diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 554512f4d..cd6c34ede 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,9 +1,10 @@
# Autogenerated by system_conntrack.py
{# all values have defaults - thus no checking required #}
net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
net.netfilter.nf_conntrack_max = {{ table_size }}
net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }}
net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }}
net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }}
-net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
\ No newline at end of file
+net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
+net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }}
\ No newline at end of file
diff --git a/debian/control b/debian/control
index c11e6abef..d3f5fb464 100644
--- a/debian/control
+++ b/debian/control
@@ -1,379 +1,380 @@
Source: vyos-1x
Section: contrib/net
Priority: extra
Maintainer: VyOS Package Maintainers <maintainers@vyos.net>
Build-Depends:
debhelper (>= 9),
dh-python,
fakeroot,
gcc,
iproute2,
libvyosconfig0 (>= 0.0.7),
libzmq3-dev,
python3 (>= 3.10),
# For QA
pylint,
# For generating command definitions
python3-lxml,
python3-xmltodict,
# For running tests
python3-coverage,
python3-hurry.filesize,
python3-netaddr,
python3-netifaces,
python3-nose,
python3-jinja2,
python3-paramiko,
python3-passlib,
python3-psutil,
python3-requests,
python3-setuptools,
python3-tabulate,
python3-zmq,
quilt,
whois
Standards-Version: 3.9.6
Package: vyos-1x
Architecture: amd64 arm64
Pre-Depends:
libpam-runtime [amd64],
libnss-tacplus [amd64],
libpam-tacplus [amd64],
libpam-radius-auth [amd64]
Depends:
## Fundamentals
${python3:Depends} (>= 3.10),
dialog,
libvyosconfig0,
libpam-cap,
bash-completion,
ipvsadm,
udev,
less,
at,
rsync,
vyatta-bash,
vyatta-biosdevname,
vyatta-cfg,
vyos-http-api-tools,
vyos-utils,
## End of Fundamentals
## Python libraries used in multiple modules and scripts
python3,
python3-cryptography,
python3-hurry.filesize,
python3-inotify,
python3-jinja2,
python3-jmespath,
python3-netaddr,
python3-netifaces,
python3-paramiko,
python3-passlib,
+ python3-pyroute2,
python3-psutil,
python3-pyhumps,
python3-pystache,
python3-pyudev,
python3-six,
python3-tabulate,
python3-voluptuous,
python3-xmltodict,
python3-zmq,
## End of Python libraries
## Basic System services and utilities
coreutils,
sudo,
systemd,
bsdmainutils,
openssl,
curl,
dbus,
file,
iproute2 (>= 6.0.0),
linux-cpupower,
# ipaddrcheck is widely used in IP value validators
ipaddrcheck,
ethtool,
lm-sensors,
procps,
netplug,
sed,
ssl-cert,
tuned,
beep,
wide-dhcpv6-client,
# Generic colorizer
grc,
## End of System services and utilities
## For the installer
fdisk,
gdisk,
mdadm,
efibootmgr,
libefivar1,
dosfstools,
grub-efi-amd64-bin [amd64],
grub-efi-arm64-bin [arm64],
# Image signature verification tool
minisign,
# Live filesystem tools
squashfs-tools,
fuse-overlayfs,
## End installer
auditd,
iputils-arping,
iputils-ping,
isc-dhcp-client,
# For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
accel-ppp,
# End "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
avahi-daemon,
conntrack,
conntrackd,
## Conf mode features
# For "interfaces wireless"
hostapd,
hsflowd,
iw,
wireless-regdb,
wpasupplicant (>= 0.6.7),
# End "interfaces wireless"
# For "interfaces wwan"
modemmanager,
usb-modeswitch,
libqmi-utils,
# End "interfaces wwan"
# For "interfaces openvpn"
openvpn,
openvpn-auth-ldap,
openvpn-auth-radius,
openvpn-otp,
libpam-google-authenticator,
# End "interfaces openvpn"
# For "interfaces wireguard"
wireguard-tools,
qrencode,
# End "interfaces wireguard"
# For "interfaces pppoe"
pppoe,
# End "interfaces pppoe"
# For "interfaces sstpc"
sstp-client,
# End "interfaces sstpc"
# For "protocols *"
frr (>= 9.1),
frr-pythontools,
frr-rpki-rtrlib,
frr-snmp,
# End "protocols *"
# For "protocols nhrp" (part of DMVPN)
opennhrp,
# End "protocols nhrp"
# For "protocols igmp-proxy"
igmpproxy,
# End "protocols igmp-proxy"
# For "pki"
certbot,
# End "pki"
# For "service console-server"
conserver-client,
conserver-server,
console-data,
dropbear,
# End "service console-server"
# For "service aws glb"
aws-gwlbtun,
# For "service dns dynamic"
ddclient (>= 3.11.1),
# End "service dns dynamic"
# # For "service ids"
fastnetmon [amd64],
suricata,
suricata-update,
# End "service ids"
# # For "service ndp-proxy"
ndppd,
# End "service ndp-proxy"
# For "service router-advert"
radvd,
# End "service route-advert"
# For "load-balancing reverse-proxy"
haproxy,
# End "load-balancing reverse-proxy"
# For "load-balancing wan"
vyatta-wanloadbalance,
# End "load-balancing wan"
# For "service dhcp-relay"
isc-dhcp-relay,
# For "service dhcp-server"
kea,
# End "service dhcp-server"
# For "service lldp"
lldpd,
# End "service lldp"
# For "service https"
nginx-light,
# End "service https"
# For "service ssh"
openssh-server,
sshguard,
# End "service ssh"
# For "service salt-minion"
salt-minion,
# End "service salt-minion"
# For "service snmp"
snmp,
snmpd,
# End "service snmp"
# For "service webproxy"
squid,
squidclient,
squidguard,
# End "service webproxy"
# For "service monitoring telegraf"
telegraf (>= 1.20),
# End "service monitoring telegraf"
# For "service monitoring zabbix-agent"
zabbix-agent2,
# End "service monitoring zabbix-agent"
# For "service tftp-server"
tftpd-hpa,
# End "service tftp-server"
# For "service dns forwarding"
pdns-recursor,
# End "service dns forwarding"
# For "service sla owamp"
owamp-client,
owamp-server,
# End "service sla owamp"
# For "service sla twamp"
twamp-client,
twamp-server,
# End "service sla twamp"
# For "service broadcast-relay"
udp-broadcast-relay,
# End "service broadcast-relay"
# For "high-availability vrrp"
keepalived (>=2.0.5),
# End "high-availability-vrrp"
# For "system console"
util-linux,
# End "system console"
# For "system task-scheduler"
cron,
# End "system task-scheduler"
# For "system lcd"
lcdproc,
lcdproc-extra-drivers,
# End "system lcd"
# For "system config-management commit-archive"
git,
# End "system config-management commit-archive"
# For firewall
libndp-tools,
libnetfilter-conntrack3,
libnfnetlink0,
nfct,
nftables (>= 0.9.3),
# For "vpn ipsec"
strongswan (>= 5.9),
strongswan-swanctl (>= 5.9),
charon-systemd,
libcharon-extra-plugins (>=5.9),
libcharon-extauth-plugins (>=5.9),
libstrongswan-extra-plugins (>=5.9),
libstrongswan-standard-plugins (>=5.9),
python3-vici (>= 5.7.2),
# End "vpn ipsec"
# For "nat64"
jool,
# End "nat64"
# For "system conntrack modules rtsp"
nat-rtsp,
# End "system conntrack modules rtsp"
# For "service ntp"
chrony,
# End "system ntp"
# For "vpn openconnect"
ocserv,
# End "vpn openconnect"
# For "system flow-accounting"
pmacct (>= 1.6.0),
# End "system flow-accounting"
# For "system syslog"
rsyslog,
# End "system syslog"
# For "system option keyboard-layout"
kbd,
# End "system option keyboard-layout"
# For "container"
podman (>=4.9.5),
netavark,
aardvark-dns,
# iptables is only used for containers now, not the the firewall CLI
iptables,
# End container
## End Configuration mode
## Operational mode
# Used for hypervisor model in "run show version"
hvinfo,
