up to 1.4.8

[packages/conntrack-tools.git] / conntrack-tools.conf

#
# General settings
#
General {
        #
        # Set the nice value of the daemon. This value goes from -20
        # (most favorable scheduling) to 19 (least favorable). Using a
        # negative value reduces the chances to lose state-change events.
        # Default is 0. See man nice(1) for more information.
        #
        #Nice -1

        #
        # Select a different scheduler for the daemon, you can select between
        # RR and FIFO and the process priority (minimum is 0, maximum is 99).
        # See man sched_setscheduler(2) for more information. Using a RT
        # scheduler reduces the chances to overrun the Netlink buffer.
        #
        # Scheduler {
        #       Type FIFO
        #       Priority 99
        # }

        #
        # Number of buckets in the caches: hash table
        #
        HashSize 8192

        #
        # Maximum number of conntracks:
        # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
        #
        HashLimit 65535

        #
        # Logfile: on (/var/log/conntrackd.log), off, or a filename
        # Default: off
        #
        LogFile /var/log/conntrackd.log

        #
        # Syslog: on, off or a facility name (daemon (default) or local0..7)
        # Default: off
        #
        #Syslog on

        #
        # Lockfile
        #
        LockFile /var/lock/conntrack.lock

        #
        # Unix socket configuration
        #
        UNIX {
                Path /tmp/sync.sock
                Backlog 20
        }

        #
        # Netlink socket buffer size
        #
        NetlinkBufferSize 262142

        #
        # Increase the socket buffer up to maximun if required
        #
        NetlinkBufferSizeMaxGrowth 655355

        #
        # By default, the daemon receives state updates following an
        # event-driven model. You can modify this behaviour by switching to
        # polling mode with the PollSecs clause. This clause tells conntrackd
        # to dump the states in the kernel every N seconds. With regards to
        # synchronization mode, the polling mode can only guarantee that
        # long-lifetime states are recovered. The main advantage of this method
        # is the reduction in the state replication at the cost of reducing the
        # chances of recovering connections.
        #
        # PollSecs 15

        #
        # Event filtering: This clause allows you to filter certain traffic,
        # There are currently three filter-sets: Protocol, Address and
        # State. The filter is attached to an action that can be: Accept or
        # Ignore. Thus, you can define the event filtering policy of the
        # filter-sets in positive or negative logic depending on your needs.
        #
        Filter {
                #
                # Accept only certain protocols: You may want to log the
                # state of flows depending on their layer 4 protocol.
                #
                Protocol Accept {
                        TCP
                        # UDP
                        # ICMP
                        # IGMP
                        # VRRP
                }

                #
                # Ignore traffic for a certain set of IP's.
                #
                Address Ignore {
                        IPv4_address 127.0.0.1 # loopback
                        # IPv6_address ::1
                }

                #
                # Uncomment this line below if you want to filter by flow state.
                # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
                # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
                #
                # State Accept {
                #       ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
                # }
        }
}