network/roles/firewall/templates/conntrackd.conf.j2

{% set fw = inventory_hostname.split('-')[1]|int -%}

Sync {
	Mode FTFW {
	     # Add received rules immediately so we don’t need a
	     # signal on failover.
	     DisableExternalCache On
	}

	UDP {
		Interface {{ iface_sync }}
		IPv6_address fe80::{{ fw }}
		IPv6_Destination_Address fe80::{{ 2 if fw == 1 else 1 }}
		Port 3780

		# Recommended by manual.
		Checksum on
		RcvSocketBuffer 1249280
		SndSocketBuffer 1249280
	}

	#Options {
	#	TCPWindowTracking Off
	#}
}

General {
	UNIX {
		Path /var/run/conntrackd.ctl
	}
	Syslog on

	# Recommended by manual.
	HashLimit 524288
	NetlinkBufferSize 2097152
	NetlinkBufferSizeMaxGrowth 8388608

	Filter From Kernelspace {
		# Don’t replicate rules for traffic from/to firewall.
		Address Ignore {
			IPv4_address 127.0.0.1/8
			IPv6_address ::1/128
			IPv6_address fe80::/64 # link-local addresses
			IPv4_address {{ wg_ip }}
{% for address in interfaces | map(attribute='ip_addresses') | flatten | sort(attribute='address') %}
			IPv{{ address.family.value }}_address {{ address.address }}
{% endfor %}
		}
	}
}
Initial commit, squashed 2023-12-18 10:22:14 +00:00			`{% set fw = inventory_hostname.split('-')[1]\|int -%}`

			`Sync {`
			`Mode FTFW {`
			`# Add received rules immediately so we don’t need a`
			`# signal on failover.`
			`DisableExternalCache On`
			`}`

			`UDP {`
			`Interface {{ iface_sync }}`
			`IPv6_address fe80::{{ fw }}`
			`IPv6_Destination_Address fe80::{{ 2 if fw == 1 else 1 }}`
			`Port 3780`

			`# Recommended by manual.`
			`Checksum on`
			`RcvSocketBuffer 1249280`
			`SndSocketBuffer 1249280`
			`}`

			`#Options {`
			`# TCPWindowTracking Off`
			`#}`
			`}`

			`General {`
			`UNIX {`
			`Path /var/run/conntrackd.ctl`
			`}`
			`Syslog on`

			`# Recommended by manual.`
			`HashLimit 524288`
			`NetlinkBufferSize 2097152`
			`NetlinkBufferSizeMaxGrowth 8388608`

			`Filter From Kernelspace {`
			`# Don’t replicate rules for traffic from/to firewall.`
			`Address Ignore {`
			`IPv4_address 127.0.0.1/8`
			`IPv6_address ::1/128`
			`IPv6_address fe80::/64 # link-local addresses`
			`IPv4_address {{ wg_ip }}`
			`{% for address in interfaces \| map(attribute='ip_addresses') \| flatten \| sort(attribute='address') %}`
			`IPv{{ address.family.value }}_address {{ address.address }}`
			`{% endfor %}`
			`}`
			`}`
			`}`