# For "run traceroute"
traceroute,
# For "run monitor traffic"
tcpdump,
# End "run monitor traffic"
# For "show hardware dmi"
dmidecode,
# For "run show hardware storage smart"
smartmontools,
# For "run show hardware scsi"
lsscsi,
# For "run show hardware pci"
pciutils,
# For "show hardware usb"
usbutils,
# For "run show hardware storage nvme"
nvme-cli,
# For "run monitor bandwidth-test"
iperf,
iperf3,
# End "run monitor bandwidth-test"
# For "run wake-on-lan"
etherwake,
# For "run force ipv6-nd"
ndisc6,
# For "run monitor bandwidth"
bmon,
# For "run format disk"
parted,
# End Operational mode
## TPM tools
cryptsetup,
tpm2-tools,
## End TPM tools
## Optional utilities
easy-rsa,
tcptraceroute,
mtr-tiny,
telnet,
stunnel4,
uidmap
## End optional utilities
Description: VyOS configuration scripts and data
VyOS configuration scripts, interface definitions, and everything
Package: vyos-1x-vmware
Architecture: amd64
Depends:
vyos-1x,
open-vm-tools
Description: VyOS configuration scripts and data for VMware
Adds configuration files required for VyOS running on VMware hosts.
Package: vyos-1x-smoketest
Architecture: all
Depends:
skopeo,
snmp,
vyos-1x
Description: VyOS build sanity checking toolkit
diff --git a/interface-definitions/include/conntrack/log-common.xml.i b/interface-definitions/include/conntrack/log-common.xml.i
deleted file mode 100644
index 38799f8f4..000000000
--- a/interface-definitions/include/conntrack/log-common.xml.i
+++ /dev/null
@@ -1,20 +0,0 @@
-<!-- include start from conntrack/log-common.xml.i -->
-<leafNode name="destroy">
- <properties>
- <help>Log connection deletion</help>
- <valueless/>
- </properties>
-</leafNode>
-<leafNode name="new">
- <properties>
- <help>Log connection creation</help>
- <valueless/>
- </properties>
-</leafNode>
-<leafNode name="update">
- <properties>
- <help>Log connection updates</help>
- <valueless/>
- </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/conntrack/log-protocols.xml.i b/interface-definitions/include/conntrack/log-protocols.xml.i
new file mode 100644
index 000000000..019250760
--- /dev/null
+++ b/interface-definitions/include/conntrack/log-protocols.xml.i
@@ -0,0 +1,26 @@
+<!-- include start from conntrack/log-protocols.xml.i -->
+<leafNode name="icmp">
+ <properties>
+ <help>Log connection tracking events for ICMP</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<leafNode name="other">
+ <properties>
+ <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<leafNode name="tcp">
+ <properties>
+ <help>Log connection tracking events for TCP</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<leafNode name="udp">
+ <properties>
+ <help>Log connection tracking events for UDP</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index 0dfa2ea81..cd59d1308 100644
--- a/interface-definitions/system_conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
@@ -1,518 +1,555 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="system">
<children>
<node name="conntrack" owner="${vyos_conf_scripts_dir}/system_conntrack.py">
<properties>
<help>Connection Tracking Engine Options</help>
<!-- Before NAT and conntrack-sync are configured -->
<priority>218</priority>
</properties>
<children>
<leafNode name="flow-accounting">
<properties>
<help>Enable connection tracking flow accounting</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="expect-table-size">
<properties>
<help>Size of connection tracking expect table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Number of entries allowed in connection tracking expect table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>2048</defaultValue>
</leafNode>
<leafNode name="hash-size">
<properties>
<help>Hash size for connection tracking table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Size of hash to use for connection tracking table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>32768</defaultValue>
</leafNode>
<node name="ignore">
<properties>
<help>Customized rules to ignore selective connection tracking</help>
</properties>
<children>
<node name="ipv4">
<properties>
<help>IPv4 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack ignore rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/source-destination-group-ipv4.xml.i>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
#include <include/ip-protocol.xml.i>
<leafNode name="protocol">
<properties>
<help>Protocol to match (protocol name, number, or "all")</help>
<completionHelp>
<script>${vyos_completion_dir}/list_protocols.sh</script>
<list>all tcp_udp</list>
</completionHelp>
<valueHelp>
<format>all</format>
<description>All IP protocols</description>
</valueHelp>
<valueHelp>
<format>tcp_udp</format>
<description>Both TCP and UDP</description>
</valueHelp>
<valueHelp>
<format>u32:0-255</format>
<description>IP protocol number</description>
</valueHelp>
<valueHelp>
<format><protocol></format>
<description>IP protocol name</description>
</valueHelp>
<valueHelp>
<format>!<protocol></format>
<description>IP protocol name</description>
</valueHelp>
<constraint>
<validator name="ip-protocol"/>
</constraint>
</properties>
</leafNode>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/source-destination-group-ipv4.xml.i>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
</children>
</tagNode>
</children>
</node>
<node name="ipv6">
<properties>
<help>IPv6 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack ignore rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/firewall/source-destination-group-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
#include <include/ip-protocol.xml.i>
<leafNode name="protocol">
<properties>
<help>Protocol to match (protocol name, number, or "all")</help>
<completionHelp>
<script>${vyos_completion_dir}/list_protocols.sh</script>
<list>all tcp_udp</list>
</completionHelp>
<valueHelp>
<format>all</format>
<description>All IP protocols</description>
</valueHelp>
<valueHelp>
<format>tcp_udp</format>
<description>Both TCP and UDP</description>
</valueHelp>
<valueHelp>
<format>u32:0-255</format>
<description>IP protocol number</description>
</valueHelp>
<valueHelp>
<format><protocol></format>
<description>IP protocol name</description>
</valueHelp>
<valueHelp>
<format>!<protocol></format>
<description>IP protocol name</description>
</valueHelp>
<constraint>
<validator name="ip-protocol"/>
</constraint>
</properties>
</leafNode>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/firewall/source-destination-group-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
</children>
</tagNode>
</children>
</node>
</children>
</node>
<node name="log">
<properties>
- <help>Log connection tracking events per protocol</help>
+ <help>Log connection tracking</help>
</properties>
<children>
- <node name="icmp">
+ <node name="event">
<properties>
- <help>Log connection tracking events for ICMP</help>
+ <help>Event type and protocol</help>
</properties>
<children>
- #include <include/conntrack/log-common.xml.i>
+ <node name="destroy">
+ <properties>
+ <help>Log connection deletion</help>
+ </properties>
+ <children>
+ #include <include/conntrack/log-protocols.xml.i>
