Changes - j0ke.net Open Build Service

Changes of Revision 4

[-] [+]	Changed	conntrack-tools.spec
@@ -8,6 +8,8 @@ URL: http://conntrack-tools.netfilter.org/ Source: http://netfilter.org/projects/%name/files/%name-%version.tar.bz2 +Source1: conntrackd +Source2: conntrackd.conf Obsoletes: netfilter-toolsuite BuildRequires: bison flex pkg-config BuildRequires: libnfnetlink-devel libnetfilter_conntrack-devel @@ -49,12 +51,16 @@ mkdir -p "$b"; %__make install DESTDIR="$b"; find "$b" -type f -iname ".la" -print0 \| xargs -0 rm -f; +%__install -D -m755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/conntrackd +%__install -D -m644 %{S:2} %{buildroot}%{_sysconfdir}/conntrackd/conntrackd.conf %clean rm -Rf "%buildroot"; %files %defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/conntrackd/conntrackd.conf +%{_sysconfdir}/init.d/conntrackd %_sbindir/ %_mandir//
[-] [+]	Added	conntrackd ^
@@ -0,0 +1,283 @@ +#!/bin/sh +# +# Template SUSE system startup script for example service/daemon conntrackd +# Copyright (C) 1995--2005 Kurt Garloff, SUSE / Novell Inc. +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or (at +# your option) any later version. +# +# This library is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, +# USA. +# +# /etc/init.d/conntrackd +# and its symbolic link +# /(usr/)sbin/rcconntrackd +# +# Template system startup script for some example service/daemon conntrackd +# +# LSB compatible service control script; see http://www.linuxbase.org/spec/ +# +# Note: This template uses functions rc_XXX defined in /etc/rc.status on +# UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your +# script on this template and ensure that it works on non UL based LSB +# compliant Linux distributions, you either have to provide the rc.status +# functions from UL or change the script to work without them. +# See skeleton.compat for a template that works with other distros as well. +# +### BEGIN INIT INFO +# Provides: conntrackd +# Required-Start: $syslog $remote_fs +# Should-Start: $time ypbind smtp +# Required-Stop: $syslog $remote_fs +# Should-Stop: ypbind smtp +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: conntrackd XYZ daemon providing ZYX +# Description: Start conntrackd to allow XY and provide YZ +# continued on second line by '#<TAB>' +# should contain enough info for the runlevel editor +# to give admin some idea what this service does and +# what it's needed for ... +# (The Short-Description should already be a good hint.) +### END INIT INFO +# +# Any extensions to the keywords given above should be preceeded by +# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. +# +# Notes on Required-Start/Should-Start: +# * There are two different issues that are solved by Required-Start +# and Should-Start +# (a) Hard dependencies: This is used by the runlevel editor to determine +# which services absolutely need to be started to make the start of +# this service make sense. Example: nfsserver should have +# Required-Start: $portmap +# Also, required services are started before the dependent ones. +# The runlevel editor will warn about such missing hard dependencies +# and suggest enabling. During system startup, you may expect an error, +# if the dependency is not fulfilled. +# (b) Specifying the init script ordering, not real (hard) dependencies. +# This is needed by insserv to determine which service should be +# started first (and at a later stage what services can be started +# in parallel). The tag Should-Start: is used for this. +# It tells, that if a service is available, it should be started +# before. If not, never mind. +# * When specifying hard dependencies or ordering requirements, you can +# use names of services (contents of their Provides: section) +# or pseudo names starting with a $. The following ones are available +# according to LSB (1.1): +# $local_fs all local file systems are mounted +# (most services should need this!) +# $remote_fs all remote file systems are mounted +# (note that /usr may be remote, so +# many services should Require this!) +# $syslog system logging facility up +# $network low level networking (eth card, ...) +# $named hostname resolution available +# $netdaemons all network daemons are running +# The $netdaemons pseudo service has been removed in LSB 1.2. +# For now, we still offer it for backward compatibility. +# These are new (LSB 1.2): +# $time the system time has been set correctly +# $portmap SunRPC portmapping service available +# UnitedLinux extensions: +# $ALL indicates that a script should be inserted +# at the end +# * The services specified in the stop tags +# (Required-Stop/Should-Stop) +# specify which services need to be still running when this service +# is shut down. Often the entries there are just copies or a subset +# from the respective start tag. +# * Should-Start/Stop are now part of LSB as of 2.0, +# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop. +# insserv does support both variants. +# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time +# (%fillup_and_insserv macro in %post of many RPMs) to specify whether +# a startup script should default to be enabled after installation. +# It's not used by insserv. +# +# Note on runlevels: +# 0 - halt/poweroff 6 - reboot +# 1 - single user 2 - multiuser without network exported +# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) +# +# Note on script names: +# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html +# A registry has been set up to manage the init script namespace. +# http://www.lanana.org/ +# Please use the names already registered or register one or use a +# vendor prefix. + + +# Check for missing binaries (stale symlinks should not happen) +# Note: Special treatment of stop for LSB conformance +conntrackd_BIN=/usr/sbin/conntrackd +test -x $conntrackd_BIN \|\| { echo "$conntrackd_BIN not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } + +# Check for existence of needed config file and read it +#conntrackd_CONFIG=/etc/sysconfig/conntrackd +#test -r $conntrackd_CONFIG \|\| { echo "$conntrackd_CONFIG not existing"; +# if [ "$1" = "stop" ]; then exit 0; +# else exit 6; fi; } +# +## Read config +#. $conntrackd_CONFIG + +# Source LSB init functions +# providing start_daemon, killproc, pidofproc, +# log_success_msg, log_failure_msg and log_warning_msg. +# This is currently not used by UnitedLinux based distributions and +# not needed for init scripts for UnitedLinux only. If it is used, +# the functions from rc.status should not be sourced or used. +#. /lib/lsb/init-functions + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v be verbose in local rc status and clear it afterwards +# rc_status -v -r ditto and clear both the local and overall rc status +# rc_status -s display "skipped" and exit with status 3 +# rc_status -u display "unused" and exit with status 3 +# rc_failed set local and overall rc status to failed +# rc_failed <num> set local and overall rc status to <num> +# rc_reset clear both the local and overall rc status +# rc_exit exit appropriate to overall rc status +# rc_active checks whether a service is activated by symlinks +. /etc/rc.status + +# Reset status of this service +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. "reload") +# 4 - user had insufficient privileges +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signaling is not supported) are +# considered a success. + +case "$1" in + start) + echo -n "Starting conntrackd " + ## Start daemon with startproc(8). If this fails + ## the return value is set appropriately by startproc. + /sbin/startproc $conntrackd_BIN + + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down conntrackd " + ## Stop daemon with killproc(8) and if this fails + ## killproc sets the return value according to LSB. + + /sbin/killproc -TERM $conntrackd_BIN + + # Remember status and be verbose + rc_status -v + ;; + try-restart\|condrestart) + ## Do a restart only if the service was active before. + ## Note: try-restart is now part of LSB (as of 1.9).
[-] [+]	Added	conntrackd.conf ^
@@ -0,0 +1,157 @@ +# +# Synchronizer settings +# +Sync { + Mode FTFW { + # + # Size of the buffer that hold destroy messages for + # possible resends (in bytes) + # + ResendQueueSize 262144 + + # + # Entries committed to the connection tracking table + # starts with a limited timeout of N seconds until the + # takeover process is completed. + # + CommitTimeout 180 + + # Set Acknowledgement window size + ACKWindowSize 20 + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + IPv4_address 225.0.0.50 + IPv4_interface 10.0.0.145 # IP of dedicated link + Interface eth1 + Group 3780 + # Enable/Disable message checksumming + Checksum on + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. + # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. + # + # McastSndSocketBuffer 1249280 + # + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # the receiver buffer. + # + # McastRcvSocketBuffer 1249280 + } + + # Uncomment this if you want to replicate just certain TCP states. + # This option introduces a tradeoff in the replication: it reduces + # CPU consumption and lost messages rate at the cost of having + # backup replicas that don't contain the current state that the active + # replica holds. TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED, + # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE, LISTEN. + # + # Replicate ESTABLISHED TIME_WAIT for TCP + + # If you have a multiprimary setup (active-active) without connection + # persistency, ie. you can't know which firewall handles a packet + # that is part of a connection, then you need direct commit of + # conntrack entries to the kernel conntrack table. OSPF setups must + # set on this option. Default is Off. + # + # CacheWriteThrough On +} + +# +# General settings +# +General { + # + # Number of buckets in the caches: hash table + # + HashSize 8192 + + # + # Maximum number of conntracks: + # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max + # + HashLimit 65535 + + # + # Logfile: on, off, or a filename + # Default: on (/var/log/conntrackd.log) + # + #LogFile off + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /tmp/sync.sock + Backlog 20 + } + + # + # Netlink socket buffer size + # + SocketBufferSize 262142 + + # + # Increase the socket buffer up to maximum if required + # + SocketBufferSizeMaxGrown 655355 + + + # + # Ignore traffic for a certain set of IP's: Usually + # all the IP assigned to the firewall since local + # traffic must be ignored, just forwarded connections + # are worth to replicate + # + Filter { + Address Ignore { + IPv4_address 127.0.0.1 # loopback + } + Protocol Ignore { + ICMP + IGMP + VRRP + } + } +} +# +# Do not replicate certain protocol traffic +# +#IgnoreProtocol { +# UDP +# ICMP +# IGMP +# VRRP +# # numeric numbers also valid +#}