T5779: conntrack: Apply fixes to <set system conntrack timeout custom…
…>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.

(cherry picked from commit 24a1a70)

# Conflicts:
#	data/templates/conntrack/nftables-ct.j2
#	python/vyos/template.py
#	smoketest/scripts/cli/test_system_conntrack.py
#	src/conf_mode/conntrack.py
nicolas-fort authored and mergify[bot] committed Jan 11, 2024
1 parent d0145bf commit eecd8d1
Showing 7 changed files with 887 additions and 41 deletions.
148 changes: 147 additions & 1 deletion data/templates/conntrack/nftables-ct.j2
Expand Up @@ -13,6 +13,7 @@ table raw {
{% if ignore.rule is vyos_defined %}
{% for rule, rule_config in ignore.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
<<<<<<< HEAD
{% set nft_command = '' %}
{% if rule_config.inbound_interface is vyos_defined %}
{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %}
Expand All @@ -33,16 +34,161 @@ table raw {
{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %}
{% endif %}
{{ nft_command }} counter notrack comment ignore-{{ rule }}
=======
{{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }}
>>>>>>> 24a1a7059 (T5779: conntrack: Apply fixes to <set system conntrack timeout custom>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.)
{% endfor %}
{% endif %}
return
return
}
<<<<<<< HEAD
chain {{ nft_ct_timeout_name }} {
{% if timeout.custom.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.rule.items() %}
=======
chain VYOS_CT_TIMEOUT {
{% if timeout.custom.ipv4.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
>>>>>>> 24a1a7059 (T5779: conntrack: Apply fixes to <set system conntrack timeout custom>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.)
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }}
{% endfor %}
{% endif %}
return
}
<<<<<<< HEAD
=======

{% if timeout.custom.ipv4.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
ct timeout ct-timeout-{{ rule }} {
l3proto ip;
{% for protocol, protocol_config in rule_config.protocol.items() %}
protocol {{ protocol }};
policy = { {{ protocol_config | conntrack_ct_policy() }} }
{% endfor %}
}
{% endfor %}
{% endif %}

chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
counter jump VYOS_CT_HELPER
{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
counter jump NAT_CONNTRACK
counter jump WLB_CONNTRACK
notrack
}

chain OUTPUT {
type filter hook output priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
counter jump VYOS_CT_HELPER
{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
counter jump NAT_CONNTRACK
{% if wlb_local_action %}
counter jump WLB_CONNTRACK
{% endif %}
notrack
}

{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}

chain FW_CONNTRACK {
{{ ipv4_firewall_action }}
}

chain NAT_CONNTRACK {
{{ ipv4_nat_action }}
}

chain WLB_CONNTRACK {
{{ wlb_action }}
}

{% if firewall.group is vyos_defined %}
{{ group_tmpl.groups(firewall.group, False, True) }}
{% endif %}
}

{% if first_install is not vyos_defined %}
delete table ip6 vyos_conntrack
{% endif %}
table ip6 vyos_conntrack {
chain VYOS_CT_IGNORE {
{% if ignore.ipv6.rule is vyos_defined %}
{% for rule, rule_config in ignore.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }}
{% endfor %}
{% endif %}
return
}
chain VYOS_CT_TIMEOUT {
{% if timeout.custom.ipv6.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }}
{% endfor %}
{% endif %}
return
}

{% if timeout.custom.ipv6.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
ct timeout ct-timeout-{{ rule }} {
l3proto ip;
{% for protocol, protocol_config in rule_config.protocol.items() %}
protocol {{ protocol }};
policy = { {{ protocol_config | conntrack_ct_policy() }} }
{% endfor %}
}
{% endfor %}
{% endif %}

chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
counter jump VYOS_CT_HELPER
{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
counter jump NAT_CONNTRACK
notrack
}

chain OUTPUT {
type filter hook output priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
counter jump VYOS_CT_HELPER
{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
counter jump NAT_CONNTRACK
notrack
}

{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}

chain FW_CONNTRACK {
{{ ipv6_firewall_action }}
}

chain NAT_CONNTRACK {
{{ ipv6_nat_action }}
}

{% if firewall.group is vyos_defined %}
{{ group_tmpl.groups(firewall.group, True, True) }}
{% endif %}
>>>>>>> 24a1a7059 (T5779: conntrack: Apply fixes to <set system conntrack timeout custom>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.)
}
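Review bot: The template as committed still contains unresolved git conflict markers (`<<<<<<< HEAD` at the top of the ignore-rule loop, `=======` / `>>>>>>> 24a1a7059` after it, again around the timeout chain header, and `>>>>>>> 24a1a7059` just before the closing brace of `table ip6 vyos_conntrack`), and Jinja will emit those lines verbatim, so `nft -f` should reject the rendered ruleset and none of the conntrack ignore/timeout rules will be applied. Both sides of each conflict are also kept, so every ignore rule is rendered twice (the legacy `nft_command` string and the `conntrack_rule(rule, 'ignore', ipv6=False)` output), and a `chain {{ nft_ct_timeout_name }}` iterating `timeout.custom.rule` is emitted next to `chain VYOS_CT_TIMEOUT` iterating `timeout.custom.ipv4.rule`; the `# Conflicts:` trailer lists three more files in the same state. The conflicts need to be resolved on the 24a1a7059 side — keeping only the `conntrack_rule` filter calls and the `VYOS_CT_TIMEOUT` chain — and `smoketest/scripts/cli/test_system_conntrack.py` should exercise a rendered commit so a backport like this fails CI rather than the device. Separately, the `ct timeout` objects inside `table ip6 vyos_conntrack` declare `l3proto ip;`, which looks copied from the IPv4 block and presumably should read `l3proto ip6;` for the policy to apply to IPv6 flows. The enclosing template begins before the first hunk.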
136 changes: 136 additions & 0 deletions interface-definitions/include/conntrack/timeout-custom-protocols.xml.i
@@ -0,0 +1,136 @@
<!-- include start from conntrack/timeout-custom-protocols.xml.i -->
<node name="tcp">
<properties>
<help>TCP connection timeout options</help>
</properties>
<children>
<leafNode name="close-wait">
<properties>
<help>TCP CLOSE-WAIT timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP CLOSE-WAIT timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="close">
<properties>
<help>TCP CLOSE timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP CLOSE timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="established">
<properties>
<help>TCP ESTABLISHED timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP ESTABLISHED timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="fin-wait">
<properties>
<help>TCP FIN-WAIT timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP FIN-WAIT timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="last-ack">
<properties>
<help>TCP LAST-ACK timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP LAST-ACK timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="syn-recv">
<properties>
<help>TCP SYN-RECEIVED timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP SYN-RECEIVED timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="syn-sent">
<properties>
<help>TCP SYN-SENT timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP SYN-SENT timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="time-wait">
<properties>
<help>TCP TIME-WAIT timeout in seconds</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>TCP TIME-WAIT timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<node name="udp">
<properties>
<help>UDP timeout options</help>
</properties>
<children>
<leafNode name="replied">
<properties>
<help>Timeout for UDP connection seen in both directions</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>Timeout for UDP connection seen in both directions</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
<leafNode name="unreplied">
<properties>
<help>Timeout for unreplied UDP</help>
<valueHelp>
<format>u32:1-21474836</format>
<description>Timeout for unreplied UDP</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-21474836"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<!-- include end -->
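Review bot: Every leaf in this include repeats the bare bound `1-21474836` without saying where it comes from; 21474836 is floor((2^31-1)/100), which suggests it mirrors the kernel's conntrack timeout limit in jiffies at HZ=100, but that should be written down rather than left for the next reader to reverse-engineer. I would add, right after the `include start` line, `<!-- Timeouts are seconds; the 21474836 upper bound is INT_MAX / 100, presumably the conntrack jiffies limit at HZ=100 - confirm against nft ct timeout before widening it -->`. The same comment should state that the leaf names (`close-wait`, `syn-recv`, `replied`, ...) are expected to match the state keywords the `conntrack_ct_policy` filter emits, since that filter is not visible here and a rename on either side would silently break the policy. If omitting the kernel's remaining TCP states (e.g. `retrans`, `unack`) is deliberate per the commit message's "remove what was not working on 1.3", the comment is also the place to say so.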
