summaryrefslogtreecommitdiff
path: root/doc/sync/alarm/node2/conntrackd.conf
diff options
context:
space:
mode:
Diffstat (limited to 'doc/sync/alarm/node2/conntrackd.conf')
-rw-r--r--doc/sync/alarm/node2/conntrackd.conf140
1 files changed, 140 insertions, 0 deletions
diff --git a/doc/sync/alarm/node2/conntrackd.conf b/doc/sync/alarm/node2/conntrackd.conf
new file mode 100644
index 0000000..fb12130
--- /dev/null
+++ b/doc/sync/alarm/node2/conntrackd.conf
@@ -0,0 +1,140 @@
+#
+# Synchronizer settings
+#
+Sync {
+ Mode ALARM {
+ #
+ # If a conntrack entry is not modified in <= 15 seconds, then
+ # a message is broadcasted. This mechanism is used to
+ # resynchronize nodes that just joined the multicast group
+ #
+ RefreshTime 15
+
+ #
+ # If we don't receive a notification about the state of
+ # an entry in the external cache after N seconds, then
+ # remove it.
+ #
+ CacheTimeout 180
+
+ #
+ # Entries committed to the connection tracking table
+ # starts with a limited timeout of N seconds until the
+ # takeover process is completed.
+ #
+ CommitTimeout 180
+ }
+
+ #
+ # Multicast IP and interface where messages are
+ # broadcasted (dedicated link). IMPORTANT: Make sure
+ # that iptables accepts traffic for destination
+ # 225.0.0.50, eg:
+ #
+ # iptables -I INPUT -d 225.0.0.50 -j ACCEPT
+ # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
+ #
+ Multicast {
+ IPv4_address 225.0.0.50
+ IPv4_interface 192.168.100.200 # IP of dedicated link
+ Interface eth2
+ Group 3780
+ }
+
+ # Enable/Disable message checksumming
+ Checksum on
+
+ # Uncomment this if you want to replicate just certain TCP states.
+ # This option introduces a tradeoff in the replication: it reduces
+ # CPU consumption and lost messages rate at the cost of having
+ # backup replicas that don't contain the current state that the active
+ # replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
+ # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN.
+ #
+ # Replicate ESTABLISHED TIME_WAIT for TCP
+
+ # If you have a multiprimary setup (active-active) without connection
+ # persistency, ie. you can't know which firewall handles a packet
+ # that is part of a connection, then you need direct commit of
+ # conntrack entries to the kernel conntrack table. OSPF setups must
+ # set on this option. Default is Off.
+ #
+ # CacheWriteThrough On
+}
+
+#
+# General settings
+#
+General {
+ #
+ # Number of buckets in the caches: hash table
+ #
+ HashSize 8192
+
+ #
+ # Maximum number of conntracks:
+ # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
+ #
+ HashLimit 65535
+
+ #
+ # Logfile: on, off, or a filename
+ # Default: on (/var/log/conntrackd.log)
+ #
+ #LogFile off
+
+ #
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ #Syslog on
+
+ #
+ # Lockfile
+ #
+ LockFile /var/lock/conntrack.lock
+
+ #
+ # Unix socket configuration
+ #
+ UNIX {
+ Path /tmp/sync.sock
+ Backlog 20
+ }
+
+ #
+ # Netlink socket buffer size
+ #
+ SocketBufferSize 262142
+
+ #
+ # Increase the socket buffer up to maximum if required
+ #
+ SocketBufferSizeMaxGrown 655355
+}
+
+#
+# Ignore traffic for a certain set of IP's: Usually
+# all the IP assigned to the firewall since local
+# traffic must be ignored, just forwarded connections
+# are worth to replicate
+#
+IgnoreTrafficFor {
+ IPv4_address 127.0.0.1 # loopback
+ IPv4_address 192.168.0.2
+ IPv4_address 192.168.1.2
+ IPv4_address 192.168.100.200 # dedicated link ip
+ IPv4_address 192.168.0.200 # virtual IP 1
+ IPv4_address 192.168.1.200 # virtual IP 2
+}
+
+#
+# Do not replicate certain protocol traffic
+#
+IgnoreProtocol {
+ UDP
+ ICMP
+ IGMP
+ VRRP
+ # numeric numbers also valid
+}