CONNTRACKD(8) | CONNTRACKD(8) |
conntrackd - netfilter connection tracking user-space daemon
conntrackd [options]
conntrackd is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states between several replica firewalls. Thus, conntrackd can be used to deploy highly available stateful firewalls.
The daemon supports Primary-Backup and Multiprimary setups and can also be used as statistics collector.
The options recognized by conntrackd can be divided into two different groups.
General options for the conntrackd daemon.
conntrackd can be used in client mode to request several information and operations to a running instance of the daemon.
The exit code is 0 for correct function. Errors cause an exit code of 1.
The following example are illustrative, for a real use in a firewall fail-over, check the primary-backup.sh script that comes with the sources.
This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22, otherwise you have to disable it. Helpers are fully supported since >= 2.6.25, however, if you use any previous version, depending on the protocol helper and your setup (e.g. if you setup performs NAT sequence adjustments or not), your help connection may be successfully recovered.
There are several unsupported stateful iptables matches such as recent, connbytes and the quota matches which gather internal information to operate. Since that information does not belong to the domain of the connection tracking system, connections affected by those matches may not be fully recovered during the takeover.
The daemon requires a Linux kernel version >= 2.6.26 to support kernel-space event filtering. Otherwise, all the event filtering is done in userspace with the corresponding extra overhead. If you are not using the Filter clause in the configuration file, ignore this notice.
Starting with the 1.4.4 release, conntrackd includes integration with systemd(1) to use an unit file of Type=notify and watchdog support.
During the 0.9.9 development, some important changes in the replication message format were introduced. Therefore, conntrackd >= 0.9.9 will not work appropriately with conntrackd <= 0.9.8.
This should not be a problem if you use the same conntrackd version in all the firewall replica nodes.
conntrackd.conf(5) conntrack(8) iptables(8)
nft(8)
http://conntrack-tools.netfilter.org
Please, report them to netfilter-devel@vger.kernel.org (subscription required) or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).
Pablo Neira Ayuso wrote and maintains the conntrackd tool
Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.
April 16, 2018 |