# # General settings # General { # # Set the nice value of the daemon. This value goes from -20 # (most favorable scheduling) to 19 (least favorable). Using a # negative value reduces the chances to lose state-change events. # Default is 0. See man nice(1) for more information. # Nice -1 # # Select a different scheduler for the daemon, you can select between # RR and FIFO and the process priority (minimum is 0, maximum is 99). # See man sched_setscheduler(2) for more information. Using a RT # scheduler reduces the chances to overrun the Netlink buffer. # # Scheduler { # Type FIFO # Priority 99 # } # # Number of buckets in the caches: hash table # HashSize 8192 # # Maximum number of conntracks: # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max # HashLimit 65535 # # Logfile: on (/var/log/conntrackd.log), off, or a filename # Default: off # #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) # Default: off # #Syslog on # # Lockfile # LockFile /var/lock/conntrack.lock # # Unix socket configuration # UNIX { Path /var/run/conntrackd.ctl Backlog 20 } # # Netlink socket buffer size # NetlinkBufferSize 262142 # # Increase the socket buffer up to maximun if required # NetlinkBufferSizeMaxGrowth 655355 # # By default, the daemon receives state updates following an # event-driven model. You can modify this behaviour by switching to # polling mode with the PollSecs clause. This clause tells conntrackd # to dump the states in the kernel every N seconds. With regards to # synchronization mode, the polling mode can only guarantee that # long-lifetime states are recovered. The main advantage of this method # is the reduction in the state replication at the cost of reducing the # chances of recovering connections. # # PollSecs 15 # # Event filtering: This clause allows you to filter certain traffic, # There are currently three filter-sets: Protocol, Address and # State. The filter is attached to an action that can be: Accept or # Ignore. Thus, you can define the event filtering policy of the # filter-sets in positive or negative logic depending on your needs. # Filter { # # Accept only certain protocols: You may want to log the # state of flows depending on their layer 4 protocol. # Protocol Accept { TCP # UDP } # # Ignore traffic for a certain set of IP's. # Address Ignore { IPv4_address 127.0.0.1 # loopback # IPv6_address ::1 } # # Uncomment this line below if you want to filter by flow state. # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED, # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN. # # State Accept { # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP # } } } Stats { # # If you enable this option, the daemon writes the information about # destroyed connections to a logfile. Default is off. # Logfile: on, off, or a filename # Default file: (/var/log/conntrackd-stats.log) # LogFile on # If you want reliable event reporting over Netlink, set on this # option. If you set on this clause, it is a good idea to set off # NetlinkOverrunResync. This option is off by default and you need # a Linux kernel >= 2.6.31. # # NetlinkEventsReliable Off # # Enable connection logging via Syslog. Default is off. # Syslog: on, off or a facility name (daemon (default) or local0..7) # If you set the facility, use the same as in the General clause, # otherwise you'll get a warning message. # #Syslog on }