you require a Linux kernel >= 2.6.29 to
-	# filter from kernel-space. If you want to select kernel-space 
-	# event filtering, use the keyword 'Kernelspace' instead of 
-	# 'Userspace'.
-	#
-	Filter From Userspace {
-		#
-		# Accept only certain protocols: You may want to replicate
-		# the state of flows depending on their layer 4 protocol.
-		#
-		Protocol Accept {
-			TCP
-			SCTP
-			DCCP
-		}
-
-		#
-		# Ignore traffic for a certain set of IP's: Usually all the
-		# IP assigned to the firewall since local traffic must be
-		# ignored, only forwarded connections are worth to replicate.
-		# Note that these values depends on the local IPs that are
-		# assigned to the firewall.
-		#
-		Address Ignore {
-			IPv4_address 127.0.0.1 # loopback
-			IPv4_address 192.168.0.100 # virtual IP 1
-			IPv4_address 192.168.1.100 # virtual IP 2
-			IPv4_address 192.168.0.1
-			IPv4_address 192.168.1.1
-			IPv4_address 192.168.100.100 # dedicated link ip
-			#
-			# You can also specify networks in format IP/cidr.
-			# IPv4_address 192.168.0.0/24
-		}
-
-		#
-		# Uncomment this line below if you want to filter by flow state.
-		# This option introduces a trade-off in the replication: it
-		# reduces CPU consumption at the cost of having lazy backup 
-		# firewall replicas. The existing TCP states are: SYN_SENT,
-		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
-		# TIME_WAIT, CLOSED, LISTEN.
-		#
-		# State Accept {
-		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
-		# }
-	}
-}
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index f8bccc4..34e7b32 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -242,6 +242,34 @@ Sync {
 		#
 		# Checksum on
 	# }
+
+	#
+	# Other unsorted options that are related to the synchronization.
+	#
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		# This feature requires a Linux kernel >= 2.6.36.
+		#
+		# TCPWindowTracking Off
+
+		# Set this option on if you want to enable the synchronization
+		# of expectations. You have to specify the list of helpers that
+		# you want to enable. Default is off.
+		#
+		# ExpectationSync {
+		#       ftp
+		#       h323
+		#       sip
+		# }
+		#
+		# You can use this alternatively:
+		#
+		# ExpectationSync On
+		#
+		# If you want to synchronize expectations of all helpers.
+	# }
 }
 
 #
@@ -394,7 +422,9 @@ General {
 			TCP
 			SCTP
 			DCCP
+			# UDP
 			# ICMP # This requires a Linux kernel >= 2.6.31
+			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
 		}
 
 		#
diff --git a/doc/sync/primary-backup.sh b/doc/sync/primary-backup.sh
index 34c1cfa..fb74adc 100755
--- a/doc/sync/primary-backup.sh
+++ b/doc/sync/primary-backup.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-# 
-# (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org>
 #
-# This software may be used and distributed according to the terms
-# of the GNU General Public License, incorporated herein by reference.
+# (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
 #
 # Description:
 #