Provided by: conntrackd_1.4.3-3_i386 bug

NAME

       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS

       conntrackd [options]

DESCRIPTION

       conntrackd  is  the  user-space  daemon  for  the  netfilter connection
       tracking system. This daemon synchronizes  connection  tracking  states
       between  several  replica  firewalls.  Thus,  conntrackd can be used to
       deploy  highly  available  stateful  firewalls.  The  daemon   supports
       Primary-Backup  and Multiprimary setups. The daemon can also be used as
       statistics collector.

OPTIONS

       The options recognized  by  conntrackd  can  be  divided  into  several
       different groups.

   MODES
       These options specify the particular operation mode in which conntrackd
       runs. Only one of them can be specified at any given time.

       -d     Run conntrackd in daemon mode.

   CLIENT COMMANDS
       conntrackd can be used in client mode to  request  several  information
       and operations to a running daemon

       -i [ct|expect]"
              Dump the internal cache, i.e. show local states

       -e [ct|expect]"
              Dump the external cache, i.e. show foreign states

       -x     Display  output  in  XML  format.  This  option is only valid in
              combination with "-i" and "-e" parameters.

       -f [|internal|external]
              Flush the internal and/or external cache

       -F [ct|expect]
              Flush the kernel conntrack table (if you use a Linux  kernel  >=
              2.6.29,  this  option  will not flush your internal and external
              cache).

       -c     Commit external cache to conntrack table.

       -B     Force a bulk send to other replica firewalls. With this command,
              you  will  ask conntrackd to send the state-entries that it owns
              to others.

       -n     Request resync with other node (only FT-FW and NOTRACK modes).

       -k     Kill the daemon

       -s [|network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. If no parameter  is  passed,  it  displays  the
              general  statistics.   If  "network"  is  passed as parameter it
              displays the networking statistics.  If  "cache"  is  passed  as
              parameter, it shows the extended cache statistics.  If "runtime"
              is passed as parameter, it shows the  run-time  statistics.   If
              "process"  is  passed  as  parameter,  it  shows  existing child
              processes (if any).  If "queue" is passed as parameter, it shows
              queue  statistics.   If  "ct" is passed, it displays the general
              statistics.  If  "expect"  is  passed  as  parameter,  it  shows
              expectation statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table

       -t     Reset the in-kernel timers (See PurgeTimeout clause)

       -v     Display version information.

       -h     Display help information.

       -C config file
              Configuration file path.

       DIAGNOSTICS
              The  exit  code  is 0 for correct function. Errors cause an exit
              code of 1.

EXAMPLES

       The following example are illustrative, for a real use  in  a  firewall
       fail-over,  check  the  primary-backup.sh  script  that  comes with the
       sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those  handled
              by this firewall

       conntrackd -e
              Dumps  the states held in the external cache, i.e. those handled
              by other replica firewalls

       conntrackd -c
              Commits the external cache into the kernel  connection  tracking
              system. This is used to inject the state so that the connections
              can be recovered during the failover.

DEPENDENCIES

       This daemon requires a Linux  kernel  version  >=  2.6.18.  TCP  window
       tracking  support requires >= 2.6.22, otherwise you have to disable it.
       Helpers are fully supported since >= 2.6.25, however, if  you  use  any
       previous version, depending on the protocol helper and your setup (e.g.
       if you setup performs NAT  sequence  adjustments  or  not),  your  help
       connection may be successfully recovered.

       There are several unsupported stateful iptables matches such as recent,
       connbytes and the quota matches which gather  internal  information  to
       operate.  Since  that  information does not belong to the domain of the
       connection tracking system, connections affected by those  matches  may
       not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support kernel-
       space event filtering. Otherwise, all the event filtering  is  done  in
       userspace  with  the corresponding extra overhead. If you are not using
       the Filter clause in the configuration file, ignore this notice.

INCOMPATIBILITIES

       During the 0.9.9 development, some important changes in the replication
       message format were introduced. Therefore, conntrackd >= 0.9.9 will not
       work appropriately with conntrackd <=  0.9.8.  This  should  not  be  a
       problem  if  you  use  the  same conntrackd version in all the firewall
       replica nodes.

SEE ALSO

       conntrack(8),iptables(8)
       See http://conntrack-tools.netfilter.org

BUGS

       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

AUTHORS

       Pablo Neira Ayuso wrote and maintains the conntrackd tool

       Please   send  bug  reports  to  <netfilter-devel@lists.netfilter.org>.
       Subscription is required.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

                                 Sep 25, 2014                    CONNTRACKD(8)