#
# Synchronizer settings
#
Sync {
Mode ALARM {
#
# If a conntrack entry is not modified in <= 15 seconds, then
# a message is broadcast. This mechanism is used to
# resynchronize nodes that have just joined the multicast group
#
RefreshTime 15
#
# If we don't receive a notification about the state of
# an entry in the external cache after N seconds, then
# remove it.
#
CacheTimeout 180
#
# Entries committed to the connection tracking table
# start with a limited timeout of N seconds until the
# takeover process is completed.
#
CommitTimeout 180
}
#
# Multicast IP and interface where messages are
# broadcast (dedicated link). IMPORTANT: Make sure
# that iptables accepts traffic for destination
# 225.0.0.50. Note that the example rules below do not
# restrict by source or interface, so this traffic is expected
# to stay on the dedicated link only, eg:
#
# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
#
Multicast {
IPv4_address 225.0.0.50
IPv4_interface 192.168.100.100 # IP of dedicated link
Interface eth2
Group 3780
# The multicast sender uses a buffer to enqueue the packets
# that are going to be transmitted. The default size of this
# socket buffer is available at /proc/sys/net/core/wmem_default.
# This value determines the chances of an overrun in the
# sender queue. An overrun results in packet loss and thus loses
# state information that would have to be retransmitted. If you
# notice some packet loss, you may want to increase the size
# of the sender buffer.
#
# McastSndSocketBuffer 1249280
# The multicast receiver uses a buffer to enqueue the packets
# that the socket is pending to handle. The default size of this
# socket buffer is available at /proc/sys/net/core/rmem_default.
# This value determines the chances of an overrun in the
# receiver queue. An overrun results in packet loss and thus loses
# state information that would have to be retransmitted. If you
# notice some packet loss, you may want to increase the size of
# the receiver buffer.
#
# McastRcvSocketBuffer 1249280
}
# Enable/Disable message checksumming
Checksum on
# Uncomment this if you want to replicate only certain TCP states.
# This option introduces a tradeoff in the replication: it reduces
# CPU consumption and the lost-message rate at the cost of having
# backup replicas that do not contain the current state that the active
# replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN.
#
# Replicate ESTABLISHED TIME_WAIT for TCP
# If you have a multiprimary setup (active-active) without connection
# persistence, i.e. you cannot know which firewall handles a packet
# that is part of a connection, then you need direct commit of
# conntrack entries to the kernel conntrack table. OSPF setups must
# turn this option on. Default is Off.
#
# CacheWriteThrough On
}
#
# General settings
#
General {
#
# Number of buckets in the caches' hash table
#
HashSize 8192
#
# Maximum number of conntracks:
# it must be >= the value in /proc/sys/net/ipv4/netfilter/ip_conntrack_max
#
HashLimit 65535
#
# Logfile: on, off, or a filename
# Default: on (/var/log/conntrackd.log)
#
#LogFile off
#
# Syslog: on, off or a facility name (daemon (default) or local0..7)
# Default: off
#
#Syslog on
#
# Lockfile
#
LockFile /var/lock/conntrack.lock
#
# Unix socket configuration. The control socket is created at the
# Path below; a shared, world-writable directory such as /tmp lets
# other local users interfere with that path, so prefer a directory
# writable only by the daemon's user.
#
UNIX {
Path /tmp/sync.sock
Backlog 20
}
#
# Netlink socket buffer size
#
SocketBufferSize 262142
#
# Increase the socket buffer up to maximum if required
#
SocketBufferSizeMaxGrown 655355
}
#
# Ignore traffic for a certain set of IPs: usually
# all the IPs assigned to the firewall, since local
# traffic must be ignored; only forwarded connections
# are worth replicating
#
IgnoreTrafficFor {
IPv4_address 127.0.0.1 # loopback
IPv4_address 192.168.0.1
IPv4_address 192.168.1.1
IPv4_address 192.168.100.100 # dedicated link ip
IPv4_address 192.168.0.100 # virtual IP 1
IPv4_address 192.168.1.100 # virtual IP 2
}
#
# Do not replicate certain protocol traffic
#
IgnoreProtocol {
UDP
ICMP
IGMP
VRRP
# numeric protocol numbers are also valid
}