+ </children>
+ </node>
+ <node name="new">
+ <properties>
+ <help>Log connection creation</help>
+ </properties>
+ <children>
+ #include <include/conntrack/log-protocols.xml.i>
+ </children>
+ </node>
+ <node name="update">
+ <properties>
+ <help>Log connection updates</help>
+ </properties>
+ <children>
+ #include <include/conntrack/log-protocols.xml.i>
+ </children>
+ </node>
</children>
</node>
- <node name="other">
+ <leafNode name="timestamp">
<properties>
- <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help>
+ <help>Log connection tracking events include flow-based timestamp</help>
+ <valueless/>
</properties>
- <children>
- #include <include/conntrack/log-common.xml.i>
- </children>
- </node>
- <node name="tcp">
+ </leafNode>
+ <leafNode name="queue-size">
<properties>
- <help>Log connection tracking events for TCP</help>
+ <help>Internal message queue size</help>
+ <valueHelp>
+ <format>u32:100-999999</format>
+ <description>Queue size</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Queue size must be between 100 and 999999</constraintErrorMessage>
</properties>
- <children>
- #include <include/conntrack/log-common.xml.i>
- </children>
- </node>
- <node name="udp">
+ </leafNode>
+ <leafNode name="log-level">
<properties>
- <help>Log connection tracking events for UDP</help>
+ <help>Set log-level. Log must be enable.</help>
+ <completionHelp>
+ <list>info debug</list>
+ </completionHelp>
+ <valueHelp>
+ <format>info</format>
+ <description>Info log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>debug</format>
+ <description>Debug log level</description>
+ </valueHelp>
+ <constraint>
+ <regex>(info|debug)</regex>
+ </constraint>
</properties>
- <children>
- #include <include/conntrack/log-common.xml.i>
- </children>
- </node>
+ </leafNode>
</children>
</node>
<node name="modules">
<properties>
<help>Connection tracking modules</help>
</properties>
<children>
<leafNode name="ftp">
<properties>
<help>FTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="h323">
<properties>
<help>H.323 connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="nfs">
<properties>
<help>NFS connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="pptp">
<properties>
<help>PPTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="rtsp">
<properties>
<help>RTSP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="sip">
<properties>
<help>SIP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="sqlnet">
<properties>
<help>SQLnet connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="tftp">
<properties>
<help>TFTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="table-size">
<properties>
<help>Size of connection tracking table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Number of entries allowed in connection tracking table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>262144</defaultValue>
</leafNode>
<node name="tcp">
<properties>
<help>TCP options</help>
</properties>
<children>
<leafNode name="half-open-connections">
<properties>
<help>Maximum number of TCP half-open connections</help>
<valueHelp>
<format>u32:1-2147483647</format>
<description>Generic connection timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-2147483647"/>
</constraint>
</properties>
<defaultValue>512</defaultValue>
</leafNode>
<leafNode name="loose">
<properties>
<help>Policy to track previously established connections</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Allow tracking of previously established connections</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Do not allow tracking of previously established connections</description>
</valueHelp>
<constraint>
<regex>(enable|disable)</regex>
</constraint>
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
<leafNode name="max-retrans">
<properties>
<help>Maximum number of packets that can be retransmitted without received an ACK</help>
<valueHelp>
<format>u32:1-255</format>
<description>Number of packets to be retransmitted</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
</children>
</node>
<node name="timeout">
<properties>
<help>Connection timeout options</help>
</properties>
<children>
<node name="custom">
<properties>
<help>Define custom timeouts per connection</help>
</properties>
<children>
<node name="ipv4">
<properties>
<help>IPv4 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to apply custom connection timers on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-custom-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
<node name="ipv6">
<properties>
<help>IPv6 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to apply custom connection timers on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-custom-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index 3ae7b6217..c07fdce77 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -1,284 +1,317 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.firewall import find_nftables_rule
-from vyos.utils.file import read_file
+from vyos.utils.file import read_file, read_json
base_path = ['system', 'conntrack']
def get_sysctl(parameter):
tmp = parameter.replace(r'.', r'/')
return read_file(f'/proc/sys/{tmp}')
+def get_logger_config():
+ return read_json('/run/vyos-conntrack-logger.conf')
+
class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
super(TestSystemConntrack, cls).setUpClass()
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, base_path)
def tearDown(self):
self.cli_delete(base_path)
self.cli_commit()
def test_conntrack_options(self):
conntrack_config = {
'net.netfilter.nf_conntrack_expect_max' : {
'cli' : ['expect-table-size'],
'test_value' : '8192',
'default_value' : '2048',
},
'net.nf_conntrack_max' :{
'cli' : ['table-size'],
'test_value' : '500000',
'default_value' : '262144',
},
'net.ipv4.tcp_max_syn_backlog' :{
'cli' : ['tcp', 'half-open-connections'],
'test_value' : '2048',
'default_value' : '512',
},
'net.netfilter.nf_conntrack_tcp_loose' :{
'cli' : ['tcp', 'loose'],
'test_value' : 'disable',
'default_value' : '1',
},
'net.netfilter.nf_conntrack_tcp_max_retrans' :{
'cli' : ['tcp', 'max-retrans'],
'test_value' : '128',
'default_value' : '3',
},
}
for parameter, parameter_config in conntrack_config.items():
self.cli_set(base_path + parameter_config['cli'] + [parameter_config['test_value']])
# commit changes
self.cli_commit()
# validate configuration
for parameter, parameter_config in conntrack_config.items():
tmp = parameter_config['test_value']
# net.netfilter.nf_conntrack_tcp_loose has a fancy "disable" value,
# make this work
if tmp == 'disable':
tmp = '0'
self.assertEqual(get_sysctl(f'{parameter}'), tmp)
# delete all configuration options and revert back to defaults
self.cli_delete(base_path)
self.cli_commit()
# validate configuration
for parameter, parameter_config in conntrack_config.items():
self.assertEqual(get_sysctl(f'{parameter}'), parameter_config['default_value'])
def test_conntrack_module_enable(self):
# conntrack helper modules are disabled by default
modules = {
'ftp': {
'driver': ['nf_nat_ftp', 'nf_conntrack_ftp'],
'nftables': ['ct helper set "ftp_tcp"']
},
'h323': {
