authorPablo Neira Ayuso <pablo@netfilter.org>2009-08-19 16:59:38 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-08-19 16:59:38 +0200
commit3e6852f806c4368eda451b39f12b2ac2f2b5d33b (patch)
treec4783baf3dec6aa3460e33426414e1da28a62b69 /doc/sync/notrack
parent32ca6a144903b2e6318ee61d1dda3f670d3c09da (diff)
conntrackd: add `DisableExternalCache' clause
This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/sync/notrack')
-rw-r--r--doc/sync/notrack/conntrackd.conf13
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 6968025..9cdb2c7 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -170,6 +170,19 @@ Sync {
#
# Checksum on
# }
+
+ #
+ # This clause allows you to disable the external cache. Thus, the
+ # state entries are directly injected into the kernel conntrack
+ # table. As a result, you save memory in user-space but you consume
+ # slots in the kernel conntrack table for backup state entries.
+ # Moreover, disabling the external cache means more CPU consumption.
+ # You need a Linux kernel >= 2.6.29 to use this feature. By default,
+ # this clause is set off. If you are installing conntrackd for first
+ # time, please read the user manual and I encourage you to consider
+ # using the fail-over scripts instead of enabling this option!
+ #
+ # DisableExternalCache Off
}
#
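Review bot: The new comment block for `DisableExternalCache` says backup state entries consume slots in the kernel conntrack table, but it gives no sizing guidance. With the external cache disabled the backup node holds the peer's states in its own kernel table, and a full table typically causes new connections to be dropped. I would add a line such as `# Make sure the kernel conntrack table is large enough to hold the states of both nodes.` before the kernel-version sentence. The block also omits the restriction from the commit message that the clause works only with the FT-FW and notrack modes, and "for first time" should read "for the first time". The enclosing `Sync {` section starts outside the hunk.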