#
# Synchronizer settings
#
Sync {
Mode NACK {
#
# Size of the buffer that holds destroy messages for
# possible resends (in bytes)
#
ResendBufferSize 262144
#
# Entries committed to the connection tracking table
# start with a limited timeout of N seconds until the
# takeover process is completed.
#
CommitTimeout 180
# Set Acknowledgement window size
ACKWindowSize 20
}
#
# Multicast IP and interface where messages are
# broadcast (dedicated link). IMPORTANT: Make sure
# that iptables accepts traffic for destination
# 225.0.0.50, eg:
#
# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
#
# NOTE(review): the example rules above accept sync traffic arriving on
# any interface, and this file configures a checksum only (integrity
# against corruption), not authentication or encryption of the state
# messages. The dedicated link (eth2) must therefore not be reachable
# from untrusted hosts; consider narrowing the INPUT rule with "-i eth2"
# and a source-address match — confirm against the host firewall policy.
#
Multicast {
IPv4_address 225.0.0.50
IPv4_interface 192.168.100.100 # IP of dedicated link
Interface eth2
Group 3780
}
# Enable/Disable message checksumming (detects corruption; it is not an
# authentication mechanism)
Checksum on
# Uncomment this if you want to replicate just certain TCP states.
# This option introduces a tradeoff in the replication: it reduces
# CPU consumption and lost messages rate at the cost of having
# backup replicas that don't contain the current state that the active
# replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN.
#
# Replicate ESTABLISHED TIME_WAIT for TCP
# If you have a multiprimary setup (active-active) without connection
# persistency, i.e. you can't know which firewall handles a packet
# that is part of a connection, then you need direct commit of
# conntrack entries to the kernel conntrack table. OSPF setups must
# turn this option on. Default is Off.
#
# CacheWriteThrough On
}
#
# General settings
#
General {
#
# Number of buckets in the caches: hash table
#
HashSize 8192
#
# Maximum number of conntracks:
# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# (NOTE(review): on newer kernels the equivalent sysctl is
# net.netfilter.nf_conntrack_max — confirm the name for your kernel)
#
HashLimit 65535
#
# Logfile: on, off, or a filename
# Default: on (/var/log/conntrackd.log)
#
#LogFile off
#
# Syslog: on, off or a facility name (daemon (default) or local0..7)
# Default: off
#
#Syslog on
#
# Lockfile
#
LockFile /var/lock/conntrack.lock
#
# Unix socket configuration
#
# NOTE(review): the control socket is placed under /tmp, a world-writable
# directory shared with unprivileged users. Prefer a root-owned runtime
# directory (e.g. under /var/run) so that only the daemon and its
# administrators can create or replace the socket path — confirm the
# permissions the daemon applies to the socket on this host.
#
UNIX {
Path /tmp/sync.sock
Backlog 20
}
#
# Netlink socket buffer size
#
SocketBufferSize 262142
#
# Increase the socket buffer up to maximum if required
#
SocketBufferSizeMaxGrown 655355
}
#
# Ignore traffic for a certain set of IPs: usually
# all the IPs assigned to the firewall, since local
# traffic must be ignored; only forwarded connections
# are worth replicating
#
IgnoreTrafficFor {
# NOTE(review): keep this list aligned with every address the firewall
# owns, including the virtual IPs that move on failover; an address
# missing here means the firewall's own local flows are replicated too.
IPv4_address 127.0.0.1 # loopback
IPv4_address 192.168.0.1
IPv4_address 192.168.1.1
IPv4_address 192.168.100.100 # dedicated link ip
IPv4_address 192.168.0.100 # virtual IP 1
IPv4_address 192.168.1.100 # virtual IP 2
}
#
# Do not replicate certain protocol traffic
#
IgnoreProtocol {
# Protocols listed here are never replicated to the backup; the
# multicast sync traffic itself is carried over these, so excluding
# them also keeps the sync channel from tracking its own state.
UDP
ICMP
IGMP
VRRP
# numeric protocol numbers are also valid
}