
CONNTRACKD(8) CONNTRACKD(8)

NAME

conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS

conntrackd [options]

DESCRIPTION

conntrackd is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states between several replica firewalls. Thus, conntrackd can be used to deploy highly available stateful firewalls. The daemon supports Primary-Backup and Multiprimary setups. The daemon can also be used as a statistics collector.

OPTIONS

The options recognized by conntrackd can be divided into several different groups.

MODES

These options specify the particular operation mode in which conntrackd runs. Only one of them can be specified at any given time.

-d
Run conntrackd in daemon mode.

CLIENT COMMANDS

conntrackd can be used in client mode to request information and operations from a running daemon.

-i
Dump the internal cache, i.e. show local states.
-e
Dump the external cache, i.e. show foreign states.
-x
Display output in XML format. This option is only valid in combination with the "-i" and "-e" parameters.
-f [|internal|external]
Flush the internal and/or external cache.
-F
Flush the kernel conntrack table (if you use a Linux kernel >= 2.6.29, this option will not flush your internal and external cache).
-c
Commit the external cache to the kernel conntrack table.
-B
Force a bulk send to the other replica firewalls. With this command, you ask conntrackd to send the state entries that it owns to the other nodes.
-n
Request a resync with the other node (only FT-FW and NOTRACK modes).
-k
Kill the daemon.
-s [|network|cache|runtime|process|queue|ct|expect]
Dump statistics. If no parameter is passed, it displays the general statistics. If "network" is passed as parameter, it displays the networking statistics. If "cache" is passed as parameter, it shows the extended cache statistics. If "runtime" is passed as parameter, it shows the run-time statistics. If "process" is passed as parameter, it shows existing child processes (if any). If "queue" is passed as parameter, it shows queue statistics. If "ct" is passed, it displays the general statistics. If "expect" is passed as parameter, it shows expectation statistics.
-R
Force a resync against the kernel connection tracking table.
-t
Reset the in-kernel timers (see the PurgeTimeout clause).
-v
Display version information.
-h
Display help information.
-C config-file
Configuration file path. See conntrackd.conf(5) for details.

DIAGNOSTICS

The exit code is 0 for correct function. Errors cause an exit code of 1.

EXAMPLES

The following examples are illustrative; for real use in a firewall fail-over, check the primary-backup.sh script that comes with the sources.

conntrackd -d
Runs conntrackd in daemon and synchronization mode.
conntrackd -i
Dumps the states held in the internal cache, i.e. those handled by this firewall.
conntrackd -e
Dumps the states held in the external cache, i.e. those handled by the other replica firewalls.
conntrackd -c
Commits the external cache into the kernel connection tracking system. This is used to inject the states so that the connections can be recovered during the fail-over.
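The client commands above are normally driven from a fail-over hook that the cluster manager runs when this node changes role. The script below is an added example written for this page; it is not the primary-backup.sh shipped with conntrack-tools, and it assumes that conntrackd is in PATH, that the configuration lives at /etc/conntrackd/conntrackd.conf (an assumed default; override with CONNTRACKD_CONFIG), and that the cluster manager passes the new role (primary, backup or fault) as the first argument. Every command it issues is one of the documented client commands, each given with -C so the client talks to the daemon described by the same configuration file.

```shell
#!/bin/sh
# Added example for the conntrackd(8) man page (not the project's own
# primary-backup.sh). Maps a role transition of this firewall to the
# conntrackd client commands that keep the conntrack state usable across
# a fail-over.
#
# Assumptions (not stated on the man page): the default config path below,
# and that the caller passes one of primary|backup|fault as $1.
CONNTRACKD="${CONNTRACKD:-conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"

# Run one client command against the daemon selected by the config file.
ctd() {
    "$CONNTRACKD" -C "$CONNTRACKD_CONFIG" "$@"
}

# failover_transition ROLE
# Returns 0 when every command in the sequence succeeded, the exit status
# of the first failing conntrackd command otherwise, and 2 for an unknown
# role. A failure stops the sequence so the later steps do not run on a
# half-applied state.
failover_transition() {
    case "$1" in
    primary)
        # 1. -c: commit the states learned from the other replica (external
        #       cache) into this kernel, so established flows survive.
        # 2. -f: flush both caches; the committed copies are now in the kernel
        #       and the old internal view is stale.
        # 3. -R: resync the internal cache from the kernel table, which is now
        #       the authoritative picture of the traffic this node owns.
        # 4. -B: bulk-send that internal cache to the other nodes so they hold
        #       a fresh external copy in case we fail again.
        ctd -c && ctd -f && ctd -R && ctd -B
        ;;
    backup)
        # -t: reset the in-kernel timers (PurgeTimeout) so states left behind
        #     by the previous role expire instead of lingering.
        # -n: ask the new primary for a full resync (FT-FW / NOTRACK modes).
        ctd -t && ctd -n
        ;;
    fault)
        # Same timer reset as backup, but no resync: there may be no peer.
        ctd -t
        ;;
    *)
        echo "usage: $0 primary|backup|fault" >&2
        return 2
        ;;
    esac
}

# Dispatch only when invoked with a role, so the functions above can also be
# sourced from another script.
[ "$#" -eq 0 ] || failover_transition "$1"
```

A dry run is possible without a running daemon by pointing CONNTRACKD at a shell function or at a logging wrapper that prints its arguments; the sequence of flags it reports is exactly what would be sent to the daemon.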

DEPENDENCIES

This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22; otherwise you have to disable it. Helpers are fully supported since >= 2.6.25; with any earlier version, depending on the protocol helper and your setup (e.g. whether your setup performs NAT sequence adjustments or not), your helper-assisted connections may still be successfully recovered.

INCOMPATIBILITIES

During the 0.9.9 development, some important changes in the replication message format were introduced. Therefore, conntrackd >= 0.9.9 will not work appropriately with conntrackd <= 0.9.8. This should not be a problem if you use the same conntrackd version in all the firewall replica nodes.

SEE ALSO

conntrack(8), iptables(8), conntrackd.conf(5)
See http://conntrack-tools.netfilter.org

BUGS

Please report them to netfilter-devel@vger.kernel.org or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).

AUTHORS

Pablo Neira Ayuso wrote and maintains the conntrackd tool.

Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

November 19, 2015