Provided by: conntrackd_1.4.3-3_amd64 bug

NAME
       conntrackd - netfilter connection tracking user-space daemon


SYNOPSIS
       conntrackd [options]


DESCRIPTION
       conntrackd  is  the  user-space  daemon  for  the  netfilter  connection  tracking  system.  This  daemon
       synchronizes connection tracking states between several replica firewalls. Thus, conntrackd can  be  used
       to  deploy  highly  available  stateful  firewalls.  The  daemon supports Primary-Backup and Multiprimary
       setups. The daemon can also be used as statistics collector.


OPTIONS
       The options recognized by conntrackd can be divided into several different groups.

   MODES
       These options specify the particular operation mode in which conntrackd runs. Only one  of  them  can  be
       specified at any given time.

       -d     Run conntrackd in daemon mode.

   CLIENT COMMANDS
       conntrackd can be used in client mode to request several information and operations to a running daemon

       -i [ct|expect]"
              Dump the internal cache, i.e. show local states

       -e [ct|expect]"
              Dump the external cache, i.e. show foreign states

       -x     Display  output  in  XML  format.  This  option  is  only  valid in combination with "-i" and "-e"
              parameters.

       -f [|internal|external]
              Flush the internal and/or external cache

       -F [ct|expect]
              Flush the kernel conntrack table (if you use a Linux kernel >= 2.6.29, this option will not  flush
              your internal and external cache).

       -c     Commit external cache to conntrack table.

       -B     Force  a  bulk send to other replica firewalls. With this command, you will ask conntrackd to send
              the state-entries that it owns to others.

       -n     Request resync with other node (only FT-FW and NOTRACK modes).

       -k     Kill the daemon

       -s [|network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. If no parameter is passed, it displays the general statistics.  If  "network"  is
              passed  as parameter it displays the networking statistics.  If "cache" is passed as parameter, it
              shows the extended cache statistics.  If "runtime" is passed as parameter, it shows  the  run-time
              statistics.   If "process" is passed as parameter, it shows existing child processes (if any).  If
              "queue" is passed as parameter, it shows queue statistics.  If "ct" is  passed,  it  displays  the
              general statistics.  If "expect" is passed as parameter, it shows expectation statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table

       -t     Reset the in-kernel timers (See PurgeTimeout clause)

       -v     Display version information.

       -h     Display help information.

       -C config file
              Configuration file path.

       DIAGNOSTICS
              The exit code is 0 for correct function. Errors cause an exit code of 1.


EXAMPLES
       The  following  example  are  illustrative,  for  a  real use in a firewall fail-over, check the primary-
       backup.sh script that comes with the sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those handled by this firewall

       conntrackd -e
              Dumps the states held in the external cache, i.e. those handled by other replica firewalls

       conntrackd -c
              Commits the external cache into the kernel connection tracking system. This is used to inject  the
              state so that the connections can be recovered during the failover.


DEPENDENCIES
       This  daemon  requires  a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22,
       otherwise you have to disable it. Helpers are fully supported since >= 2.6.25, however, if  you  use  any
       previous  version,  depending  on  the  protocol  helper  and  your setup (e.g. if you setup performs NAT
       sequence adjustments or not), your help connection may be successfully recovered.

       There are several unsupported stateful iptables matches such as recent, connbytes and the quota matches
       which gather internal information to operate. Since that information does not belong to the domain of the
       connection tracking system, connections affected by those matches may not be fully recovered during the
       takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support kernel-space event filtering. Otherwise,
       all the event filtering is done in userspace with the corresponding extra overhead. If you are not using
       the Filter clause in the configuration file, ignore this notice.


INCOMPATIBILITIES
       During the 0.9.9 development, some important changes in the replication message format  were  introduced.
       Therefore, conntrackd >= 0.9.9 will not work appropriately with conntrackd <= 0.9.8. This should not be a
       problem if you use the same conntrackd version in all the firewall replica nodes.


SEE ALSO
       conntrack(8),iptables(8)
       See http://conntrack-tools.netfilter.org


BUGS
       Please,   report   them  to  netfilter-devel@vger.kernel.org  or  file  a  bug  in  Netfilter's  bugzilla
       (https://bugzilla.netfilter.org).


AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool

       Please send bug reports to <netfilter-devel@lists.netfilter.org>. Subscription is required.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

                                                  Sep 25, 2014                                     CONNTRACKD(8)