path: root/doc/sync/alarm/node2/conntrackd.conf
blob: fb1213033da267c33bbf8ddd94663918f672b4bb (plain)
#
# Synchronizer settings
#
Sync {
	Mode ALARM {
		#
		# If a conntrack entry is not modified in <= 15 seconds, then
		# a message is broadcast. This mechanism is used to
		# resynchronize nodes that just joined the multicast group.
		#
		RefreshTime 15
	
		#
		# If we don't receive a notification about the state of
		# an entry in the external cache after N seconds, then
		# remove it.
		#
		CacheTimeout 180

		#
		# Entries committed to the connection tracking table
		# start with a limited timeout of N seconds until the
		# takeover process is completed.
		#
		CommitTimeout 180
	}

	#
	# Multicast IP and interface where messages are
	# broadcast (dedicated link). IMPORTANT: Make sure
	# that iptables accepts traffic for destination
	# 225.0.0.50, eg:
	#
	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
	#
	# NOTE(review): nothing in this configuration authenticates the
	# sender of sync messages (Checksum below only detects corruption),
	# so any host that can reach this group on the dedicated link can
	# influence the replicated state. Keep that link isolated from
	# untrusted networks and consider binding the INPUT rule above to
	# the sync interface ("-i eth2") instead of accepting from any
	# interface.
	#
	Multicast {
		IPv4_address 225.0.0.50
		IPv4_interface 192.168.100.200 # IP of dedicated link
		Interface eth2
		Group 3780
	}

	# Enable/Disable message checksumming.
	# This is an integrity check against corruption, not a
	# protection against a deliberately forged message.
	Checksum on

	# Uncomment this if you want to replicate just certain TCP states.
	# This option introduces a tradeoff in the replication: it reduces
	# CPU consumption and lost messages rate at the cost of having
	# backup replicas that don't contain the current state that the active
	# replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
	# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN.
	#
	# Replicate ESTABLISHED TIME_WAIT for TCP

	# If you have a multiprimary setup (active-active) without connection
	# persistency, ie. you can't know which firewall handles a packet
	# that is part of a connection, then you need direct commit of
	# conntrack entries to the kernel conntrack table. OSPF setups must
	# enable this option. Default is Off.
	#
	# CacheWriteThrough On
}

#
# General settings
#
General {
	#
	# Number of buckets in the caches: hash table
	#
	HashSize 8192

	#
	# Maximum number of conntracks:
	# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
	#
	HashLimit 65535

	#
	# Logfile: on, off, or a filename
	# Default: on (/var/log/conntrackd.log)
	#
	#LogFile off

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration
	#
	# NOTE(review): /tmp is world-writable, so an unprivileged local
	# user can pre-create or symlink this path before the daemon starts;
	# how the daemon handles an existing path is not visible here, so
	# prefer a root-owned runtime directory (e.g. under /var/run) for a
	# production deployment. This socket is the control channel used
	# by the conntrackd client, so its directory permissions decide
	# who can talk to the daemon.
	#
	UNIX {
		Path /tmp/sync.sock
		Backlog 20
	}

	#
	# Netlink socket buffer size
	#
	SocketBufferSize 262142

	#
	# Increase the socket buffer up to maximum if required
	#
	SocketBufferSizeMaxGrown 655355
}

#
# Ignore traffic for a certain set of IPs: usually
# all the IPs assigned to the firewall, since local
# traffic must be ignored; only forwarded connections
# are worth replicating.
#
IgnoreTrafficFor {
	# NOTE(review): this list is static; if an address is added to or
	# removed from this node without updating it, local traffic may be
	# replicated (or forwarded traffic dropped from replication).
	# Keep it in sync with the interface and VIP configuration.
	IPv4_address 127.0.0.1 # loopback
	IPv4_address 192.168.0.2
	IPv4_address 192.168.1.2
	IPv4_address 192.168.100.200 # dedicated link ip
	IPv4_address 192.168.0.200 # virtual IP 1
	IPv4_address 192.168.1.200 # virtual IP 2
}

#
# Do not replicate certain protocol traffic 
#
IgnoreProtocol {
	# Stateless or housekeeping protocols whose flows are not worth
	# replicating to the backup node.
	UDP
	ICMP
	IGMP
	VRRP
	# numeric protocol numbers are also valid
}