[conntrack-tools] conntrackd: document internal cache disabling and TCP-based synchronization

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Wed Dec 23 20:42:26 CET 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=f49cfb7598c0433d3cb3dc3d829b510a205313f4
commit f49cfb7598c0433d3cb3dc3d829b510a205313f4
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Dec 23 20:31:10 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Dec 23 20:31:10 2009 +0100

    conntrackd: document internal cache disabling and TCP-based synchronization
    
    This patch documents the internal cache disabling feature that
    is available for the NOTRACK mode. I have also added an example
    on how to set up a TCP-based state-synchronization.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  f49cfb7598c0433d3cb3dc3d829b510a205313f4 (commit)
      from  ba8f0e07adc2e124fdb34a8a8f86fcce42a939d8 (commit)

 doc/sync/notrack/README          |    3 +-
 doc/sync/notrack/conntrackd.conf |   62 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 61 insertions(+), 4 deletions(-)

diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README
index 99b2f33..b064e21 100644
--- a/doc/sync/notrack/README
+++ b/doc/sync/notrack/README
@@ -1,2 +1,3 @@
 This directory contains the files for the NOTRACK replication protocol. This
-protocol provides best effort delivery. Therefore, it is unreliable.
+protocol provides best effort delivery. Therefore, it is unreliable unless
+that you select TCP-based state-synchronization.
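Review bot: the added sentence reads "unreliable unless that you select TCP-based state-synchronization"; drop "that" so it reads "unreliable unless you select TCP-based state-synchronization". Since this README is where a reader deciding between UDP and TCP delivery will look first, a short pointer to the TCP clause in conntrackd.conf in this directory would also help.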
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 5b9ebbb..f8bccc4 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -25,7 +25,14 @@ Sync {
 		# trigger several consecutive hand-overs. Default is 60 seconds.
 		#
 		# PurgeTimeout 60
-	
+
+		#
+		# This clause allows you to disable the internal cache. Thus,
+		# the synchronization messages are directly send through
+		# the dedicated link. This option is set of off by default.
+		#
+		# DisableInternalCache Off
+
 		#	
 		# This clause allows you to disable the external cache. Thus,
 		# the state entries are directly injected into the kernel
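Review bot: two typos in the new comment block: "the synchronization messages are directly send through" should be "directly sent through", and "This option is set of off by default" should be "This option is set to off by default". The comment also says only that the cache can be disabled, not what the reader gives up by doing so or whether the clause is meant to be combined with the TCP transport documented further down in this same patch; one sentence on each would let someone enabling it in the NOTRACK example understand the trade-off.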
@@ -136,8 +143,7 @@ Sync {
 	#
 	# You can use Unicast UDP instead of Multicast to propagate events.
 	# Note that you cannot use unicast UDP and Multicast at the same
-	# time, you can only select one. You can also select TCP in notrack
-	# mode.
+	# time, you can only select one.
 	# 
 	# UDP {
 		# 
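Review bot: the removed sentence "You can also select TCP in notrack mode." was the only pointer from the UDP clause to the TCP alternative; now that TCP gets its own block later in the file, keep a one-line cross-reference here (for example "see the TCP clause below") so readers scanning the UDP options still learn that TCP is available.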
@@ -186,6 +192,56 @@ Sync {
 		# Checksum on
 	# }
 
+	#
+	# You can also use Unicast TCP to propagate events. Thus, the NOTRACK
+	# mode becomes reliable.
+	# 
+	# TCP {
+		# 
+		# TCP address that this firewall uses to listen to events.
+		#
+		# IPv4_address 192.168.2.100
+		#
+		# or you may want to use an IPv6 address:
+		#
+		# IPv6_address fe80::215:58ff:fe28:5a27
+
+		#
+		# Destination TCP address that receives events, ie. the other
+		# firewall's dedicated link address.
+		#
+		# IPv4_Destination_Address 192.168.2.101
+		#
+		# or you may want to use an IPv6 address:
+		#
+		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
+
+		#
+		# TCP port used
+		#
+		# Port 3780
+
+		#
+		# The name of the interface that you are going to use to
+		# send the synchronization messages.
+		#
+		# Interface eth2
+
+		# 
+		# The sender socket buffer size
+		#
+		# SndSocketBuffer 1249280
+
+		#
+		# The receiver socket buffer size
+		#
+		# RcvSocketBuffer 1249280
+
+		# 
+		# Enable/Disable message checksumming. 
+		#
+		# Checksum on
+	# }
 }
 
 #
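Review bot: "ie. the other firewall's dedicated link address" should be "i.e. the other firewall's dedicated link address", and several of the added comment lines ("# ", "Enable/Disable message checksumming. ") carry trailing whitespace that should be stripped before this is committed. On substance, the introduction says "Thus, the NOTRACK mode becomes reliable", but the block does not say what happens to events generated while the TCP connection to the peer is not yet established or has dropped, nor whether "Checksum on" adds anything beyond the integrity check TCP already provides at the transport layer; a sentence on each would keep the word "reliable" from being read as a stronger guarantee than the configuration gives.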