'driver': ['nf_nat_h323', 'nf_conntrack_h323'],
'nftables': ['ct helper set "ras_udp"',
'ct helper set "q931_tcp"']
},
'nfs': {
'nftables': ['ct helper set "rpc_tcp"',
'ct helper set "rpc_udp"']
},
'pptp': {
'driver': ['nf_nat_pptp', 'nf_conntrack_pptp'],
'nftables': ['ct helper set "pptp_tcp"']
},
'rtsp': {
'driver': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
'nftables': ['ct helper set "rtsp_tcp"']
},
'sip': {
'driver': ['nf_nat_sip', 'nf_conntrack_sip'],
'nftables': ['ct helper set "sip_tcp"',
'ct helper set "sip_udp"']
},
'sqlnet': {
'nftables': ['ct helper set "tns_tcp"']
},
'tftp': {
'driver': ['nf_nat_tftp', 'nf_conntrack_tftp'],
'nftables': ['ct helper set "tftp_udp"']
},
}
# load modules
for module in modules:
self.cli_set(base_path + ['modules', module])
# commit changes
self.cli_commit()
# verify modules are loaded on the system
for module, module_options in modules.items():
if 'driver' in module_options:
for driver in module_options['driver']:
self.assertTrue(os.path.isdir(f'/sys/module/{driver}'))
if 'nftables' in module_options:
for rule in module_options['nftables']:
self.assertTrue(find_nftables_rule('ip vyos_conntrack', 'VYOS_CT_HELPER', [rule]) != None)
# unload modules
for module in modules:
self.cli_delete(base_path + ['modules', module])
# commit changes
self.cli_commit()
# verify modules are not loaded on the system
for module, module_options in modules.items():
if 'driver' in module_options:
for driver in module_options['driver']:
self.assertFalse(os.path.isdir(f'/sys/module/{driver}'))
if 'nftables' in module_options:
for rule in module_options['nftables']:
self.assertTrue(find_nftables_rule('ip vyos_conntrack', 'VYOS_CT_HELPER', [rule]) == None)
def test_conntrack_hash_size(self):
hash_size = '65536'
hash_size_default = '32768'
self.cli_set(base_path + ['hash-size', hash_size])
# commit changes
self.cli_commit()
# verify new configuration - only effective after reboot, but
# a valid config file is sufficient
tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
self.assertIn(hash_size, tmp)
# Test default value by deleting the configuration
self.cli_delete(base_path + ['hash-size'])
# commit changes
self.cli_commit()
# verify new configuration - only effective after reboot, but
# a valid config file is sufficient
tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
self.assertIn(hash_size_default, tmp)
def test_conntrack_ignore(self):
address_group = 'conntracktest'
address_group_member = '192.168.0.1'
ipv6_address_group = 'conntracktest6'
ipv6_address_group_member = 'dead:beef::1'
self.cli_set(['firewall', 'group', 'address-group', address_group, 'address', address_group_member])
self.cli_set(['firewall', 'group', 'ipv6-address-group', ipv6_address_group, 'address', ipv6_address_group_member])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'source', 'address', '192.0.2.1'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'destination', 'address', '192.0.2.2'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'destination', 'port', '22'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'protocol', 'tcp'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'tcp', 'flags', 'syn'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'source', 'address', '192.0.2.1'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'destination', 'group', 'address-group', address_group])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'source', 'address', 'fe80::1'])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'destination', 'address', 'fe80::2'])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'destination', 'port', '22'])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'protocol', 'tcp'])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '12', 'source', 'address', 'fe80::1'])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '12', 'destination', 'group', 'address-group', ipv6_address_group])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '13', 'source', 'address', 'fe80::1'])
self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '13', 'destination', 'address', '!fe80::3'])
self.cli_commit()
nftables_search = [
['ip saddr 192.0.2.1', 'ip daddr 192.0.2.2', 'tcp dport 22', 'tcp flags & syn == syn', 'notrack'],
['ip saddr 192.0.2.1', 'ip daddr @A_conntracktest', 'notrack']
]
nftables6_search = [
['ip6 saddr fe80::1', 'ip6 daddr fe80::2', 'tcp dport 22', 'notrack'],
['ip6 saddr fe80::1', 'ip6 daddr @A6_conntracktest6', 'notrack'],
['ip6 saddr fe80::1', 'ip6 daddr != fe80::3', 'notrack']
]
self.verify_nftables(nftables_search, 'ip vyos_conntrack')
self.verify_nftables(nftables6_search, 'ip6 vyos_conntrack')
self.cli_delete(['firewall'])
def test_conntrack_timeout_custom(self):
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'source', 'address', '192.0.2.1'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'destination', 'address', '192.0.2.2'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'destination', 'port', '22'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'protocol', 'tcp', 'syn-sent', '77'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'protocol', 'tcp', 'close', '88'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'protocol', 'tcp', 'established', '99'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '2', 'inbound-interface', 'eth1'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '2', 'source', 'address', '198.51.100.1'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '2', 'protocol', 'udp', 'unreplied', '55'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'source', 'address', '2001:db8::1'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'inbound-interface', 'eth2'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'protocol', 'tcp', 'time-wait', '22'])
self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'protocol', 'tcp', 'last-ack', '33'])
self.cli_commit()
nftables_search = [
['ct timeout ct-timeout-1 {'],
['protocol tcp'],
['policy = { syn_sent : 1m17s, established : 1m39s, close : 1m28s }'],
['ct timeout ct-timeout-2 {'],
['protocol udp'],
['policy = { unreplied : 55s }'],
['chain VYOS_CT_TIMEOUT {'],
['ip saddr 192.0.2.1', 'ip daddr 192.0.2.2', 'tcp dport 22', 'ct timeout set "ct-timeout-1"'],
['iifname "eth1"', 'meta l4proto udp', 'ip saddr 198.51.100.1', 'ct timeout set "ct-timeout-2"']
]
nftables6_search = [
['ct timeout ct-timeout-1 {'],
['protocol tcp'],
['policy = { last_ack : 33s, time_wait : 22s }'],
['chain VYOS_CT_TIMEOUT {'],
['iifname "eth2"', 'meta l4proto tcp', 'ip6 saddr 2001:db8::1', 'ct timeout set "ct-timeout-1"']
]
self.verify_nftables(nftables_search, 'ip vyos_conntrack')
self.verify_nftables(nftables6_search, 'ip6 vyos_conntrack')
self.cli_delete(['firewall'])
+
+ def test_conntrack_log(self):
+ expected_config = {
+ 'event': {
+ 'destroy': {},
+ 'new': {},
+ 'update': {},
+ },
+ 'queue_size': '10000'
+ }
+ self.cli_set(base_path + ['log', 'event', 'destroy'])
+ self.cli_set(base_path + ['log', 'event', 'new'])
+ self.cli_set(base_path + ['log', 'event', 'update'])
+ self.cli_set(base_path + ['log', 'queue-size', '10000'])
+ self.cli_commit()
