[packages/conntrack-tools] - updated config file to match current options - release 2
qboosh
qboosh at pld-linux.org
Wed Jul 2 18:20:59 CEST 2014
commit 3983b66e28149edca9ead8c659882ef5cc187b83
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Wed Jul 2 18:25:26 2014 +0200
- updated config file to match current options
- release 2
conntrack-tools.conf | 108 +++++++++++++++++++++++++++++++++++++--------------
conntrack-tools.spec | 2 +-
2 files changed, 80 insertions(+), 30 deletions(-)
---
diff --git a/conntrack-tools.spec b/conntrack-tools.spec
index 6951cd3..9dc2001 100644
--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@@ -2,7 +2,7 @@ Summary: The userspace connection tracking table administration program
Summary(pl.UTF-8): Program przestrzeni użytkownika do zarządzania tablicą śledzenia połączeń
Name: conntrack-tools
Version: 1.4.2
-Release: 1
+Release: 2
License: GPL v2
Group: Applications/Networking
Source0: http://www.netfilter.org/projects/conntrack-tools/files/%{name}-%{version}.tar.bz2
diff --git a/conntrack-tools.conf b/conntrack-tools.conf
index e514ac0..c4ba16e 100644
--- a/conntrack-tools.conf
+++ b/conntrack-tools.conf
@@ -3,24 +3,50 @@
#
General {
#
+ # Set the nice value of the daemon. This value goes from -20
+ # (most favorable scheduling) to 19 (least favorable). Using a
+ # negative value reduces the chances to lose state-change events.
+ # Default is 0. See man nice(1) for more information.
+ #
+ #Nice -1
+
+ #
+ # Select a different scheduler for the daemon, you can select between
+ # RR and FIFO and the process priority (minimum is 0, maximum is 99).
+ # See man sched_setscheduler(2) for more information. Using a RT
+ # scheduler reduces the chances to overrun the Netlink buffer.
+ #
+ # Scheduler {
+ # Type FIFO
+ # Priority 99
+ # }
+
+ #
# Number of buckets in the caches: hash table
#
HashSize 8192
#
- # Maximum number of conntracks:
+ # Maximum number of conntracks:
# it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
#
HashLimit 65535
#
- # Logfile
+ # Logfile: on (/var/log/conntrackd.log), off, or a filename
+ # Default: off
#
LogFile /var/log/conntrackd.log
#
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ #Syslog on
+
+ #
# Lockfile
- #
+ #
LockFile /var/lock/conntrack.lock
#
@@ -34,36 +60,60 @@ General {
#
# Netlink socket buffer size
#
- SocketBufferSize 262142
+ NetlinkBufferSize 262142
#
# Increase the socket buffer up to maximun if required
#
- SocketBufferSizeMaxGrown 655355
-}
+ NetlinkBufferSizeMaxGrowth 655355
-#
-# Ignore traffic for a certain set of IP's: Usually
-# all the IP assigned to the firewall since local
-# traffic must be ignored, just forwarded connections
-# are worth to replicate
-#
-IgnoreTrafficFor {
- IPv4_address 127.0.0.1 # loopback
-}
+ #
+ # By default, the daemon receives state updates following an
+ # event-driven model. You can modify this behaviour by switching to
+ # polling mode with the PollSecs clause. This clause tells conntrackd
+ # to dump the states in the kernel every N seconds. With regards to
+ # synchronization mode, the polling mode can only guarantee that
+ # long-lifetime states are recovered. The main advantage of this method
+ # is the reduction in the state replication at the cost of reducing the
+ # chances of recovering connections.
+ #
+ # PollSecs 15
-#
-# Do not replicate certain protocol traffic
-#
-IgnoreProtocol {
- UDP
-# ICMP
-# IGMP
-# VRRP
- # numeric numbers also valid
-}
+ #
+ # Event filtering: This clause allows you to filter certain traffic,
+ # There are currently three filter-sets: Protocol, Address and
+ # State. The filter is attached to an action that can be: Accept or
+ # Ignore. Thus, you can define the event filtering policy of the
+ # filter-sets in positive or negative logic depending on your needs.
+ #
+ Filter {
+ #
+ # Accept only certain protocols: You may want to log the
+ # state of flows depending on their layer 4 protocol.
+ #
+ Protocol Accept {
+ TCP
+ # UDP
+ # ICMP
+ # IGMP
+ # VRRP
+ }
-#
-# Strip NAT traffic
-#
-StripNAT
+ #
+ # Ignore traffic for a certain set of IP's.
+ #
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ # IPv6_address ::1
+ }
+
+ #
+ # Uncomment this line below if you want to filter by flow state.
+ # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
+ # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
+}
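Review bot: The new comment above `Address Ignore` ("Ignore traffic for a certain set of IP's.") drops the rationale that the removed `IgnoreTrafficFor` block carried, namely that the set should normally hold every address assigned to the firewall, since local traffic must be ignored and only forwarded connections are worth replicating; an admin reading only the new file gets no cue to extend the list beyond loopback. I would restore it as `# Ignore traffic for a certain set of IP's: usually all the addresses assigned to the firewall, since local traffic must be ignored and only forwarded connections are worth replicating.` Note also that `Protocol Accept { TCP }` is positive logic, so where the old `IgnoreProtocol { UDP }` excluded only UDP, the new filter now also drops ICMP, IGMP and every other protocol from replication, and `StripNAT` disappears without a replacement being mentioned — both may well be intended, but neither is documented in the file or the commit message. The unchanged context line `# Increase the socket buffer up to maximun if required` could have its spelling fixed to `maximum` while the block is being touched.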
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/conntrack-tools.git/commitdiff/3983b66e28149edca9ead8c659882ef5cc187b83