1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
#
# Synchronizer settings
#
Sync {
Mode PERSISTENT {
#
# If a conntrack entry is not modified in <= 15 seconds, then
# a message is broadcasted. This mechanism is used to
# resynchronize nodes that just joined the multicast group
#
RefreshTime 15
#
# If we don't receive a notification about the state of
# an entry in the external cache after N seconds, then
# remove it.
#
CacheTimeout 180
#
# Entries committed to the connection tracking table
# starts with a limited timeout of N seconds until the
# takeover process is completed.
#
CommitTimeout 180
}
#
# Multicast IP and interface where messages are
# broadcasted (dedicated link). IMPORTANT: Make sure
# that iptables accepts traffic for destination
# 225.0.0.50, eg:
#
# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
#
Multicast {
IPv4_address 225.0.0.50
IPv4_interface 192.168.100.100 # IP of dedicated link
Interface eth2
Group 3780
}
# Enable/Disable message checksumming
Checksum on
# Uncomment this if you want to replicate just certain TCP states.
# This option introduces a tradeoff in the replication: it reduces
# CPU consumption and lost messages rate at the cost of having
# backup replicas that don't contain the current state that the active
# replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
# FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN.
#
# Replicate ESTABLISHED TIME_WAIT for TCP
}
#
# General settings
#
General {
#
# Number of buckets in the caches: hash table
#
HashSize 8192
#
# Maximum number of conntracks:
# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
#
HashLimit 65535
#
# Logfile: on, off, or a filename
# Default: on (/var/log/conntrackd.log)
#
#LogFile off
#
# Syslog: on, off or a facility name (daemon (default) or local0..7)
# Default: off
#
#Syslog on
#
# Lockfile
#
LockFile /var/lock/conntrack.lock
#
# Unix socket configuration
#
UNIX {
Path /tmp/sync.sock
Backlog 20
}
#
# Netlink socket buffer size
#
SocketBufferSize 262142
#
# Increase the socket buffer up to maximum if required
#
SocketBufferSizeMaxGrown 655355
}
#
# Ignore traffic for a certain set of IP's: Usually
# all the IP assigned to the firewall since local
# traffic must be ignored, just forwarded connections
# are worth to replicate
#
IgnoreTrafficFor {
IPv4_address 127.0.0.1 # loopback
IPv4_address 192.168.0.1
IPv4_address 192.168.1.1
IPv4_address 192.168.100.100 # dedicated link ip
IPv4_address 192.168.0.100 # virtual IP 1
IPv4_address 192.168.1.100 # virtual IP 2
}
#
# Do not replicate certain protocol traffic
#
IgnoreProtocol {
UDP
ICMP
IGMP
VRRP
# numeric numbers also valid
}
|