+ self.assertEqual(expected_config, get_logger_config())
+ self.assertEqual('0', get_sysctl('net.netfilter.nf_conntrack_timestamp'))
+
+ for event in ['destroy', 'new', 'update']:
+ for proto in ['icmp', 'other', 'tcp', 'udp']:
+ self.cli_set(base_path + ['log', 'event', event, proto])
+ expected_config['event'][event][proto] = {}
+ self.cli_set(base_path + ['log', 'timestamp'])
+ expected_config['timestamp'] = {}
+ self.cli_commit()
+
+ self.assertEqual(expected_config, get_logger_config())
+ self.assertEqual('1', get_sysctl('net.netfilter.nf_conntrack_timestamp'))
+
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index aa290788c..2529445bf 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -1,256 +1,273 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
+import json
import os
from sys import exit
from vyos.base import Warning
from vyos.config import Config
from vyos.configdep import set_dependents, call_dependents
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_search_args
from vyos.utils.dict import dict_search_recursive
-from vyos.utils.process import cmd
+from vyos.utils.file import write_file
+from vyos.utils.process import cmd, call
from vyos.utils.process import rc_cmd
from vyos.template import render
from vyos import ConfigError
from vyos import airbag
airbag.enable()
conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
nftables_ct_file = r'/run/nftables-ct.conf'
+vyos_conntrack_logger_config = r'/run/vyos-conntrack-logger.conf'
# Every ALG (Application Layer Gateway) consists of either a Kernel Object
# also called a Kernel Module/Driver or some rules present in iptables
module_map = {
'ftp': {
'ko': ['nf_nat_ftp', 'nf_conntrack_ftp'],
'nftables': ['tcp dport {21} ct helper set "ftp_tcp" return']
},
'h323': {
'ko': ['nf_nat_h323', 'nf_conntrack_h323'],
'nftables': ['udp dport {1719} ct helper set "ras_udp" return',
'tcp dport {1720} ct helper set "q931_tcp" return']
},
'nfs': {
'nftables': ['tcp dport {111} ct helper set "rpc_tcp" return',
'udp dport {111} ct helper set "rpc_udp" return']
},
'pptp': {
'ko': ['nf_nat_pptp', 'nf_conntrack_pptp'],
'nftables': ['tcp dport {1723} ct helper set "pptp_tcp" return'],
'ipv4': True
},
'rtsp': {
'ko': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
'nftables': ['tcp dport {554} ct helper set "rtsp_tcp" return'],
'ipv4': True
},
'sip': {
'ko': ['nf_nat_sip', 'nf_conntrack_sip'],
'nftables': ['tcp dport {5060,5061} ct helper set "sip_tcp" return',
'udp dport {5060,5061} ct helper set "sip_udp" return']
},
'sqlnet': {
'nftables': ['tcp dport {1521,1525,1536} ct helper set "tns_tcp" return']
},
'tftp': {
'ko': ['nf_nat_tftp', 'nf_conntrack_tftp'],
'nftables': ['udp dport {69} ct helper set "tftp_udp" return']
},
}
valid_groups = [
'address_group',
'domain_group',
'network_group',
'port_group'
]
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['system', 'conntrack']
conntrack = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True,
with_recursive_defaults=True)
conntrack['firewall'] = conf.get_config_dict(['firewall'], key_mangling=('-', '_'),
get_first_key=True,
no_tag_node_value_mangle=True)
conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return'
conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return'
conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return'
conntrack['wlb_local_action'] = conf.exists(['load-balancing', 'wan', 'enable-local-traffic'])
conntrack['module_map'] = module_map
if conf.exists(['service', 'conntrack-sync']):
set_dependents('conntrack_sync', conf)
# If conntrack status changes, VRF zone rules need updating
if conf.exists(['vrf']):
set_dependents('vrf', conf)
return conntrack
+
def verify(conntrack):
for inet in ['ipv4', 'ipv6']:
if dict_search_args(conntrack, 'ignore', inet, 'rule') != None:
for rule, rule_config in conntrack['ignore'][inet]['rule'].items():
if dict_search('destination.port', rule_config) or \
dict_search('destination.group.port_group', rule_config) or \
dict_search('source.port', rule_config) or \
dict_search('source.group.port_group', rule_config):
if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
tcp_flags = dict_search_args(rule_config, 'tcp', 'flags')
if tcp_flags:
if dict_search_args(rule_config, 'protocol') != 'tcp':
raise ConfigError('Protocol must be tcp when specifying tcp flags')
not_flags = dict_search_args(rule_config, 'tcp', 'flags', 'not')
if not_flags:
duplicates = [flag for flag in tcp_flags if flag in not_flags]
if duplicates:
raise ConfigError(f'Cannot match a tcp flag as set and not set')
for side in ['destination', 'source']:
if side in rule_config:
side_conf = rule_config[side]
if 'group' in side_conf:
if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1:
raise ConfigError('Only one address-group, network-group or domain-group can be specified')
for group in valid_groups:
if group in side_conf['group']:
group_name = side_conf['group'][group]
error_group = group.replace("_", "-")
if group in ['address_group', 'network_group', 'domain_group']:
if 'address' in side_conf:
raise ConfigError(f'{error_group} and address cannot both be defined')
if group_name and group_name[0] == '!':
group_name = group_name[1:]
if inet == 'ipv6':
group = f'ipv6_{group}'
group_obj = dict_search_args(conntrack['firewall'], 'group', group, group_name)
if group_obj is None:
raise ConfigError(f'Invalid {error_group} "{group_name}" on ignore rule')
if not group_obj:
Warning(f'{error_group} "{group_name}" has no members!')
Warning(f'It is prefered to define {inet} conntrack ignore rules in <firewall {inet} prerouting raw> section')
if dict_search_args(conntrack, 'timeout', 'custom', inet, 'rule') != None:
for rule, rule_config in conntrack['timeout']['custom'][inet]['rule'].items():
if 'protocol' not in rule_config:
raise ConfigError(f'Conntrack custom timeout rule {rule} requires protocol tcp or udp')
else:
if 'tcp' in rule_config['protocol'] and 'udp' in rule_config['protocol']:
raise ConfigError(f'conntrack custom timeout rule {rule} - Cant use both tcp and udp protocol')
return None
def generate(conntrack):
if not os.path.exists(nftables_ct_file):
conntrack['first_install'] = True
+ if 'log' not in conntrack:
+ # Remove old conntrack-logger config and return
+ if os.path.exists(vyos_conntrack_logger_config):
+ os.unlink(vyos_conntrack_logger_config)
+
# Determine if conntrack is needed
conntrack['ipv4_firewall_action'] = 'return'
conntrack['ipv6_firewall_action'] = 'return'
if dict_search_args(conntrack['firewall'], 'global_options', 'state_policy') != None:
conntrack['ipv4_firewall_action'] = 'accept'
conntrack['ipv6_firewall_action'] = 'accept'
else:
for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
if path[0] == 'ipv4':
conntrack['ipv4_firewall_action'] = 'accept'
elif path[0] == 'ipv6':
conntrack['ipv6_firewall_action'] = 'accept'
render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)
render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack)
+
+ if 'log' in conntrack:
+ log_conf_json = json.dumps(conntrack['log'], indent=4)
+ write_file(vyos_conntrack_logger_config, log_conf_json)
+
return None
def apply(conntrack):
