[-]
[+]
|
Changed |
conntrack-tools.spec
|
|
[-]
[+]
|
Added |
conntrackd
^
|
@@ -0,0 +1,283 @@
+#!/bin/sh
+#
+# Template SUSE system startup script for example service/daemon conntrackd
+# Copyright (C) 1995--2005 Kurt Garloff, SUSE / Novell Inc.
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or (at
+# your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+# /etc/init.d/conntrackd
+# and its symbolic link
+# /(usr/)sbin/rcconntrackd
+#
+# Template system startup script for some example service/daemon conntrackd
+#
+# LSB compatible service control script; see http://www.linuxbase.org/spec/
+#
+# Note: This template uses functions rc_XXX defined in /etc/rc.status on
+# UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your
+# script on this template and ensure that it works on non UL based LSB
+# compliant Linux distributions, you either have to provide the rc.status
+# functions from UL or change the script to work without them.
+# See skeleton.compat for a template that works with other distros as well.
+#
+### BEGIN INIT INFO
+# Provides: conntrackd
+# Required-Start: $syslog $remote_fs
+# Should-Start: $time ypbind smtp
+# Required-Stop: $syslog $remote_fs
+# Should-Stop: ypbind smtp
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: conntrackd XYZ daemon providing ZYX
+# Description: Start conntrackd to allow XY and provide YZ
+# continued on second line by '#<TAB>'
+# should contain enough info for the runlevel editor
+# to give admin some idea what this service does and
+# what it's needed for ...
+# (The Short-Description should already be a good hint.)
+### END INIT INFO
+#
+# Any extensions to the keywords given above should be preceeded by
+# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
+#
+# Notes on Required-Start/Should-Start:
+# * There are two different issues that are solved by Required-Start
+# and Should-Start
+# (a) Hard dependencies: This is used by the runlevel editor to determine
+# which services absolutely need to be started to make the start of
+# this service make sense. Example: nfsserver should have
+# Required-Start: $portmap
+# Also, required services are started before the dependent ones.
+# The runlevel editor will warn about such missing hard dependencies
+# and suggest enabling. During system startup, you may expect an error,
+# if the dependency is not fulfilled.
+# (b) Specifying the init script ordering, not real (hard) dependencies.
+# This is needed by insserv to determine which service should be
+# started first (and at a later stage what services can be started
+# in parallel). The tag Should-Start: is used for this.
+# It tells, that if a service is available, it should be started
+# before. If not, never mind.
+# * When specifying hard dependencies or ordering requirements, you can
+# use names of services (contents of their Provides: section)
+# or pseudo names starting with a $. The following ones are available
+# according to LSB (1.1):
+# $local_fs all local file systems are mounted
+# (most services should need this!)
+# $remote_fs all remote file systems are mounted
+# (note that /usr may be remote, so
+# many services should Require this!)
+# $syslog system logging facility up
+# $network low level networking (eth card, ...)
+# $named hostname resolution available
+# $netdaemons all network daemons are running
+# The $netdaemons pseudo service has been removed in LSB 1.2.
+# For now, we still offer it for backward compatibility.
+# These are new (LSB 1.2):
+# $time the system time has been set correctly
+# $portmap SunRPC portmapping service available
+# UnitedLinux extensions:
+# $ALL indicates that a script should be inserted
+# at the end
+# * The services specified in the stop tags
+# (Required-Stop/Should-Stop)
+# specify which services need to be still running when this service
+# is shut down. Often the entries there are just copies or a subset
+# from the respective start tag.
+# * Should-Start/Stop are now part of LSB as of 2.0,
+# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
+# insserv does support both variants.
+# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
+# (%fillup_and_insserv macro in %post of many RPMs) to specify whether
+# a startup script should default to be enabled after installation.
+# It's not used by insserv.
+#
+# Note on runlevels:
+# 0 - halt/poweroff 6 - reboot
+# 1 - single user 2 - multiuser without network exported
+# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
+#
+# Note on script names:
+# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
+# A registry has been set up to manage the init script namespace.
+# http://www.lanana.org/
+# Please use the names already registered or register one or use a
+# vendor prefix.
+
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+conntrackd_BIN=/usr/sbin/conntrackd
+test -x $conntrackd_BIN || { echo "$conntrackd_BIN not installed";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 5; fi; }
+
+# Check for existence of needed config file and read it
+#conntrackd_CONFIG=/etc/sysconfig/conntrackd
+#test -r $conntrackd_CONFIG || { echo "$conntrackd_CONFIG not existing";
+# if [ "$1" = "stop" ]; then exit 0;
+# else exit 6; fi; }
+#
+## Read config
+#. $conntrackd_CONFIG
+
+# Source LSB init functions
+# providing start_daemon, killproc, pidofproc,
+# log_success_msg, log_failure_msg and log_warning_msg.
+# This is currently not used by UnitedLinux based distributions and
+# not needed for init scripts for UnitedLinux only. If it is used,
+# the functions from rc.status should not be sourced or used.
