diff options
author | Christian Breunig <christian@breunig.cc> | 2024-01-18 22:05:16 +0100 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2024-01-18 22:09:30 +0100 |
commit | 80068c8ce453a385981999c25e4ff5aeaa6bf030 (patch) | |
tree | 2c3566becc1e93b70df5fb2f61b4f1028a04dd8f /python/vyos | |
parent | 4b3ef473c3acfedeb70a023a9ca46df5437fc5a2 (diff) | |
download | vyos-1x-80068c8ce453a385981999c25e4ff5aeaa6bf030.tar.gz vyos-1x-80068c8ce453a385981999c25e4ff5aeaa6bf030.zip |
conntrack: T5376: T5779: backport from current
Backport of the conntrack system from current branch.
(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
Diffstat (limited to 'python/vyos')
-rw-r--r-- | python/vyos/template.py | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py index b65386654..4b6dca254 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -659,6 +659,107 @@ def nat_static_rule(rule_conf, rule_id, nat_type): from vyos.nat import parse_nat_static_rule return parse_nat_static_rule(rule_conf, rule_id, nat_type) +@register_filter('conntrack_rule') +def conntrack_rule(rule_conf, rule_id, action, ipv6=False): + ip_prefix = 'ip6' if ipv6 else 'ip' + def_suffix = '6' if ipv6 else '' + output = [] + + if 'inbound_interface' in rule_conf: + ifname = rule_conf['inbound_interface'] + if ifname != 'any': + output.append(f'iifname {ifname}') + + if 'protocol' in rule_conf: + if action != 'timeout': + proto = rule_conf['protocol'] + else: + for protocol, protocol_config in rule_conf['protocol'].items(): + proto = protocol + output.append(f'meta l4proto {proto}') + + tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags') + if tcp_flags and action != 'timeout': + from vyos.firewall import parse_tcp_flags + output.append(parse_tcp_flags(tcp_flags)) + + for side in ['source', 'destination']: + if side in rule_conf: + side_conf = rule_conf[side] + prefix = side[0] + + if 'address' in side_conf: + address = side_conf['address'] + operator = '' + if address[0] == '!': + operator = '!=' + address = address[1:] + output.append(f'{ip_prefix} {prefix}addr {operator} {address}') + + if 'port' in side_conf: + port = side_conf['port'] + operator = '' + if port[0] == '!': + operator = '!=' + port = port[1:] + output.append(f'th {prefix}port {operator} {port}') + + if 'group' in side_conf: + group = side_conf['group'] + + if 'address_group' in group: + group_name = group['address_group'] + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + output.append(f'{ip_prefix} {prefix}addr {operator} @A{def_suffix}_{group_name}') + # Generate firewall group domain-group + elif 'domain_group' in group: + group_name = group['domain_group'] + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + output.append(f'{ip_prefix} {prefix}addr {operator} @D_{group_name}') + elif 'network_group' in group: + group_name = group['network_group'] + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + output.append(f'{ip_prefix} {prefix}addr {operator} @N{def_suffix}_{group_name}') + if 'port_group' in group: + group_name = group['port_group'] + + if proto == 'tcp_udp': + proto = 'th' + + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + + output.append(f'{proto} {prefix}port {operator} @P_{group_name}') + + if action == 'ignore': + output.append('counter notrack') + output.append(f'comment "ignore-{rule_id}"') + else: + output.append(f'counter ct timeout set ct-timeout-{rule_id}') + output.append(f'comment "timeout-{rule_id}"') + + return " ".join(output) + +@register_filter('conntrack_ct_policy') +def conntrack_ct_policy(protocol_conf): + output = [] + for item in protocol_conf: + item_value = protocol_conf[item] + output.append(f'{item}: {item_value}') + + return ", ".join(output) + @register_filter('range_to_regex') def range_to_regex(num_range): """Convert range of numbers or list of ranges |