diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
new file mode 100644
index 000000000..f891225e0
--- /dev/null
+++ b/interface-definitions/include/conntrack-module-disable.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from conntrack-module-disable.xml.i -->
+<leafNode name="disable">
+ <properties>
+ <help>Disable connection tracking helper</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 07a2c401d..fa73df3db 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -1,285 +1,348 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="system"> <children> <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py"> <properties> <help>Connection Tracking Engine Options</help> <!-- Before NAT and conntrack-sync are configured --> <priority>218</priority> </properties> <children> <leafNode name="expect-table-size"> <properties> <help>Size of connection tracking expect table</help> <valueHelp> <format>u32:1-50000000</format> <description>Number of entries allowed in connection tracking expect table</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-50000000"/> </constraint> </properties> <defaultValue>2048</defaultValue> </leafNode> <leafNode name="hash-size"> <properties> <help>Hash size for connection tracking table</help> <valueHelp> <format>u32:1-50000000</format> <description>Size of hash to use for connection tracking table</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-50000000"/> </constraint> </properties> <defaultValue>32768</defaultValue> </leafNode> + <node name="modules"> + <properties> + <help>Connection tracking modules settings</help> + </properties> + <children> + <node name="ftp"> + <properties> + <help>FTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="h323"> + <properties> + <help>H.323 connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="nfs"> + <properties> + <help>NFS connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="pptp"> + <properties> + <help>PPTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="sip"> + 
<properties> + <help>SIP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="sqlnet"> + <properties> + <help>SQLnet connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="tftp"> + <properties> + <help>TFTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + </children> + </node> <leafNode name="table-size"> <properties> <help>Size of connection tracking table</help> <valueHelp> <format>u32:1-50000000</format> <description>Number of entries allowed in connection tracking table</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-50000000"/> </constraint> </properties> <defaultValue>262144</defaultValue> </leafNode> <node name="tcp"> <properties> <help>TCP options</help> </properties> <children> <leafNode name="half-open-connections"> <properties> <help>Maximum number of TCP half-open connections</help> <valueHelp> <format>u32:1-2147483647</format> <description>Generic connection timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-2147483647"/> </constraint> </properties> <defaultValue>512</defaultValue> </leafNode> <leafNode name="loose"> <properties> <help>Policy to track previously established connections</help> <completionHelp> <list>enable disable</list> </completionHelp> <valueHelp> <format>enable</format> <description>Allow tracking of previously established connections</description> </valueHelp> <valueHelp> <format>disable</format> <description>Do not allow tracking of previously established connections</description> </valueHelp> <constraint> <regex>^(enable|disable)$</regex> </constraint> </properties> <defaultValue>enable</defaultValue> </leafNode> <leafNode name="max-retrans"> 
<properties> <help>TCP maximum retransmit attempts</help> <valueHelp> <format>u32:1-2147483647</format> <description>Generic connection timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-2147483647"/> </constraint> </properties> <defaultValue>3</defaultValue> </leafNode> </children> </node> <node name="timeout"> <properties> <help>Connection timeout options</help> </properties> <children> <leafNode name="icmp"> <properties> <help>ICMP timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>ICMP timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>30</defaultValue> </leafNode> <leafNode name="other"> <properties> <help>Generic connection timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>Generic connection timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>600</defaultValue> </leafNode> <node name="tcp"> <properties> <help>TCP connection timeout options</help> </properties> <children> <leafNode name="close-wait"> <properties> <help>TCP CLOSE-WAIT timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP CLOSE-WAIT timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>60</defaultValue> </leafNode> <leafNode name="close"> <properties> <help>TCP CLOSE timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP CLOSE timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>10</defaultValue> </leafNode> <leafNode name="established"> <properties> <help>TCP ESTABLISHED timeout in seconds</help> 
<valueHelp> <format>u32:1-21474836</format> <description>TCP ESTABLISHED timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>432000</defaultValue> </leafNode> <leafNode name="fin-wait"> <properties> <help>TCP FIN-WAIT timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP FIN-WAIT timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>120</defaultValue> </leafNode> <leafNode name="last-ack"> <properties> <help>TCP LAST-ACK timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP LAST-ACK timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>30</defaultValue> </leafNode> <leafNode name="syn-recv"> <properties> <help>TCP SYN-RECEIVED timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP SYN-RECEIVED timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>60</defaultValue> </leafNode> <leafNode name="syn-sent"> <properties> <help>TCP SYN-SENT timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP SYN-SENT timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>120</defaultValue> </leafNode> <leafNode name="time-wait"> <properties> <help>TCP TIME-WAIT timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>TCP TIME-WAIT timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>120</defaultValue> </leafNode> 
</children> </node> <node name="udp"> <properties> <help>UDP timeout options</help> </properties> <children> <leafNode name="other"> <properties> <help>UDP generic timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>UDP generic timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>30</defaultValue> </leafNode> <leafNode name="stream"> <properties> <help>UDP stream timeout in seconds</help> <valueHelp> <format>u32:1-21474836</format> <description>UDP stream timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-21474836"/> </constraint> </properties> <defaultValue>180</defaultValue> </leafNode> </children> </node> </children> </node> </children> </node> </children> </node> </interfaceDefinition> diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index e834231cf..4e6e39c0f 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py 
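Review bot: The `valueHelp` descriptions for `half-open-connections` and `max-retrans` under the `tcp` node still read `Generic connection timeout in seconds`, which was copied from the timeout leaves and does not describe either value; they should be `<description>Maximum number of TCP half-open connections</description>` and `<description>TCP maximum retransmit attempts</description>` to match their own `<help>` text. Those lines are context in this hunk rather than part of the change, but since the file is being touched anyway this is the place to correct them. The new `modules` subtree itself is consistent: every helper node carries the same `#include <include/conntrack-module-disable.xml.i>` leaf and a help string naming the protocol.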
@@ -1,83 +1,140 @@ #!/usr/bin/env python3 # # Copyright (C) 2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os + from sys import exit from vyos.config import Config from vyos.configdict import dict_merge from vyos.util import cmd from vyos.util import run from vyos.util import process_named_running +from vyos.util import dict_search from vyos.template import render from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf' sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf' +# Every ALG (Application Layer Gateway) consists of either a Kernel Object +# also called a Kernel Module/Driver or some rules present in iptables +module_map = { + 'ftp' : { + 'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'], + }, + 'h323' : { + 'ko' : ['nf_nat_h323', 'nf_conntrack_h323'], + }, + 'nfs' : { + 'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 111 --jump CT --helper rpc', + 'VYATTA_CT_HELPER --table raw --proto udp --dport 111 --jump CT --helper rpc'], + }, + 'pptp' : { + 'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'], + }, + 'sip' : { + 'ko' : ['nf_nat_sip', 'nf_conntrack_sip'], + }, + 'sqlnet' : { + 'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 1521 --jump CT --helper tns', + 'VYATTA_CT_HELPER --table raw --proto tcp --dport 1525 --jump CT --helper tns', + 'VYATTA_CT_HELPER --table raw 
--proto tcp --dport 1536 --jump CT --helper tns'], + }, + 'tftp' : { + 'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'], + }, +} + def resync_conntrackd(): tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py') if tmp > 0: print('ERROR: error restarting conntrackd!') def get_config(config=None): if config: conf = config else: conf = Config() base = ['system', 'conntrack'] conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_values = defaults(base) conntrack = dict_merge(default_values, conntrack) return conntrack def verify(conntrack): return None def generate(conntrack): render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack) render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack) return None def apply(conntrack): + # Depending on the enable/disable state of the ALG (Application Layer Gateway) + # modules we need to either insmod or rmmod the helpers. 
+ for module, module_config in module_map.items(): + if dict_search(f'modules.{module}.disable', conntrack) != None: + if 'ko' in module_config: + for mod in module_config['ko']: + # Only remove the module if it's loaded + if os.path.exists(f'/sys/module/{mod}'): + cmd(f'rmmod {mod}') + if 'iptables' in module_config: + for rule in module_config['iptables']: + print(f'iptables --delete {rule}') + cmd(f'iptables --delete {rule}') + else: + if 'ko' in module_config: + for mod in module_config['ko']: + cmd(f'modprobe {mod}') + if 'iptables' in module_config: + for rule in module_config['iptables']: + # Only install iptables rule if it does not exist + tmp = run(f'iptables --check {rule}') + if tmp > 0: + cmd(f'iptables --insert {rule}') + + if process_named_running('conntrackd'): # Reload conntrack-sync daemon to fetch new sysctl values resync_conntrackd() # We silently ignore all errors # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080 cmd(f'sysctl -f {sysctl_file}') return None if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)
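Review bot: In the disable branch of apply(), `cmd(f'iptables --delete {rule}')` runs without first confirming the rule exists, whereas the enable branch guards `--insert` with `run(f'iptables --check {rule}')`; if `cmd` raises on a non-zero exit, as the deliberate use of `run` for the check suggests, disabling nfs or sqlnet on a box where the rule was never installed would abort the whole commit. Mirror the enable path with `if run(f'iptables --check {rule}') == 0:` wrapping `cmd(f'iptables --delete {rule}')`, and drop the leftover debug `print(f'iptables --delete {rule}')` on the line above it, which otherwise echoes raw iptables commands into commit output. The `rmmod` path has the same shape: `os.path.exists(f'/sys/module/{mod}')` only proves the module is loaded, not that it can be unloaded, so a helper with live tracked flows may fail to remove and `cmd` would surface that as a failed commit rather than a logged warning. Minor: `dict_search(...) != None` should be `is not None`; the comparison against `None` itself is right, since a valueless `disable` node yields an empty dict that is falsy.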