+#. /lib/lsb/init-functions
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v be verbose in local rc status and clear it afterwards
+# rc_status -v -r ditto and clear both the local and overall rc status
+# rc_status -s display "skipped" and exit with status 3
+# rc_status -u display "unused" and exit with status 3
+# rc_failed set local and overall rc status to failed
+# rc_failed <num> set local and overall rc status to <num>
+# rc_reset clear both the local and overall rc status
+# rc_exit exit appropriate to overall rc status
+# rc_active checks whether a service is activated by symlinks
+. /etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - user had insufficient privileges
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signaling is not supported) are
+# considered a success.
+
+case "$1" in
+ start)
+ echo -n "Starting conntrackd "
+ ## Start daemon with startproc(8). If this fails
+ ## the return value is set appropriately by startproc.
+ /sbin/startproc $conntrackd_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down conntrackd "
+ ## Stop daemon with killproc(8) and if this fails
+ ## killproc sets the return value according to LSB.
+
+ /sbin/killproc -TERM $conntrackd_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ try-restart|condrestart)
+ ## Do a restart only if the service was active before.
+ ## Note: try-restart is now part of LSB (as of 1.9).
|
[-]
[+]
|
Added |
conntrackd.conf
^
|
@@ -0,0 +1,157 @@
+#
+# Synchronizer settings
+#
+Sync {
+ Mode FTFW {
+ #
+ # Size of the buffer that hold destroy messages for
+ # possible resends (in bytes)
+ #
+ ResendQueueSize 262144
+
+ #
+ # Entries committed to the connection tracking table
+ # starts with a limited timeout of N seconds until the
+ # takeover process is completed.
+ #
+ CommitTimeout 180
+
+ # Set Acknowledgement window size
+ ACKWindowSize 20
+ }
+
+ #
+ # Multicast IP and interface where messages are
+ # broadcasted (dedicated link). IMPORTANT: Make sure
+ # that iptables accepts traffic for destination
+ # 225.0.0.50, eg:
+ #
+ # iptables -I INPUT -d 225.0.0.50 -j ACCEPT
+ # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
+ #
+ Multicast {
+ IPv4_address 225.0.0.50
+ IPv4_interface 10.0.0.145 # IP of dedicated link
+ Interface eth1
+ Group 3780
+ # Enable/Disable message checksumming
+ Checksum on
+ # The multicast sender uses a buffer to enqueue the packets
+ # that are going to be transmitted. The default size of this
+ # socket buffer is available at /proc/sys/net/core/wmem_default.
+ # This value determines the chances to have an overrun in the
+ # sender queue. The overrun results packet loss, thus, losing
+ # state information that would have to be retransmitted. If you
+ # notice some packet loss, you may want to increase the size
+ # of the sender buffer.
+ #
+ # McastSndSocketBuffer 1249280
+ #
+ # The multicast receiver uses a buffer to enqueue the packets
+ # that the socket is pending to handle. The default size of this
+ # socket buffer is available at /proc/sys/net/core/rmem_default.
+ # This value determines the chances to have an overrun in the
+ # receiver queue. The overrun results packet loss, thus, losing
+ # state information that would have to be retransmitted. If you
+ # notice some packet loss, you may want to increase the size of
+ # the receiver buffer.
+ #
+ # McastRcvSocketBuffer 1249280
+ }
+
+ # Uncomment this if you want to replicate just certain TCP states.
+ # This option introduces a tradeoff in the replication: it reduces
+ # CPU consumption and lost messages rate at the cost of having
+ # backup replicas that don't contain the current state that the active
+ # replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
+ # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN.
+ #
+ # Replicate ESTABLISHED TIME_WAIT for TCP
+
+ # If you have a multiprimary setup (active-active) without connection
+ # persistency, ie. you can't know which firewall handles a packet
+ # that is part of a connection, then you need direct commit of
+ # conntrack entries to the kernel conntrack table. OSPF setups must
+ # set on this option. Default is Off.
+ #
+ # CacheWriteThrough On
+}
+
+#
+# General settings
+#
+General {
+ #
+ # Number of buckets in the caches: hash table
+ #
+ HashSize 8192
+
+ #
+ # Maximum number of conntracks:
+ # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
+ #
+ HashLimit 65535
+
+ #
+ # Logfile: on, off, or a filename
+ # Default: on (/var/log/conntrackd.log)
+ #
+ #LogFile off
+
+ #
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ Syslog on
+
+ #
+ # Lockfile
+ #
+ LockFile /var/lock/conntrack.lock
+
+ #
+ # Unix socket configuration
+ #
+ UNIX {
+ Path /tmp/sync.sock
+ Backlog 20
+ }
+
+ #
+ # Netlink socket buffer size
+ #
+ SocketBufferSize 262142
+
+ #
+ # Increase the socket buffer up to maximum if required
+ #
+ SocketBufferSizeMaxGrown 655355
+
+
+ #
+ # Ignore traffic for a certain set of IP's: Usually
+ # all the IP assigned to the firewall since local
+ # traffic must be ignored, just forwarded connections
+ # are worth to replicate
+ #
+ Filter {
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ }
+ Protocol Ignore {
+ ICMP
+ IGMP
+ VRRP
+ }
+ }
+}
+#
+# Do not replicate certain protocol traffic
+#
+#IgnoreProtocol {
+# UDP
+# ICMP
+# IGMP
+# VRRP
+# # numeric numbers also valid
+#}
|