[conntrack-tools] conntrackd: document internal cache disabling and TCP-based synchronization
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Wed Dec 23 20:42:26 CET 2009
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=f49cfb7598c0433d3cb3dc3d829b510a205313f4
commit f49cfb7598c0433d3cb3dc3d829b510a205313f4
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Dec 23 20:31:10 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Dec 23 20:31:10 2009 +0100
conntrackd: document internal cache disabling and TCP-based synchronization
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via f49cfb7598c0433d3cb3dc3d829b510a205313f4 (commit)
from ba8f0e07adc2e124fdb34a8a8f86fcce42a939d8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f49cfb7598c0433d3cb3dc3d829b510a205313f4
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Wed Dec 23 20:31:10 2009 +0100
conntrackd: document internal cache disabling and TCP-based synchronization
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
doc/sync/notrack/README | 3 +-
doc/sync/notrack/conntrackd.conf | 62 ++++++++++++++++++++++++++++++++++++--
2 files changed, 61 insertions(+), 4 deletions(-)
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README
index 99b2f33..b064e21 100644
--- a/doc/sync/notrack/README
+++ b/doc/sync/notrack/README
@@ -1,2 +1,3 @@
This directory contains the files for the NOTRACK replication protocol. This
-protocol provides best effort delivery. Therefore, it is unreliable.
+protocol provides best effort delivery. Therefore, it is unreliable unless
+that you select TCP-based state-synchronization.
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 5b9ebbb..f8bccc4 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -25,7 +25,14 @@ Sync {
# trigger several consecutive hand-overs. Default is 60 seconds.
#
# PurgeTimeout 60
-
+
+ #
+ # This clause allows you to disable the internal cache. Thus,
+ # the synchronization messages are directly send through
+ # the dedicated link. This option is set of off by default.
+ #
+ # DisableInternalCache Off
+
#
# This clause allows you to disable the external cache. Thus,
# the state entries are directly injected into the kernel
@@ -136,8 +143,7 @@ Sync {
#
# You can use Unicast UDP instead of Multicast to propagate events.
# Note that you cannot use unicast UDP and Multicast at the same
- # time, you can only select one. You can also select TCP in notrack
- # mode.
+ # time, you can only select one.
#
# UDP {
#
@@ -186,6 +192,56 @@ Sync {
# Checksum on
# }
+ #
+ # You can also use Unicast TCP to propagate events. Thus, the NOTRACK
+ # mode becomes reliable.
+ #
+ # TCP {
+ #
+ # TCP address that this firewall uses to listen to events.
+ #
+ # IPv4_address 192.168.2.100
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_address fe80::215:58ff:fe28:5a27
+
+ #
+ # Destination TCP address that receives events, ie. the other
+ # firewall's dedicated link address.
+ #
+ # IPv4_Destination_Address 192.168.2.101
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
+
+ #
+ # TCP port used
+ #
+ # Port 3780
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ # Interface eth2
+
+ #
+ # The sender socket buffer size
+ #
+ # SndSocketBuffer 1249280
+
+ #
+ # The receiver socket buffer size
+ #
+ # RcvSocketBuffer 1249280
+
+ #
+ # Enable/Disable message checksumming.
+ #
+ # Checksum on
+ # }
}
#
More information about the netfilter-cvslog
mailing list