# General settings
#
General {
+ #
+ # Set the nice value of the daemon. This value goes from -20
+ # (most favorable scheduling) to 19 (least favorable). Using a
+ # negative value reduces the chances to lose state-change events.
+ # Default is 0. See man nice(1) for more information.
+ #
+ #Nice -1
+
+ #
+ # Select a different scheduler for the daemon, you can select between
+ # RR and FIFO and the process priority (minimum is 0, maximum is 99).
+ # See man sched_setscheduler(2) for more information. Using a RT
+ # scheduler reduces the chances to overrun the Netlink buffer.
+ #
+ # Scheduler {
+ # Type FIFO
+ # Priority 99
+ # }
+
#
# Number of buckets in the caches: hash table
#
HashSize 8192
#
- # Maximum number of conntracks:
+ # Maximum number of conntracks:
# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
#
HashLimit 65535
#
- # Logfile
+ # Logfile: on (/var/log/conntrackd.log), off, or a filename
+ # Default: off
#
LogFile /var/log/conntrackd.log
+ #
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ #Syslog on
+
#
# Lockfile
- #
+ #
LockFile /var/lock/conntrack.lock
#
#
# Netlink socket buffer size
#
- SocketBufferSize 262142
+ NetlinkBufferSize 262142
#
# Increase the socket buffer up to maximun if required
#
- SocketBufferSizeMaxGrown 655355
-}
+ NetlinkBufferSizeMaxGrowth 655355
-#
-# Ignore traffic for a certain set of IP's: Usually
-# all the IP assigned to the firewall since local
-# traffic must be ignored, just forwarded connections
-# are worth to replicate
-#
-IgnoreTrafficFor {
- IPv4_address 127.0.0.1 # loopback
-}
+ #
+ # By default, the daemon receives state updates following an
+ # event-driven model. You can modify this behaviour by switching to
+ # polling mode with the PollSecs clause. This clause tells conntrackd
+ # to dump the states in the kernel every N seconds. With regards to
+ # synchronization mode, the polling mode can only guarantee that
+ # long-lifetime states are recovered. The main advantage of this method
+ # is the reduction in the state replication at the cost of reducing the
+ # chances of recovering connections.
+ #
+ # PollSecs 15
-#
-# Do not replicate certain protocol traffic
-#
-IgnoreProtocol {
- UDP
-# ICMP
-# IGMP
-# VRRP
- # numeric numbers also valid
-}
+ #
+ # Event filtering: This clause allows you to filter certain traffic,
+ # There are currently three filter-sets: Protocol, Address and
+ # State. The filter is attached to an action that can be: Accept or
+ # Ignore. Thus, you can define the event filtering policy of the
+ # filter-sets in positive or negative logic depending on your needs.
+ #
+ Filter {
+ #
+ # Accept only certain protocols: You may want to log the
+ # state of flows depending on their layer 4 protocol.
+ #
+ Protocol Accept {
+ TCP
+ # UDP
+ # ICMP
+ # IGMP
+ # VRRP
+ }
-#
-# Strip NAT traffic
-#
-StripNAT
+ #
+ # Ignore traffic for a certain set of IP's.
+ #
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ # IPv6_address ::1
+ }
+
+ #
+ # Uncomment this line below if you want to filter by flow state.
+ # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
+ # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
+}
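Review bot: The new `Address Ignore` block near the end of the hunk keeps only the loopback entry but drops the old comment's guidance that every address assigned to the firewall itself should be listed, so an operator copying this file as-is will replicate state for locally originated flows — presumably including the daemon's own sync traffic on the dedicated link — instead of only forwarded connections. I would restore that guidance above the block: `# Ignore traffic for a certain set of IP's: usually all the IPs assigned to the firewall itself` / `# (loopback, the dedicated sync link, any local services), since only forwarded connections are worth replicating.` Separately, the `HashLimit` comment still tells the reader to compare against the legacy `/proc/sys/net/ipv4/netfilter/ip_conntrack_max`; on kernels using the nf_conntrack modules the relevant path is `/proc/sys/net/netfilter/nf_conntrack_max`, and if that value exceeds 65535 on the target system the configured `HashLimit 65535` is already below the stated requirement.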