# Depending on the enable/disable state of the ALG (Application Layer Gateway)
# modules we need to either insmod or rmmod the helpers.
add_modules = []
rm_modules = []
for module, module_config in module_map.items():
if dict_search_args(conntrack, 'modules', module) is None:
if 'ko' in module_config:
unloaded = [mod for mod in module_config['ko'] if os.path.exists(f'/sys/module/{mod}')]
rm_modules.extend(unloaded)
else:
if 'ko' in module_config:
add_modules.extend(module_config['ko'])
# Add modules before nftables uses them
if add_modules:
module_str = ' '.join(add_modules)
cmd(f'modprobe -a {module_str}')
# Load new nftables ruleset
install_result, output = rc_cmd(f'nft --file {nftables_ct_file}')
if install_result == 1:
raise ConfigError(f'Failed to apply configuration: {output}')
# Remove modules after nftables stops using them
if rm_modules:
module_str = ' '.join(rm_modules)
cmd(f'rmmod {module_str}')
try:
call_dependents()
except ConfigError:
# Ignore config errors on dependent due to being called too early. Example:
# ConfigError("ConfigError('Interface ethN requires an IP address!')")
pass
# We silently ignore all errors
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080
cmd(f'sysctl -f {sysctl_file}')
+ if 'log' in conntrack:
+ call(f'systemctl restart vyos-conntrack-logger.service')
+
return None
+
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)
diff --git a/src/services/vyos-conntrack-logger b/src/services/vyos-conntrack-logger
new file mode 100755
index 000000000..9c31b465f
--- /dev/null
+++ b/src/services/vyos-conntrack-logger
@@ -0,0 +1,458 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import argparse
+import grp
+import logging
+import multiprocessing
+import os
+import queue
+import signal
+import socket
+import threading
+from datetime import timedelta
+from pathlib import Path
+from time import sleep
+from typing import Dict, AnyStr
+
+from pyroute2 import conntrack
+from pyroute2.netlink import nfnetlink
+from pyroute2.netlink.nfnetlink import NFNL_SUBSYS_CTNETLINK
+from pyroute2.netlink.nfnetlink.nfctsocket import nfct_msg, \
+ IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, IPS_SEEN_REPLY, \
+ IPS_OFFLOAD, IPS_ASSURED
+
+from vyos.utils.file import read_json
+
+
+shutdown_event = multiprocessing.Event()
+
+logging.basicConfig(level=logging.INFO, format='%(message)s')
+logger = logging.getLogger(__name__)
+
+
+class DebugFormatter(logging.Formatter):
+ def format(self, record):
+ self._style._fmt = '[%(asctime)s] %(levelname)s: %(message)s'
+ return super().format(record)
+
+
+def set_log_level(level: str) -> None:
+ if level == 'debug':
+ logger.setLevel(logging.DEBUG)
+ logger.parent.handlers[0].setFormatter(DebugFormatter())
+ else:
+ logger.setLevel(logging.INFO)
+
+
+EVENT_NAME_TO_GROUP = {
+ 'new': nfnetlink.NFNLGRP_CONNTRACK_NEW,
+ 'update': nfnetlink.NFNLGRP_CONNTRACK_UPDATE,
+ 'destroy': nfnetlink.NFNLGRP_CONNTRACK_DESTROY
+}
+
+# https://github.com/torvalds/linux/blob/1dfe225e9af5bd3399a1dbc6a4df6a6041ff9c23/include/uapi/linux/netfilter/nf_conntrack_tcp.h#L9
+TCP_CONNTRACK_SYN_SENT = 1
+TCP_CONNTRACK_SYN_RECV = 2
+TCP_CONNTRACK_ESTABLISHED = 3
+TCP_CONNTRACK_FIN_WAIT = 4
+TCP_CONNTRACK_CLOSE_WAIT = 5
+TCP_CONNTRACK_LAST_ACK = 6
+TCP_CONNTRACK_TIME_WAIT = 7
+TCP_CONNTRACK_CLOSE = 8
+TCP_CONNTRACK_LISTEN = 9
+TCP_CONNTRACK_MAX = 10
+TCP_CONNTRACK_IGNORE = 11
+TCP_CONNTRACK_RETRANS = 12
+TCP_CONNTRACK_UNACK = 13
+TCP_CONNTRACK_TIMEOUT_MAX = 14
+
+TCP_CONNTRACK_TO_NAME = {
+ TCP_CONNTRACK_SYN_SENT: "SYN_SENT",
+ TCP_CONNTRACK_SYN_RECV: "SYN_RECV",
+ TCP_CONNTRACK_ESTABLISHED: "ESTABLISHED",
+ TCP_CONNTRACK_FIN_WAIT: "FIN_WAIT",
+ TCP_CONNTRACK_CLOSE_WAIT: "CLOSE_WAIT",
+ TCP_CONNTRACK_LAST_ACK: "LAST_ACK",
+ TCP_CONNTRACK_TIME_WAIT: "TIME_WAIT",
+ TCP_CONNTRACK_CLOSE: "CLOSE",
+ TCP_CONNTRACK_LISTEN: "LISTEN",
+ TCP_CONNTRACK_MAX: "MAX",
+ TCP_CONNTRACK_IGNORE: "IGNORE",
+ TCP_CONNTRACK_RETRANS: "RETRANS",
+ TCP_CONNTRACK_UNACK: "UNACK",
+ TCP_CONNTRACK_TIMEOUT_MAX: "TIMEOUT_MAX",
+}
+
+# https://github.com/torvalds/linux/blob/1dfe225e9af5bd3399a1dbc6a4df6a6041ff9c23/include/uapi/linux/netfilter/nf_conntrack_sctp.h#L8
+SCTP_CONNTRACK_CLOSED = 1
+SCTP_CONNTRACK_COOKIE_WAIT = 2
+SCTP_CONNTRACK_COOKIE_ECHOED = 3
+SCTP_CONNTRACK_ESTABLISHED = 4
+SCTP_CONNTRACK_SHUTDOWN_SENT = 5
+SCTP_CONNTRACK_SHUTDOWN_RECD = 6
+SCTP_CONNTRACK_SHUTDOWN_ACK_SENT = 7
+SCTP_CONNTRACK_HEARTBEAT_SENT = 8
+SCTP_CONNTRACK_HEARTBEAT_ACKED = 9 # no longer used
+SCTP_CONNTRACK_MAX = 10
+
+SCTP_CONNTRACK_TO_NAME = {
+ SCTP_CONNTRACK_CLOSED: 'CLOSED',
+ SCTP_CONNTRACK_COOKIE_WAIT: 'COOKIE_WAIT',
+ SCTP_CONNTRACK_COOKIE_ECHOED: 'COOKIE_ECHOED',
+ SCTP_CONNTRACK_ESTABLISHED: 'ESTABLISHED',
+ SCTP_CONNTRACK_SHUTDOWN_SENT: 'SHUTDOWN_SENT',
+ SCTP_CONNTRACK_SHUTDOWN_RECD: 'SHUTDOWN_RECD',
+ SCTP_CONNTRACK_SHUTDOWN_ACK_SENT: 'SHUTDOWN_ACK_SENT',
+ SCTP_CONNTRACK_HEARTBEAT_SENT: 'HEARTBEAT_SENT',
+ SCTP_CONNTRACK_HEARTBEAT_ACKED: 'HEARTBEAT_ACKED',
+ SCTP_CONNTRACK_MAX: 'MAX',
+}
+
+PROTO_CONNTRACK_TO_NAME = {
+ 'TCP': TCP_CONNTRACK_TO_NAME,
+ 'SCTP': SCTP_CONNTRACK_TO_NAME
+}
+
+SUPPORTED_PROTO_TO_NAME = {
+ socket.IPPROTO_ICMP: 'icmp',
+ socket.IPPROTO_TCP: 'tcp',
+ socket.IPPROTO_UDP: 'udp',
+}
+
+PROTO_TO_NAME = {
+ socket.IPPROTO_ICMPV6: 'icmpv6',
+ socket.IPPROTO_SCTP: 'sctp',
+ socket.IPPROTO_GRE: 'gre',
+}
+
+PROTO_TO_NAME.update(SUPPORTED_PROTO_TO_NAME)
+
+
+def sig_handler(signum, frame):
+ process_name = multiprocessing.current_process().name
+ logger.debug(f'[{process_name}]: {"Shutdown" if signum == signal.SIGTERM else "Reload"} signal received...')
