1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
#
# General settings
#
General {
#
# Set the nice value of the daemon. This value goes from -20
# (most favorable scheduling) to 19 (least favorable). Using a
# negative value reduces the chances to lose state-change events.
# Default is 0. See man nice(1) for more information.
#
Nice -1
#
# Select a different scheduler for the daemon, you can select between
# RR and FIFO and the process priority (minimum is 0, maximum is 99).
# See man sched_setscheduler(2) for more information. Using a RT
# scheduler reduces the chances to overrun the Netlink buffer.
#
# Scheduler {
# Type FIFO
# Priority 99
# }
#
# Number of buckets in the caches: hash table
#
HashSize 8192
#
# Maximum number of conntracks:
# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
#
HashLimit 65535
#
# Logfile: on (/var/log/conntrackd.log), off, or a filename
# Default: off
#
#LogFile on
#
# Syslog: on, off or a facility name (daemon (default) or local0..7)
# Default: off
#
#Syslog on
#
# Lockfile
#
LockFile /var/lock/conntrack.lock
#
# Unix socket configuration
#
UNIX {
Path /var/run/conntrackd.ctl
Backlog 20
}
#
# Netlink socket buffer size
#
NetlinkBufferSize 262142
#
# Increase the socket buffer up to maximun if required
#
NetlinkBufferSizeMaxGrowth 655355
#
# Event filtering: This clause allows you to filter certain traffic,
# There are currently three filter-sets: Protocol, Address and
# State. The filter is attached to an action that can be: Accept or
# Ignore. Thus, you can define the event filtering policy of the
# filter-sets in positive or negative logic depending on your needs.
#
Filter {
#
# Accept only certain protocols: You may want to log the
# state of flows depending on their layer 4 protocol.
#
Protocol Accept {
TCP
# UDP
}
#
# Ignore traffic for a certain set of IP's.
#
Address Ignore {
IPv4_address 127.0.0.1 # loopback
# IPv6_address ::1
}
#
# Uncomment this line below if you want to filter by flow state.
# The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
#
# State Accept {
# ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
# }
}
}
Stats {
#
# If you enable this option, the daemon writes the information about
# destroyed connections to a logfile. Default is off.
# Logfile: on, off, or a filename
# Default file: (/var/log/conntrackd-stats.log)
#
LogFile on
# If you want reliable event reporting over Netlink, set on this
# option. If you set on this clause, it is a good idea to set off
# NetlinkOverrunResync. This option is off by default and you need
# a Linux kernel >= 2.6.31.
#
# NetlinkEventsReliable Off
#
# By default, the daemon receives state updates following an
# event-driven model. You can modify this behaviour by switching to
# polling mode with the PollSecs clause. This clause tells conntrackd
# to dump the states in the kernel every N seconds. With regards to
# synchronization mode, the polling mode can only guarantee that
# long-lifetime states are recovered. The main advantage of this method
# is the reduction in the state replication at the cost of reducing the
# chances of recovering connections.
#
# PollSecs 15
#
# Enable connection logging via Syslog. Default is off.
# Syslog: on, off or a facility name (daemon (default) or local0..7)
# If you set the facility, use the same as in the General clause,
# otherwise you'll get a warning message.
#
#Syslog on
}
|