summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json3
-rw-r--r--data/templates/conntrack/nftables-ct.j2182
-rw-r--r--data/templates/conntrack/nftables-helpers.j270
-rw-r--r--data/templates/conntrack/sysctl.conf.j21
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j22
5 files changed, 221 insertions, 37 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 50473a6a1..81d86cf7e 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,6 +1,7 @@
{
"firewall": {
- "group_resync": ["nat", "policy_route"]
+ "conntrack": ["system_conntrack"],
+ "group_resync": ["system_conntrack", "nat", "policy_route"]
},
"interfaces_bonding": {
"ethernet": ["interfaces_ethernet"]
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 16a03fc6e..762a6f693 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,48 +1,160 @@
#!/usr/sbin/nft -f
-{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
-{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %}
-
-# we first flush all chains and render the content from scratch - this makes
-# any delta check obsolete
-flush chain raw {{ nft_ct_ignore_name }}
-flush chain raw {{ nft_ct_timeout_name }}
-
-table raw {
- chain {{ nft_ct_ignore_name }} {
-{% if ignore.rule is vyos_defined %}
-{% for rule, rule_config in ignore.rule.items() %}
+{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %}
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
+{% if first_install is not vyos_defined %}
+delete table ip vyos_conntrack
+{% endif %}
+table ip vyos_conntrack {
+ chain VYOS_CT_IGNORE {
+{% if ignore.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in ignore.ipv4.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-{% set nft_command = '' %}
-{% if rule_config.inbound_interface is vyos_defined %}
-{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %}
-{% endif %}
-{% if rule_config.protocol is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %}
-{% endif %}
-{% if rule_config.destination.address is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %}
-{% endif %}
-{% if rule_config.destination.port is vyos_defined %}
-{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %}
-{% endif %}
-{% if rule_config.source.address is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %}
-{% endif %}
-{% if rule_config.source.port is vyos_defined %}
-{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %}
-{% endif %}
- {{ nft_command }} counter notrack comment ignore-{{ rule }}
+ {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }}
+{% endfor %}
+{% endif %}
+ return
+ }
+ chain VYOS_CT_TIMEOUT {
+{% if timeout.custom.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+ {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }}
{% endfor %}
{% endif %}
return
}
- chain {{ nft_ct_timeout_name }} {
-{% if timeout.custom.rule is vyos_defined %}
-{% for rule, rule_config in timeout.custom.rule.items() %}
+
+{% if timeout.custom.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
+ ct timeout ct-timeout-{{ rule }} {
+ l3proto ip;
+{% for protocol, protocol_config in rule_config.protocol.items() %}
+ protocol {{ protocol }};
+ policy = { {{ protocol_config | conntrack_ct_policy() }} }
+{% endfor %}
+ }
+{% endfor %}
+{% endif %}
+
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+ counter jump WLB_CONNTRACK
+ notrack
+ }
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
+{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+{% if wlb_local_action %}
+ counter jump WLB_CONNTRACK
+{% endif %}
+ notrack
+ }
+
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
+
+ chain FW_CONNTRACK {
+ {{ ipv4_firewall_action }}
+ }
+
+ chain NAT_CONNTRACK {
+ {{ ipv4_nat_action }}
+ }
+
+ chain WLB_CONNTRACK {
+ {{ wlb_action }}
+ }
+
+{% if firewall.group is vyos_defined %}
+{{ group_tmpl.groups(firewall.group, False, True) }}
+{% endif %}
+}
+
+{% if first_install is not vyos_defined %}
+delete table ip6 vyos_conntrack
+{% endif %}
+table ip6 vyos_conntrack {
+ chain VYOS_CT_IGNORE {
+{% if ignore.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in ignore.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+ {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }}
{% endfor %}
{% endif %}
return
}
+ chain VYOS_CT_TIMEOUT {
+{% if timeout.custom.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+ {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }}
+{% endfor %}
+{% endif %}
+ return
+ }
+
+{% if timeout.custom.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
+ ct timeout ct-timeout-{{ rule }} {
+ l3proto ip;
+{% for protocol, protocol_config in rule_config.protocol.items() %}
+ protocol {{ protocol }};
+ policy = { {{ protocol_config | conntrack_ct_policy() }} }
+{% endfor %}
+ }
+{% endfor %}
+{% endif %}
+
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+ notrack
+ }
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
+{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+ notrack
+ }
+
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
+
+ chain FW_CONNTRACK {
+ {{ ipv6_firewall_action }}
+ }
+
+ chain NAT_CONNTRACK {
+ {{ ipv6_nat_action }}
+ }
+
+{% if firewall.group is vyos_defined %}
+{{ group_tmpl.groups(firewall.group, True, True) }}
+{% endif %}
}
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
new file mode 100644
index 000000000..433931162
--- /dev/null
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -0,0 +1,70 @@
+{% macro conntrack_helpers(module_map, modules, ipv4=True) %}
+{% if modules.ftp is vyos_defined %}
+ ct helper ftp_tcp {
+ type "ftp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.h323 is vyos_defined %}
+ ct helper ras_udp {
+ type "RAS" protocol udp;
+ }
+
+ ct helper q931_tcp {
+ type "Q.931" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.pptp is vyos_defined and ipv4 %}
+ ct helper pptp_tcp {
+ type "pptp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.nfs is vyos_defined %}
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sip is vyos_defined %}
+ ct helper sip_tcp {
+ type "sip" protocol tcp;
+ }
+
+ ct helper sip_udp {
+ type "sip" protocol udp;
+ }
+{% endif %}
+
+{% if modules.tftp is vyos_defined %}
+ ct helper tftp_udp {
+ type "tftp" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sqlnet is vyos_defined %}
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+{% endif %}
+
+ chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{% if modules[module] is vyos_defined %}
+{% if 'nftables' in module_conf %}
+{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %}
+{% for rule in module_conf.nftables %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}
+ return
+ }
+{% endmacro %}
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 9ea1ed2d8..986f75c61 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -24,3 +24,4 @@ net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }}
net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }}
net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }}
+net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 290607662..1b12fec5f 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,2 +1,2 @@
# Autogenerated by system_conntrack.py
-options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
+options nf_conntrack hashsize={{ hash_size }}