+ shutdown_event.set()
+
+
+def format_flow_data(data: Dict) -> AnyStr:
+ """
+ Formats the flow event data into a string suitable for logging.
+ """
+ key_format = {
+ 'SRC_PORT': 'sport',
+ 'DST_PORT': 'dport'
+ }
+ message = f"src={data['ADDR'].get('SRC')} dst={data['ADDR'].get('DST')}"
+
+ for key in ['SRC_PORT', 'DST_PORT', 'TYPE', 'CODE', 'ID']:
+ tmp = data['PROTO'].get(key)
+ if tmp is not None:
+ key = key_format.get(key, key)
+ message += f" {key.lower()}={tmp}"
+
+ if 'COUNTERS' in data:
+ for key in ['PACKETS', 'BYTES']:
+ tmp = data['COUNTERS'].get(key)
+ if tmp is not None:
+ message += f" {key.lower()}={tmp}"
+
+ return message
+
+
+def format_event_message(event: Dict) -> AnyStr:
+ """
+ Formats the internal parsed event data into a string suitable for logging.
+ """
+ event_type = f"[{event['COMMON']['EVENT_TYPE'].upper()}]"
+ message = f"{event_type:<{9}} {event['COMMON']['ID']} " \
+ f"{event['ORIG']['PROTO'].get('NAME'):<{8}} " \
+ f"{event['ORIG']['PROTO'].get('NUMBER')} "
+
+ tmp = event['COMMON']['TIME_OUT']
+ if tmp is not None: message += f"{tmp} "
+
+ if proto_info := event['COMMON'].get('PROTO_INFO'):
+ message += f"{proto_info.get('STATE_NAME')} "
+
+ for key in ['ORIG', 'REPLY']:
+ message += f"{format_flow_data(event[key])} "
+ if key == 'ORIG' and not (event['COMMON']['STATUS'] & IPS_SEEN_REPLY):
+ message += f"[UNREPLIED] "
+
+ tmp = event['COMMON']['MARK']
+ if tmp is not None: message += f"mark={tmp} "
+
+ if event['COMMON']['STATUS'] & IPS_OFFLOAD: message += f" [OFFLOAD] "
+ elif event['COMMON']['STATUS'] & IPS_ASSURED: message += f" [ASSURED] "
+
+ if tmp := event['COMMON']['PORTID']: message += f"portid={tmp} "
+ if tstamp := event['COMMON'].get('TIMESTAMP'):
+ message += f"start={tstamp['START']} stop={tstamp['STOP']} "
+ delta_ns = tstamp['STOP'] - tstamp['START']
+ delta_s = delta_ns // 1e9
+ remaining_ns = delta_ns % 1e9
+ delta = timedelta(seconds=delta_s, microseconds=remaining_ns / 1000)
+ message += f"delta={delta.total_seconds()} "
+
+ return message
+
+
+def parse_event_type(header: Dict) -> AnyStr:
+ """
+ Extract event type from nfct_msg. new, update, destroy
+ """
+ event_type = 'unknown'
+ if header['type'] == IPCTNL_MSG_CT_DELETE | (NFNL_SUBSYS_CTNETLINK << 8):
+ event_type = 'destroy'
+ elif header['type'] == IPCTNL_MSG_CT_NEW | (NFNL_SUBSYS_CTNETLINK << 8):
+ event_type = 'update'
+ if header['flags']:
+ event_type = 'new'
+ return event_type
+
+
+def parse_proto(cta: nfct_msg.cta_tuple) -> Dict:
+ """
+ Extract proto info from nfct_msg. src/dst port, code, type, id
+ """
+ data = dict()
+
+ cta_proto = cta.get_attr('CTA_TUPLE_PROTO')
+ proto_num = cta_proto.get_attr('CTA_PROTO_NUM')
+
+ data['NUMBER'] = proto_num
+ data['NAME'] = PROTO_TO_NAME.get(proto_num, 'unknown')
+
+ if proto_num in (socket.IPPROTO_ICMP, socket.IPPROTO_ICMPV6):
+ pref = 'CTA_PROTO_ICMP'
+ if proto_num == socket.IPPROTO_ICMPV6: pref += 'V6'
+ keys = ['TYPE', 'CODE', 'ID']
+ else:
+ pref = 'CTA_PROTO'
+ keys = ['SRC_PORT', 'DST_PORT']
+
+ for key in keys:
+ data[key] = cta_proto.get_attr(f'{pref}_{key}')
+
+ return data
+
+
+def parse_proto_info(cta: nfct_msg.cta_protoinfo) -> Dict:
+ """
+ Extract proto state and state name from nfct_msg
+ """
+ data = dict()
+ if not cta:
+ return data
+
+ for proto in ['TCP', 'SCTP']:
+ if proto_info := cta.get_attr(f'CTA_PROTOINFO_{proto}'):
+ data['STATE'] = proto_info.get_attr(f'CTA_PROTOINFO_{proto}_STATE')
+ data['STATE_NAME'] = PROTO_CONNTRACK_TO_NAME.get(proto, {}).get(data['STATE'], 'unknown')
+ return data
+
+
+def parse_timestamp(cta: nfct_msg.cta_timestamp) -> Dict:
+ """
+ Extract timestamp from nfct_msg
+ """
+ data = dict()
+ if not cta:
+ return data
+ data['START'] = cta.get_attr('CTA_TIMESTAMP_START')
+ data['STOP'] = cta.get_attr('CTA_TIMESTAMP_STOP')
+
+ return data
+
+
+def parse_ip_addr(family: int, cta: nfct_msg.cta_tuple) -> Dict:
+ """
+ Extract ip adr from nfct_msg
+ """
+ data = dict()
+ cta_ip = cta.get_attr('CTA_TUPLE_IP')
+
+ if family == socket.AF_INET:
+ pref = 'CTA_IP_V4'
+ elif family == socket.AF_INET6:
+ pref = 'CTA_IP_V6'
+ else:
+ logger.error(f'Undefined INET: {family}')
+ raise NotImplementedError(family)
+
+ for direct in ['SRC', 'DST']:
+ data[direct] = cta_ip.get_attr(f'{pref}_{direct}')
+
+ return data
+
+
+def parse_counters(cta: nfct_msg.cta_counters) -> Dict:
+ """
+ Extract counters from nfct_msg
+ """
+ data = dict()
+ if not cta:
+ return data
+
+ for key in ['PACKETS', 'BYTES']:
+ tmp = cta.get_attr(f'CTA_COUNTERS_{key}')
+ if tmp is None:
+ tmp = cta.get_attr(f'CTA_COUNTERS32_{key}')
+ data['key'] = tmp
+
+ return data
+
+
+def is_need_to_log(event_type: AnyStr, proto_num: int, conf_event: Dict):
+ """
+ Filter message by event type and protocols
+ """
+ conf = conf_event.get(event_type)
+ if conf == {} or conf.get(SUPPORTED_PROTO_TO_NAME.get(proto_num, 'other')) is not None:
+ return True
+ return False
+
+
+def parse_conntrack_event(msg: nfct_msg, conf_event: Dict) -> Dict:
+ """
+ Convert nfct_msg to internal data dict.
