diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 669b20877..30e619daf 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -1,113 +1,114 @@ ### autogenerated by service_conntrack-sync.py ### # Synchronizer settings Sync { Mode FTFW { DisableExternalCache {{ 'on' if disable_external_cache is vyos_defined else 'off' }} + StartupResync {{ 'on' if startup_resync is vyos_defined else 'off' }} } {% for iface, iface_config in interface.items() %} {% if iface_config.peer is vyos_defined %} UDP { {% if listen_address is vyos_defined %} {% for address in listen_address %} IPv4_address {{ address }} {% endfor %} {% endif %} IPv4_Destination_Address {{ iface_config.peer }} Port {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} Interface {{ iface }} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} Checksum on } {% else %} Multicast { {% set ip_address = iface | get_ipv4 %} IPv4_address {{ mcast_group }} Group {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} IPv4_interface {{ ip_address[0] | ip_from_cidr }} Interface {{ iface }} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} Checksum on } {% endif %} {% endfor %} {% if expect_sync is vyos_defined %} Options { {% if 'all' in expect_sync %} ExpectationSync on {% else %} ExpectationSync { {% for protocol in expect_sync %} {{ protocol }} {% endfor %} } {% endif %} } {% endif %} } Helper { Type rpc inet tcp { QueueNum 3 Policy rpc { ExpectMax 1 ExpectTimeout 300 } } Type rpc inet udp { QueueNum 4 Policy rpc { ExpectMax 1 ExpectTimeout 300 } } Type tns inet tcp { QueueNum 5 Policy tns { ExpectMax 1 ExpectTimeout 300 } } } # General settings General { HashSize {{ hash_size }} HashLimit {{ table_size | int *2 }} LogFile off Syslog {{ 'off' if disable_syslog is vyos_defined else 'on' }} LockFile /var/lock/conntrack.lock UNIX { Path /var/run/conntrackd.ctl } NetlinkBufferSize {{ 2 *1024 *1024 }} NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }} 
NetlinkOverrunResync off NetlinkEventsReliable on {% if ignore_address is vyos_defined or accept_protocol is vyos_defined %} Filter From Userspace { {% if ignore_address is vyos_defined %} Address Ignore { {% for address in ignore_address if address | is_ipv4 %} IPv4_address {{ address }} {% endfor %} {% for address in ignore_address if address | is_ipv6 %} IPv6_address {{ address }} {% endfor %} } {% endif %} {% if accept_protocol is vyos_defined %} Protocol Accept { {% for protocol in accept_protocol %} {% if protocol == 'icmp6' %} IPv6-ICMP {% else %} {{ protocol | upper }} {% endif %} {% endfor %} } {% endif %} } {% endif %} }
diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in
index 397864867..631c830b4 100644
--- a/interface-definitions/service_conntrack-sync.xml.in
+++ b/interface-definitions/service_conntrack-sync.xml.in
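Review bot: The added `StartupResync` line inside `Mode FTFW` carries no explanation, while the rest of this template annotates its sections with `#` comments that are passed through into the rendered conntrackd.conf; add `# Request a full conntrack table resync from the peer when conntrackd starts` directly above it so the generated file is self-describing. Placement inside the FTFW block is correct since the template hard-codes that mode. Separately, on the new side the `Port` and `Group` lines both carry a literal `'3780'` fallback; if the included port-number definition already supplies a defaultValue, that template fallback is dead and the two defaults should be reconciled in one place — this cannot be confirmed from the hunk alone.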
@@ -1,179 +1,185 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="service"> <children> <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/service_conntrack-sync.py"> <properties> <help>Connection tracking synchronization</help> <!-- before VRRP / HA --> <priority>799</priority> </properties> <children> <leafNode name="accept-protocol"> <properties> <help>Protocols for which local conntrack entries will be synced</help> <completionHelp> <list>tcp udp icmp icmp6 sctp dccp</list> </completionHelp> <valueHelp> <format>tcp</format> <description>Sync Transmission Control Protocol entries</description> </valueHelp> <valueHelp> <format>udp</format> <description>Sync User Datagram Protocol entries</description> </valueHelp> <valueHelp> <format>icmp</format> <description>Sync Internet Control Message Protocol entries</description> </valueHelp> <valueHelp> <format>icmp6</format> <description>Sync IPv6 Internet Control Message Protocol entries</description> </valueHelp> <valueHelp> <format>sctp</format> <description>Sync Stream Control Transmission Protocol entries</description> </valueHelp> <valueHelp> <format>dccp</format> <description>Sync Datagram Congestion Control Protocol entries</description> </valueHelp> <constraint> <regex>(tcp|udp|icmp|icmp6|sctp|dccp)</regex> </constraint> <constraintErrorMessage>Allowed protocols: tcp udp icmp or sctp</constraintErrorMessage> <multi/> </properties> </leafNode> <leafNode name="disable-external-cache"> <properties> <help>Directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall.</help> <valueless/> </properties> </leafNode> <leafNode name="disable-syslog"> <properties> <help>Disable connection logging via Syslog</help> <valueless/> </properties> </leafNode> <leafNode name="event-listen-queue-size"> <properties> <help>Queue size for local conntrack events</help> <valueHelp> <format>u32</format> <description>Queue size in MB</description> </valueHelp> </properties> 
<defaultValue>8</defaultValue> </leafNode> <leafNode name="expect-sync"> <properties> <help>Protocol for which expect entries need to be synchronized</help> <completionHelp> <list>all ftp sip h323 nfs sqlnet</list> </completionHelp> <constraint> <regex>(all|ftp|sip|h323|nfs|sqlnet)</regex> </constraint> <constraintErrorMessage>Invalid protocol</constraintErrorMessage> <multi/> </properties> </leafNode> + <leafNode name="startup-resync"> + <properties> + <help>Order conntrackd to request a complete conntrack table resync against the other node at startup</help> + <valueless/> + </properties> + </leafNode> <node name="failover-mechanism"> <properties> <help>Failover mechanism to use for conntrack-sync</help> </properties> <children> <node name="vrrp"> <properties> <help>VRRP as failover-mechanism to use for conntrack-sync</help> </properties> <children> <leafNode name="sync-group"> <properties> <help>VRRP sync group</help> <completionHelp> <path>high-availability vrrp sync-group</path> </completionHelp> </properties> </leafNode> </children> </node> </children> </node> <leafNode name="ignore-address"> <properties> <help>IP addresses for which local conntrack entries will not be synced</help> <valueHelp> <format>ipv4</format> <description>IPv4 address to ignore</description> </valueHelp> <valueHelp> <format>ipv4net</format> <description>IPv4 prefix to ignore</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>IPv6 address to ignore</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 prefix to ignore</description> </valueHelp> <constraint> <validator name="ipv4"/> <validator name="ipv6"/> </constraint> <multi/> </properties> </leafNode> <tagNode name="interface"> <properties> <help>Interface to use for syncing conntrack entries</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces --bridgeable</script> </completionHelp> </properties> <children> <leafNode name="peer"> <properties> <help>IP address of 
the peer to send the UDP conntrack info too. This disable multicast.</help> <valueHelp> <format>ipv4</format> <description>IP address to listen for incoming connections</description> </valueHelp> <constraint> <validator name="ipv4-address"/> </constraint> </properties> </leafNode> #include <include/port-number.xml.i> </children> </tagNode> #include <include/listen-address-ipv4.xml.i> <leafNode name="mcast-group"> <properties> <help>Multicast group to use for syncing conntrack entries</help> <constraint> <validator name="ipv4-multicast"/> </constraint> </properties> <defaultValue>225.0.0.50</defaultValue> </leafNode> <leafNode name="sync-queue-size"> <properties> <help>Queue size for syncing conntrack entries</help> <valueHelp> <format>u32</format> <description>Queue size in MB</description> </valueHelp> </properties> <defaultValue>1</defaultValue> </leafNode> </children> </node> </children> </node> </interfaceDefinition>
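Review bot: The new `startup-resync` leafNode is inserted between `expect-sync` and `failover-mechanism`, but every other child of `conntrack-sync` in this file is kept in alphabetical order (accept-protocol through sync-queue-size); move the block so it sits between `mcast-group` and `sync-queue-size` to keep that convention. Its help text matches the option's documented purpose, so no wording change is needed there. While here, the `constraintErrorMessage` for `accept-protocol` on the new side still reads `Allowed protocols: tcp udp icmp or sctp` although the regex directly above it also accepts icmp6 and dccp; `Allowed protocols: tcp udp icmp icmp6 sctp or dccp` would match the constraint.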