

T5779: conntrack: Apply fixes to <set system conntrack timeout custom…
…>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.
nicolas-fort authored and jestabro committed Dec 7, 2023
1 parent 17722f3 commit 6d6b3fb
Showing 7 changed files with 406 additions and 53 deletions.
40 changes: 33 additions & 7 deletions data/templates/conntrack/nftables-ct.j2
Expand Up @@ -11,20 +11,33 @@ table ip vyos_conntrack {
{% if ignore.ipv4.rule is vyos_defined %}
{% for rule, rule_config in ignore.ipv4.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
{{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }}
{% endfor %}
{% endif %}
return
return
}
chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.rule.items() %}
{% if timeout.custom.ipv4.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }}
{% endfor %}
{% endif %}
return
}

{% if timeout.custom.ipv4.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
ct timeout ct-timeout-{{ rule }} {
l3proto ip;
{% for protocol, protocol_config in rule_config.protocol.items() %}
protocol {{ protocol }};
policy = { {{ protocol_config | conntrack_ct_policy() }} }
{% endfor %}
}
{% endfor %}
{% endif %}

chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
Expand Down Expand Up @@ -80,20 +93,33 @@ table ip6 vyos_conntrack {
{% if ignore.ipv6.rule is vyos_defined %}
{% for rule, rule_config in ignore.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
{{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }}
{% endfor %}
{% endif %}
return
}
chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.rule.items() %}
{% if timeout.custom.ipv6.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }}
{% endfor %}
{% endif %}
return
}

{% if timeout.custom.ipv6.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
ct timeout ct-timeout-{{ rule }} {
l3proto ip;
{% for protocol, protocol_config in rule_config.protocol.items() %}
protocol {{ protocol }};
policy = { {{ protocol_config | conntrack_ct_policy() }} }
{% endfor %}
}
{% endfor %}
{% endif %}

chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
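Review bot: The IPv6 `ct timeout` objects emitted in the second hunk declare `l3proto ip;` although they sit inside `table ip6 vyos_conntrack`; nftables keys a ct timeout object on its `l3proto`, so as written these policies would be bound to the IPv4 family and, as far as I can tell, would not apply to the IPv6 connections the `VYOS_CT_TIMEOUT` chain in the same table tries to attach them to. The line should read `l3proto ip6;`. The IPv4 block in the first hunk uses `l3proto ip;` correctly, so this looks like the `table ip` section copied without adjusting the family. Both `table` blocks open above their hunks and close below them.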
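--- a/interface-definitions/include/conntrack/timeout-custom-protocols.xml.i
+++ b/interface-definitions/include/conntrack/timeout-custom-protocols.xml.i
@@ -0,0 +1,136 @@
+<!-- include start from conntrack/timeout-custom-protocols.xml.i -->
+<node name="tcp">
+<properties>
+<help>TCP connection timeout options</help>
+</properties>
+<children>
+<leafNode name="close-wait">
+<properties>
+<help>TCP CLOSE-WAIT timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP CLOSE-WAIT timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="close">
+<properties>
+<help>TCP CLOSE timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP CLOSE timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="established">
+<properties>
+<help>TCP ESTABLISHED timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP ESTABLISHED timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="fin-wait">
+<properties>
+<help>TCP FIN-WAIT timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP FIN-WAIT timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="last-ack">
+<properties>
+<help>TCP LAST-ACK timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP LAST-ACK timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="syn-recv">
+<properties>
+<help>TCP SYN-RECEIVED timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP SYN-RECEIVED timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="syn-sent">
+<properties>
+<help>TCP SYN-SENT timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP SYN-SENT timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="time-wait">
+<properties>
+<help>TCP TIME-WAIT timeout in seconds</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>TCP TIME-WAIT timeout in seconds</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+</children>
+</node>
+<node name="udp">
+<properties>
+<help>UDP timeout options</help>
+</properties>
+<children>
+<leafNode name="replied">
+<properties>
+<help>Timeout for UDP connection seen in both directions</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>Timeout for UDP connection seen in both directions</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+<leafNode name="unreplied">
+<properties>
+<help>Timeout for unreplied UDP</help>
+<valueHelp>
+<format>u32:1-21474836</format>
+<description>Timeout for unreplied UDP</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-21474836"/>
+</constraint>
+</properties>
+</leafNode>
+</children>
+</node>
+<!-- include end -->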
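Review bot: The two UDP help strings (`Timeout for UDP connection seen in both directions`, `Timeout for unreplied UDP`) omit the unit, while every TCP leaf in the same include ends in `timeout in seconds` and all ten leaves share the same `u32:1-21474836` valueHelp; for consistency I would write `<help>UDP REPLIED timeout in seconds</help>` and `<help>UDP UNREPLIED timeout in seconds</help>`, with the matching `<description>` elements changed the same way. The ten identical `--range 1-21474836` constraints also carry no `constraintErrorMessage`, whereas the `rule` tag node in `system-conntrack.xml.in` in this same commit does provide one; adding `<constraintErrorMessage>Timeout must be between 1 and 21474836 seconds</constraintErrorMessage>` to each leaf would give the user the same feedback here.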
144 changes: 104 additions & 40 deletions interface-definitions/system-conntrack.xml.in
Expand Up @@ -385,58 +385,122 @@
<help>Define custom timeouts per connection</help>
</properties>
<children>
<tagNode name="rule">
<node name="ipv4">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
<help>IPv4 rules</help>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
#include <include/ip-protocol.xml.i>
<node name="protocol">
<tagNode name="rule">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/conntrack/timeout-common-protocols.xml.i>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-custom-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</node>
<node name="source">
</tagNode>
</children>
</node>
<node name="ipv6">
<properties>
<help>IPv6 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Source parameters</help>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-custom-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</node>
</tagNode>
</children>
</tagNode>
</node>
</children>
</node>
#include <include/conntrack/timeout-common-protocols.xml.i>
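Review bot: The `constraintErrorMessage` under both new `rule` tag nodes (ipv4 and ipv6) still reads `Ignore rule number must be between 1 and 999999`, and the `inbound-interface` help under both still reads `Interface to ignore connections tracking on`; these nodes now live under `timeout custom`, so the text carried over from the ignore rules misdescribes them. I would change both branches to `<constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>` and `<help>Inbound interface to match</help>`. The ipv6 branch also takes its source and destination from `firewall/address-ipv6.xml.i` while the ipv4 branch keeps `nat-address.xml.i`; if that asymmetry is deliberate a short XML comment explaining it would help, since the two includes presumably expose different option sets. The enclosing `custom` node opens above the hunk and its `timeout-common-protocols.xml.i` include at the hunk's last line sits outside both new branches.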