+ """
+ data = dict()
+ event_type = parse_event_type(msg['header'])
+ proto_num = msg.get_nested('CTA_TUPLE_ORIG', 'CTA_TUPLE_PROTO', 'CTA_PROTO_NUM')
+
+ if not is_need_to_log(event_type, proto_num, conf_event):
+ return data
+
+ data = {
+ 'COMMON': {
+ 'ID': msg.get_attr('CTA_ID'),
+ 'EVENT_TYPE': event_type,
+ 'TIME_OUT': msg.get_attr('CTA_TIMEOUT'),
+ 'MARK': msg.get_attr('CTA_MARK'),
+ 'PORTID': msg['header'].get('pid'),
+ 'PROTO_INFO': parse_proto_info(msg.get_attr('CTA_PROTOINFO')),
+ 'STATUS': msg.get_attr('CTA_STATUS'),
+ 'TIMESTAMP': parse_timestamp(msg.get_attr('CTA_TIMESTAMP'))
+ },
+ 'ORIG': {},
+ 'REPLY': {},
+ }
+
+ for direct in ['ORIG', 'REPLY']:
+ data[direct]['ADDR'] = parse_ip_addr(msg['nfgen_family'], msg.get_attr(f'CTA_TUPLE_{direct}'))
+ data[direct]['PROTO'] = parse_proto(msg.get_attr(f'CTA_TUPLE_{direct}'))
+ data[direct]['COUNTERS'] = parse_counters(msg.get_attr(f'CTA_COUNTERS_{direct}'))
+
+ return data
+
+
+def worker(ct: conntrack.Conntrack, shutdown_event: multiprocessing.Event, conf_event: Dict):
+ """
+ Main function of parser worker process
+ """
+ process_name = multiprocessing.current_process().name
+ logger.debug(f'[{process_name}] started')
+ timeout = 0.1
+ while not shutdown_event.is_set():
+ if not ct.buffer_queue.empty():
+ try:
+ for msg in ct.get():
+ parsed_event = parse_conntrack_event(msg, conf_event)
+ if parsed_event:
+ message = format_event_message(parsed_event)
+ if logger.level == logging.DEBUG:
+ logger.debug(f"[{process_name}]: {message} raw: {msg}")
+ else:
+ logger.info(message)
+ except queue.Full:
+ logger.error("Conntrack message queue if full.")
+ except Exception as e:
+ logger.error(f"Error in queue: {e.__class__} {e}")
+ else:
+ sleep(timeout)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-c',
+ '--config',
+ action='store',
+ help='Path to vyos-conntrack-logger configuration',
+ required=True,
+ type=Path)
+
+ args = parser.parse_args()
+ try:
+ config = read_json(args.config)
+ except Exception as err:
+ logger.error(f'Configuration file "{args.config}" does not exist or malformed: {err}')
+ exit(1)
+
+ set_log_level(config.get('log_level', 'info'))
+
+ signal.signal(signal.SIGHUP, sig_handler)
+ signal.signal(signal.SIGTERM, sig_handler)
+
+ if 'event' in config:
+ event_groups = list(config.get('event').keys())
+ else:
+ logger.error(f'Configuration is wrong. Event filter is empty.')
+ exit(1)
+
+ conf_event = config['event']
+ qsize = config.get('queue_size')
+ ct = conntrack.Conntrack(async_qsize=int(qsize) if qsize else None)
+ ct.buffer_queue = multiprocessing.Queue(ct.async_qsize)
+ ct.bind(async_cache=True)
+
+ for name in event_groups:
+ if group := EVENT_NAME_TO_GROUP.get(name):
+ ct.add_membership(group)
+ else:
+ logger.error(f'Unexpected event group {name}')
+ processes = list()
+ try:
+ for _ in range(multiprocessing.cpu_count()):
+ p = multiprocessing.Process(target=worker, args=(ct,
+ shutdown_event,
+ conf_event))
+ processes.append(p)
+ p.start()
+ logger.info('Conntrack socket bound and listening for messages.')
+
+ while not shutdown_event.is_set():
+ if not ct.pthread.is_alive():
+ if ct.buffer_queue.qsize()/ct.async_qsize < 0.9:
+ if not shutdown_event.is_set():
+ logger.debug('Restart listener thread')
+ # restart listener thread after queue overloaded when queue size low than 90%
+ ct.pthread = threading.Thread(
+ name="Netlink async cache", target=ct.async_recv
+ )
+ ct.pthread.daemon = True
+ ct.pthread.start()
+ else:
+ sleep(0.1)
+ finally:
+ for p in processes:
+ p.join()
+ if not p.is_alive():
+ logger.debug(f"[{p.name}]: finished")
+ ct.close()
+ logging.info("Conntrack socket closed.")
+ exit()
diff --git a/src/systemd/vyos-conntrack-logger.service b/src/systemd/vyos-conntrack-logger.service
new file mode 100644
index 000000000..9bc1d857b
--- /dev/null
+++ b/src/systemd/vyos-conntrack-logger.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=VyOS conntrack logger daemon
+
+# Seemingly sensible way to say "as early as the system is ready"
+# All vyos-configd needs is read/write mounted root
+After=conntrackd.service
+
+[Service]
+ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/services/vyos-conntrack-logger -c /run/vyos-conntrack-logger.conf
+Type=idle
+
+SyslogIdentifier=vyos-conntrack-logger
+SyslogFacility=daemon
+
+Restart=on-failure
+
+User=root
+Group=vyattacfg
+
+[Install]
+WantedBy=multi-user.target