summaryrefslogtreecommitdiff
path: root/doc/sync/alarm/node2/conntrackd.conf
diff options
context:
space:
mode:
Diffstat (limited to 'doc/sync/alarm/node2/conntrackd.conf')
-rw-r--r--doc/sync/alarm/node2/conntrackd.conf170
1 files changed, 0 insertions, 170 deletions
diff --git a/doc/sync/alarm/node2/conntrackd.conf b/doc/sync/alarm/node2/conntrackd.conf
deleted file mode 100644
index 8f7abb2..0000000
--- a/doc/sync/alarm/node2/conntrackd.conf
+++ /dev/null
@@ -1,170 +0,0 @@
-#
-# Synchronizer settings
-#
-Sync {
- Mode ALARM {
- #
- # If a conntrack entry is not modified in <= 15 seconds, then
- # a message is broadcasted. This mechanism is used to
- # resynchronize nodes that just joined the multicast group
- #
- RefreshTime 15
-
- #
- # If we don't receive a notification about the state of
- # an entry in the external cache after N seconds, then
- # remove it.
- #
- CacheTimeout 180
-
- #
- # Entries committed to the connection tracking table
- # starts with a limited timeout of N seconds until the
- # takeover process is completed.
- #
- CommitTimeout 180
- }
-
- #
- # Multicast IP and interface where messages are
- # broadcasted (dedicated link). IMPORTANT: Make sure
- # that iptables accepts traffic for destination
- # 225.0.0.50, eg:
- #
- # iptables -I INPUT -d 225.0.0.50 -j ACCEPT
- # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
- #
- Multicast {
- IPv4_address 225.0.0.50
- IPv4_interface 192.168.100.200 # IP of dedicated link
- Interface eth2
- Group 3780
-
- # The multicast sender uses a buffer to enqueue the packets
- # that are going to be transmitted. The default size of this
- # socket buffer is available at /proc/sys/net/core/wmem_default.
- # This value determines the chances to have an overrun in the
- # sender queue. The overrun results packet loss, thus, losing
- # state information that would have to be retransmitted. If you
- # notice some packet loss, you may want to increase the size
- # of the sender buffer.
- #
- # McastSndSocketBuffer 1249280
-
- # The multicast receiver uses a buffer to enqueue the packets
- # that the socket is pending to handle. The default size of this
- # socket buffer is available at /proc/sys/net/core/rmem_default.
- # This value determines the chances to have an overrun in the
- # receiver queue. The overrun results packet loss, thus, losing
- # state information that would have to be retransmitted. If you
- # notice some packet loss, you may want to increase the size of
- # the receiver buffer.
- #
- # McastRcvSocketBuffer 1249280
- }
-
- # Enable/Disable message checksumming
- Checksum on
-
- # If you have a multiprimary setup (active-active) without connection
- # persistency, ie. you can't know which firewall handles a packet
- # that is part of a connection, then you need direct commit of
- # conntrack entries to the kernel conntrack table. OSPF setups must
- # set on this option. Default is Off.
- #
- # CacheWriteThrough On
-}
-
-#
-# General settings
-#
-General {
- #
- # Number of buckets in the caches: hash table
- #
- HashSize 8192
-
- #
- # Maximum number of conntracks:
- # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
- #
- HashLimit 65535
-
- #
- # Logfile: on (/var/log/conntrackd.log), off, or a filename
- # Default: off
- #
- #LogFile on
-
- #
- # Syslog: on, off or a facility name (daemon (default) or local0..7)
- # Default: off
- #
- #Syslog on
-
- #
- # Lockfile
- #
- LockFile /var/lock/conntrack.lock
-
- #
- # Unix socket configuration
- #
- UNIX {
- Path /tmp/sync.sock
- Backlog 20
- }
-
- #
- # Netlink socket buffer size
- #
- SocketBufferSize 262142
-
- #
- # Increase the socket buffer up to maximum if required
- #
- SocketBufferSizeMaxGrown 655355
-
- #
- # Event filtering: This clause allows you to filter certain traffic,
- # There are currently three filter-sets: Protocol, Address and
- # State. The filter is attached to an action that can be: Accept or
- # Ignore. Thus, you can define the event filtering policy of the
- # filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
- #
- # Accept only certain protocols: You may want to replicate
- # the state of flows depending on their layer 4 protocol.
- #
- Protocol Accept {
- TCP
- }
-
- #
- # Ignore traffic for a certain set of IP's: Usually all the
- # IP assigned to the firewall since local traffic must be
- # ignored, only forwarded connections are worth to replicate.
- #
- Address Ignore {
- IPv4_address 127.0.0.1 # loopback
- IPv4_address 192.168.0.2
- IPv4_address 192.168.1.2
- IPv4_address 192.168.100.200 # dedicated link ip
- IPv4_address 192.168.0.100 # virtual IP 1
- IPv4_address 192.168.1.100 # virtual IP 2
- }
-
- #
- # Uncomment this line below if you want to filter by flow state.
- # This option introduces a trade-off in the replication: it
- # reduces CPU consumption at the cost of having lazy backup
- # firewall replicas. The existing TCP states are: SYN_SENT,
- # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
- # TIME_WAIT, CLOSED, LISTEN.
- #
- # State Accept {
- # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
- # }
- }
-}