conntrackd - netfilter connection tracking user-space daemon
conntrackd is the user-space daemon for the netfilter connection tracking
system. This daemon synchronizes connection tracking states between several
replica firewalls. Thus, conntrackd can be used to deploy highly
available stateful firewalls.
The daemon supports Primary-Backup and Multiprimary setups and can also be used
as a statistics collector.
The options recognized by conntrackd can be divided into two different groups.
General options for the conntrackd daemon:
- -d
- Run conntrackd in daemon mode (fork to background).
- -C <path>
- Load config file specified in path. See
conntrackd.conf(5) for details.
- -v
- Display version information.
- -h
- Display help information.
conntrackd can be used in client mode to request information from, and
operations on, a running instance of the daemon.
- -i [ct|expect]
- Dump the internal cache, i.e. show local states
- -e [ct|expect]
- Dump the external cache, i.e. show foreign states
- -x
- Display output in XML format. This option is only valid in
combination with the -i and -e parameters.
- -f [internal|external]
- Flush the internal and/or external cache
- -F [ct|expect]
- Flush the kernel conntrack table (if you use a Linux kernel
>= 2.6.29, this option will not flush your internal and external caches).
- -c
- Commit external cache to conntrack table.
- -B
- Force a bulk send to other replica firewalls. With this
command, you ask conntrackd to send the state entries that it owns to
the other replica firewalls.
- -n
- Request resync with other node (only FT-FW and NOTRACK modes).
- -k
- Kill the daemon.
- -s
- Dump statistics. If no parameter is passed, it displays the general statistics.
If "network" is passed as parameter, it displays the networking statistics.
If "cache" is passed as parameter, it shows the extended cache statistics.
If "runtime" is passed as parameter, it shows the run-time statistics.
If "process" is passed as parameter, it shows existing child
processes (if any).
If "queue" is passed as parameter, it shows queue statistics.
If "ct" is passed, it displays the general statistics.
If "expect" is passed as parameter, it shows expectation statistics.
- -R [ct|expect]
- Force a resync against the kernel connection tracking table.
- -t
- Reset the in-kernel timers (see the PurgeTimeout clause).
The exit code is 0 for correct function. Errors cause an exit code of 1.
The following examples are illustrative; for real use in a firewall fail-over,
check the primary-backup.sh script that comes with the sources.
- conntrackd -d
- Runs conntrackd in daemon and synchronization mode
- conntrackd -i
- Dumps the states held in the internal cache, i.e. those
handled by this firewall
- conntrackd -e
- Dumps the states held in the external cache, i.e. those
handled by other replica firewalls
- conntrackd -c
- Commits the external cache into the kernel connection
tracking system. This is used to inject the state so that the connections
can be recovered during the failover.
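The fail-over sequence that the -c, -f, -R, -B, -t and -n commands are combined into, as an added illustration that is neither the page's own code nor the project's primary-backup.sh: on promotion to primary the external cache is committed to the kernel before anything is flushed or resynced, and on demotion to backup the kernel timers are shortened and the peer is asked for a resync. The CONNTRACKD and CONNTRACKD_CONFIG variables and the failover_plan/run_transition function names are assumptions.

```shell
#!/bin/sh
# Added example (not the project's primary-backup.sh). CONNTRACKD and
# CONNTRACKD_CONFIG are assumed variable names; override them from the environment.
CONNTRACKD="${CONNTRACKD:-conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"

# Print, one per line, the client-mode flags to run for a role transition.
# Order matters: on the new primary the external cache is committed to the
# kernel (-c) BEFORE the caches are flushed (-f); flushing first would throw
# away the states learnt from the old primary and drop established flows.
failover_plan() {
    case "$1" in
        primary)
            # -c commit foreign states, -f flush caches, -R resync from the
            # kernel table, -B bulk-send what this node now owns to the peers
            printf '%s\n' -c -f -R -B ;;
        backup)
            # -t shorten in-kernel timers (PurgeTimeout), -n ask the new
            # primary for a full resync (FT-FW and NOTRACK modes only)
            printf '%s\n' -t -n ;;
        *)
            echo "unknown role: $1" >&2
            return 1 ;;
    esac
}

# Run the plan against the live daemon, stopping at the first failing command
# (conntrackd exits 1 on error, so a half-applied transition is not hidden).
run_transition() {
    plan=$(failover_plan "$1") || return 1
    for flag in $plan; do
        "$CONNTRACKD" -C "$CONNTRACKD_CONFIG" "$flag" || {
            echo "conntrackd $flag failed while becoming $1" >&2
            return 1
        }
    done
}

# Usage: ./failover.sh primary|backup (typically invoked by the VRRP/keepalived
# notify hook when the virtual address moves)
if [ $# -gt 0 ]; then
    run_transition "$1"
fi
```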
This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking
support requires >= 2.6.22, otherwise you have to disable it. Helpers are
fully supported since >= 2.6.25; however, if you use any previous version,
depending on the protocol helper and your setup (e.g. whether your setup performs
NAT sequence adjustments or not), your helped connection may be successfully
recovered.
There are several unsupported stateful iptables matches such as recent,
connbytes and the quota matches which gather internal information to operate.
Since that information does not belong to the domain of the connection
tracking system, connections affected by those matches may not be fully
recovered during the takeover.
The daemon requires a Linux kernel version >= 2.6.26 to support kernel-space
event filtering. Otherwise, all the event filtering is done in userspace with
the corresponding extra overhead. If you are not using the Filter clause in
the configuration file, ignore this notice.
Starting with the 1.4.4 release, conntrackd includes integration with systemd,
which makes it possible to use a unit file of Type=notify.
The daemon should be configured at build time to include such support and
the configuration file should contain Systemd on.
During the 0.9.9 development, some important changes in the replication message
format were introduced. Therefore, conntrackd >= 0.9.9 will not work
appropriately with earlier conntrackd releases.
This should not be a problem if you use the same conntrackd version in all the
firewall replica nodes.
conntrackd.conf(5) conntrack(8) iptables(8) nft(8)
Please report them to firstname.lastname@example.org (subscription required)
or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).
Pablo Neira Ayuso wrote and maintains the conntrackd tool.
Man page written by Pablo Neira Ayuso <email@example.com>.