#
# Synchronizer settings
#
Sync {
	Mode ALARM {
		#
		# If a conntrack entry is not modified in <= 15 seconds, then
		# a refresh message is sent to the multicast group. This
		# mechanism is used to resynchronize nodes that have just
		# joined the multicast group.
		#
		RefreshTime 15
	
		#
		# If we don't receive a notification about the state of
		# an entry in the external cache after N seconds, then
		# remove it. Keep this well above RefreshTime (15 here);
		# otherwise idle entries would expire from the external
		# cache between two refreshes.
		#
		CacheTimeout 180

		#
		# Entries committed to the connection tracking table
		# start with a limited timeout of N seconds until the
		# takeover process is completed.
		#
		CommitTimeout 180

		#
		# If the firewall replica goes from primary to backup,
		# the conntrackd -t command is invoked in the script.
		# This command resets the timers of the conntracks that
		# live in the kernel to this new value. This is useful
		# to purge the connection tracking table of zombie entries
		# and avoid clashes with old entries if you trigger
		# several consecutive hand-overs.
		#
		PurgeTimeout 15
	}

	#
	# Multicast IP and interface where the synchronization messages
	# are sent (dedicated link). IMPORTANT: make sure that iptables
	# accepts traffic for destination 225.0.0.50. Bind the rules to
	# the dedicated interface (eth2, see "Interface" below) so that
	# sync traffic is not accepted from any other network, eg:
	#
	#	iptables -I INPUT  -i eth2 -d 225.0.0.50 -j ACCEPT
	#	iptables -I OUTPUT -o eth2 -d 225.0.0.50 -j ACCEPT
	#
	# SECURITY NOTE: as configured here nothing authenticates or
	# encrypts the sync messages ("Checksum on" below only detects
	# corruption). Any host able to send to this multicast group on
	# the dedicated link could inject or alter the connection state
	# replicated across the cluster, so the link must be physically
	# isolated or otherwise trusted. Consider also restricting the
	# INPUT rule to the peer's source address.
	#
	Multicast {
		#
		# Multicast address: the destination address used for the
		# synchronization messages. You do not have to add this IP
		# to any of your existing interfaces. If in doubt, do not
		# modify this value.
		#
		IPv4_address 225.0.0.50

		#
		# The multicast group that identifies the cluster; every node
		# of the cluster must use the same value. If in doubt, do not
		# modify this value.
		#
		Group 3780

		#
		# IP address of the interface that you are going to use to
		# send the synchronization messages. Remember that you must
		# use a dedicated link for the synchronization messages.
		# This address is also listed under "Address Ignore" in the
		# General section so that the sync traffic itself is never
		# replicated.
		#
		IPv4_interface 192.168.100.100

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages. It should be the
		# interface carrying IPv4_interface above, and it is the
		# interface the iptables rules above are bound to.
		#
		Interface eth2

		# The multicast sender uses a buffer to enqueue the packets
		# that are going to be transmitted. The default size of this
		# socket buffer is available at /proc/sys/net/core/wmem_default.
		# This value determines the chances of an overrun in the
		# sender queue. An overrun results in packet loss, i.e. losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the sender buffer.
		#
		# McastSndSocketBuffer 1249280

		# The multicast receiver uses a buffer to enqueue the packets
		# that the socket is pending to handle. The default size of this
		# socket buffer is available at /proc/sys/net/core/rmem_default.
		# This value determines the chances of an overrun in the
		# receiver queue. An overrun results in packet loss, i.e. losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size of
		# the receiver buffer.
		#
		# McastRcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming. This is a good
		# property to achieve fault-tolerance (presumably by letting
		# the receiver discard corrupted messages). It is NOT an
		# authentication or anti-tampering mechanism -- see the
		# SECURITY NOTE above the Multicast block. In case of doubt,
		# do not modify this value.
		#
		Checksum on
	}
}

#
# General settings
#
General {
	#
	# Number of buckets in the caches' hash table.
	#
	HashSize 16384

	#
	# Maximum number of conntracks held in the caches:
	# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
	# (on kernels where that file does not exist the equivalent is
	# /proc/sys/net/netfilter/nf_conntrack_max -- confirm on the target).
	# If this is smaller than the kernel limit, the caches presumably
	# cannot hold every kernel entry and some state would not be
	# replicated.
	#
	HashLimit 65536

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	# Keep the log readable by root only; it may expose details of
	# the replicated flows.
	#
	LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile (meant to avoid running two daemon instances at once)
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration. This is the control channel used by
	# the conntrackd client commands (e.g. the `conntrackd -t` mentioned
	# in the Sync section); presumably any local process that can
	# connect to it can issue the same control commands, so keep the
	# socket and its directory root-owned and not world-writable.
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink socket buffer size
	#
	SocketBufferSize 262142

	#
	# Increase the socket buffer up to this maximum if required
	#
	SocketBufferSizeMaxGrown 655355

	#
	# Event filtering: This clause allows you to filter certain traffic.
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# You can select whether conntrackd filters the event messages in
	# user-space or kernel-space. The kernel-space event filtering
	# saves some CPU cycles by avoiding the copy of the event message
	# from kernel-space to user-space. The kernel-space event filtering
	# is preferred, however, you require a Linux kernel >= 2.6.29 to
	# filter from kernel-space. If you want to select kernel-space
	# event filtering, use the keyword 'Kernelspace' instead of
	# 'Userspace'.
	#
	Filter from Userspace {
		#
		# Accept only certain protocols: You may want to replicate
		# the state of flows depending on their layer 4 protocol.
		# Only TCP is accepted here, so flows of any other protocol
		# (UDP, ICMP, ...) are not replicated to the backup.
		#
		Protocol Accept {
			TCP
		}

		#
		# Ignore traffic for a certain set of IPs: usually all the
		# IPs assigned to the firewall, since local traffic must be
		# ignored; only forwarded connections are worth replicating.
		# Note that these values depend on the local IPs that are
		# assigned to the firewall. Keep this list in step with the
		# real addresses of the box, including the dedicated sync
		# link (IPv4_interface in the Sync section).
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.1.100 # virtual IP 2
			IPv4_address 192.168.0.1
			IPv4_address 192.168.1.1
			IPv4_address 192.168.100.100 # dedicated link ip
			#
			# You can also specify networks in IP/cidr format.
			# IPv4_address 192.168.0.0/24
		}

		#
		# Uncomment the lines below if you want to filter by flow state.
		# This option introduces a trade-off in the replication: it
		# reduces CPU consumption at the cost of having lazy backup
		# firewall replicas. The existing TCP states are: SYN_SENT,
		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
		# TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}