
CONNTRACKD(8)                                                    CONNTRACKD(8)

       conntrackd - netfilter connection tracking user-space daemon

       conntrackd [options]

       conntrackd is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes
       connection tracking states between several replica firewalls. Thus, conntrackd can be used to deploy highly
       available stateful firewalls. The daemon supports Primary-Backup and Multiprimary setups. The daemon can also
       be used as a statistics collector.

       The options recognized by conntrackd can be divided into several different groups.

       These options specify the particular operation mode in which conntrackd runs. Only one of them can be specified
       at any given time.

       -d     Run conntrackd in daemon mode.

       conntrackd can be used in client mode to request several information and operations to a running daemon

       -i [ct|expect]
              Dump the internal cache, i.e. show local states

       -e [ct|expect]
              Dump the external cache, i.e. show foreign states

       -x     Display output in XML format. This option is only valid in combination with "-i" and "-e" parameters.

       -f [|internal|external]
              Flush the internal and/or external cache

       -F [ct|expect]
              Flush  the  kernel conntrack table (if you use a Linux kernel >= 2.6.29, this option will not flush your
              internal and external cache).

       -c     Commit external cache to conntrack table.

       -B     Force a bulk send to other replica firewalls. With this command, you will ask  conntrackd  to  send  the
              state-entries that it owns to others.

       -n     Request resync with other node (only FT-FW and NOTRACK modes).

       -k     Kill the daemon

       -s [|network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. If no parameter is passed, it displays the general statistics. If "network" is passed
              as parameter, it displays the networking statistics. If "cache" is passed as parameter, it shows the
              extended cache statistics. If "runtime" is passed as parameter, it shows the run-time statistics. If
              "process" is passed as parameter, it shows existing child processes (if any). If "queue" is passed as
              parameter, it shows queue statistics. If "ct" is passed, it displays the general statistics. If
              "expect" is passed as parameter, it shows expectation statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table

       -t     Reset the in-kernel timers (See PurgeTimeout clause)

       -v     Display version information.

       -h     Display help information.

       -C config file
              Configuration file path.

       The exit code is 0 for correct function. Errors cause an exit code of 1.

       The following examples are illustrative; for real use in a firewall fail-over, check the script that comes
       with the sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those handled by this firewall

       conntrackd -e
              Dumps the states held in the external cache, i.e. those handled by other replica firewalls

       conntrackd -c
              Commits  the external cache into the kernel connection tracking system. This is used to inject the state
              so that the connections can be recovered during the failover.
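       As an added example (not text from this man page, and not the script shipped with the conntrackd sources), a minimal POSIX sh fail-over handler that strings the client-mode commands above together per role, as a cluster manager would call it on a role change. CONNTRACKD_BIN, CONNTRACKD_CONFIG and DRY_RUN are names assumed by this example; DRY_RUN=1 prints the commands instead of running them, which is also how it can be checked without a running daemon.

```shell
#!/bin/sh
# Added example, not the man page's text nor the script in the conntrackd
# sources: a minimal fail-over transition handler built from the client-mode
# options. A cluster manager would invoke it as:
#   failover.sh primary|backup|fault
# CONNTRACKD_BIN, CONNTRACKD_CONFIG and DRY_RUN are this example's own
# (assumed) variables; DRY_RUN=1 echoes the commands instead of running them.

CONNTRACKD_BIN="${CONNTRACKD_BIN:-conntrackd}"

# run_ct: run one conntrackd client command, prepending "-C <file>" when a
# configuration path is given. In dry-run mode the command line is echoed.
run_ct() {
    if [ -n "$CONNTRACKD_CONFIG" ]; then
        set -- -C "$CONNTRACKD_CONFIG" "$@"
    fi
    if [ -n "$DRY_RUN" ]; then
        echo "$CONNTRACKD_BIN $*"
    else
        "$CONNTRACKD_BIN" "$@"
    fi
}

# transition: issue the command sequence for the new role of this node.
# Returns 1 on an unknown role so the caller notices a misconfiguration.
transition() {
    case "$1" in
        primary)
            # Taking over: commit the external cache into the kernel table so
            # foreign connections survive, flush both caches, resync the
            # internal cache against the kernel table, then bulk-send our
            # states to the other replicas.
            run_ct -c && run_ct -f && run_ct -R && run_ct -B
            ;;
        backup)
            # Stepping down: check the daemon answers (statistics request),
            # reset in-kernel timers so stale entries expire, then ask the
            # new primary for a full resync.
            run_ct -s && run_ct -t && run_ct -n
            ;;
        fault)
            # Faulty node: only let stale kernel entries expire.
            run_ct -t
            ;;
        *)
            echo "usage: $0 primary|backup|fault" >&2
            return 1
            ;;
    esac
}

if [ $# -gt 0 ]; then
    transition "$1"
fi
```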

       This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22;
       otherwise you have to disable it. Helpers are fully supported since >= 2.6.25; if you use an earlier version,
       whether your helped connections can be successfully recovered depends on the protocol helper and on your
       setup (e.g. whether it performs NAT sequence adjustments or not).

       There  are  several unsupported stateful iptables matches such as recent, connbytes and the quota matches which
       gather internal information to operate. Since that information does not belong to the domain of the  connection
       tracking system, connections affected by those matches may not be fully recovered during the takeover.

       The  daemon  requires  a Linux kernel version >= 2.6.26 to support kernel-space event filtering. Otherwise, all
       the event filtering is done in userspace with the corresponding extra overhead. If you are not using the Filter
       clause in the configuration file, ignore this notice.

       During the 0.9.9 development, some important changes in the replication message format were introduced.
       Therefore, conntrackd >= 0.9.9 will not work appropriately with conntrackd <= 0.9.8. This should not be a
       problem if you use the same conntrackd version in all the firewall replica nodes.


       Please report them to or file a bug in Netfilter's bugzilla.

       Pablo Neira Ayuso wrote and maintains the conntrackd tool

       Please send bug reports to <>. Subscription is required.

       Man page written by Pablo Neira Ayuso <>.

                                 Oct 21, 2008                    CONNTRACKD(8)