diff options
Diffstat (limited to 'data')
-rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 3 | ||||
-rw-r--r-- | data/templates/conntrack/nftables-ct.j2 | 182 | ||||
-rw-r--r-- | data/templates/conntrack/nftables-helpers.j2 | 70 | ||||
-rw-r--r-- | data/templates/conntrack/sysctl.conf.j2 | 1 | ||||
-rw-r--r-- | data/templates/conntrack/vyos_nf_conntrack.conf.j2 | 2 |
5 files changed, 221 insertions, 37 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 50473a6a1..81d86cf7e 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -1,6 +1,7 @@ { "firewall": { - "group_resync": ["nat", "policy_route"] + "conntrack": ["system_conntrack"], + "group_resync": ["system_conntrack", "nat", "policy_route"] }, "interfaces_bonding": { "ethernet": ["interfaces_ethernet"] diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 index 16a03fc6e..762a6f693 100644 --- a/data/templates/conntrack/nftables-ct.j2 +++ b/data/templates/conntrack/nftables-ct.j2 @@ -1,48 +1,160 @@ #!/usr/sbin/nft -f -{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %} -{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %} - -# we first flush all chains and render the content from scratch - this makes -# any delta check obsolete -flush chain raw {{ nft_ct_ignore_name }} -flush chain raw {{ nft_ct_timeout_name }} - -table raw { - chain {{ nft_ct_ignore_name }} { -{% if ignore.rule is vyos_defined %} -{% for rule, rule_config in ignore.rule.items() %} +{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %} +{% import 'firewall/nftables-defines.j2' as group_tmpl %} + +{% if first_install is not vyos_defined %} +delete table ip vyos_conntrack +{% endif %} +table ip vyos_conntrack { + chain VYOS_CT_IGNORE { +{% if ignore.ipv4.rule is vyos_defined %} +{% for rule, rule_config in ignore.ipv4.rule.items() %} # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} -{% set nft_command = '' %} -{% if rule_config.inbound_interface is vyos_defined %} -{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %} -{% endif %} -{% if rule_config.protocol is vyos_defined %} -{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %} -{% endif %} -{% if rule_config.destination.address is vyos_defined %} -{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %} -{% endif %} -{% if rule_config.destination.port is vyos_defined %} -{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %} -{% endif %} -{% if rule_config.source.address is vyos_defined %} -{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %} -{% endif %} -{% if rule_config.source.port is vyos_defined %} -{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %} -{% endif %} - {{ nft_command }} counter notrack comment ignore-{{ rule }} + {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }} +{% endfor %} +{% endif %} + return + } + chain VYOS_CT_TIMEOUT { +{% if timeout.custom.ipv4.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv4.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }} {% endfor %} {% endif %} return } - chain {{ nft_ct_timeout_name }} { -{% if timeout.custom.rule is vyos_defined %} -{% for rule, rule_config in timeout.custom.rule.items() %} + +{% if timeout.custom.ipv4.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv4.rule.items() %} + ct timeout ct-timeout-{{ rule }} { + l3proto ip; +{% for protocol, protocol_config in rule_config.protocol.items() %} + protocol {{ protocol }}; + policy = { {{ protocol_config | conntrack_ct_policy() }} } +{% endfor %} + } +{% endfor %} +{% endif %} + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + counter jump VYOS_CT_HELPER +{% endif %} + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + counter jump WLB_CONNTRACK + notrack + } + + chain OUTPUT { + type filter hook output priority -300; policy accept; +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + counter jump VYOS_CT_HELPER +{% endif %} + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK +{% if wlb_local_action %} + counter jump WLB_CONNTRACK +{% endif %} + notrack + } + +{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }} + + chain FW_CONNTRACK { + {{ ipv4_firewall_action }} + } + + chain NAT_CONNTRACK { + {{ ipv4_nat_action }} + } + + chain WLB_CONNTRACK { + {{ wlb_action }} + } + +{% if firewall.group is vyos_defined %} +{{ group_tmpl.groups(firewall.group, False, True) }} +{% endif %} +} + +{% if first_install is not vyos_defined %} +delete table ip6 vyos_conntrack +{% endif %} +table ip6 vyos_conntrack { + chain VYOS_CT_IGNORE { +{% if ignore.ipv6.rule is vyos_defined %} +{% for rule, rule_config in ignore.ipv6.rule.items() %} # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }} {% endfor %} {% endif %} return } + chain VYOS_CT_TIMEOUT { +{% if timeout.custom.ipv6.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv6.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }} +{% endfor %} +{% endif %} + return + } + +{% if timeout.custom.ipv6.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv6.rule.items() %} + ct timeout ct-timeout-{{ rule }} { + l3proto ip; +{% for protocol, protocol_config in rule_config.protocol.items() %} + protocol {{ protocol }}; + policy = { {{ protocol_config | conntrack_ct_policy() }} } +{% endfor %} + } +{% endfor %} +{% endif %} + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + counter jump VYOS_CT_HELPER +{% endif %} + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + notrack + } + + chain OUTPUT { + type filter hook output priority -300; policy accept; +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + counter jump VYOS_CT_HELPER +{% endif %} + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + notrack + } + +{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }} + + chain FW_CONNTRACK { + {{ ipv6_firewall_action }} + } + + chain NAT_CONNTRACK { + {{ ipv6_nat_action }} + } + +{% if firewall.group is vyos_defined %} +{{ group_tmpl.groups(firewall.group, True, True) }} +{% endif %} } diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2 new file mode 100644 index 000000000..433931162 --- /dev/null +++ b/data/templates/conntrack/nftables-helpers.j2 @@ -0,0 +1,70 @@ +{% macro conntrack_helpers(module_map, modules, ipv4=True) %} +{% if modules.ftp is vyos_defined %} + ct helper ftp_tcp { + type "ftp" protocol tcp; + } +{% endif %} + +{% if modules.h323 is vyos_defined %} + ct helper ras_udp { + type "RAS" protocol udp; + } + + ct helper q931_tcp { + type "Q.931" protocol tcp; + } +{% endif %} + +{% if modules.pptp is vyos_defined and ipv4 %} + ct helper pptp_tcp { + type "pptp" protocol tcp; + } +{% endif %} + +{% if modules.nfs is vyos_defined %} + ct helper rpc_tcp { + type "rpc" protocol tcp; + } + + ct helper rpc_udp { + type "rpc" protocol udp; + } +{% endif %} + +{% if modules.sip is vyos_defined %} + ct helper sip_tcp { + type "sip" protocol tcp; + } + + ct helper sip_udp { + type "sip" protocol udp; + } +{% endif %} + +{% if modules.tftp is vyos_defined %} + ct helper tftp_udp { + type "tftp" protocol udp; + } +{% endif %} + +{% if modules.sqlnet is vyos_defined %} + ct helper tns_tcp { + type "tns" protocol tcp; + } +{% endif %} + + chain VYOS_CT_HELPER { +{% for module, module_conf in module_map.items() %} +{% if modules[module] is vyos_defined %} +{% if 'nftables' in module_conf %} +{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %} +{% for rule in module_conf.nftables %} + {{ rule }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} +{% endfor %} + return + } +{% endmacro %} diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 index 9ea1ed2d8..986f75c61 100644 --- a/data/templates/conntrack/sysctl.conf.j2 +++ b/data/templates/conntrack/sysctl.conf.j2 @@ -24,3 +24,4 @@ net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }} net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }} net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }} +net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 index 290607662..1b12fec5f 100644 --- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 +++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 @@ -1,2 +1,2 @@ # Autogenerated by system_conntrack.py -options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1 +options nf_conntrack hashsize={{ hash_size }} |