From 05b5d09ca70c5cc868f2108df4bcd3fcf6a7d865 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 9 Jan 2022 20:54:39 +0100 Subject: conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and nftables --- data/templates/conntrack/nftables-ct-ignore.tmpl | 40 ++++ .../include/conntrack/log-common.xml.i | 20 ++ interface-definitions/system-conntrack.xml.in | 205 +++++++++++++++++++++ src/conf_mode/conntrack.py | 12 ++ 4 files changed, 277 insertions(+) create mode 100644 data/templates/conntrack/nftables-ct-ignore.tmpl create mode 100644 interface-definitions/include/conntrack/log-common.xml.i diff --git a/data/templates/conntrack/nftables-ct-ignore.tmpl b/data/templates/conntrack/nftables-ct-ignore.tmpl new file mode 100644 index 000000000..59c1cb1d2 --- /dev/null +++ b/data/templates/conntrack/nftables-ct-ignore.tmpl @@ -0,0 +1,40 @@ +#!/usr/sbin/nft -f + +# we first flush the chains content and then render the new statements from CLI +# if applicable +{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %} +flush chain raw {{ nft_ct_ignore_name }} +table raw { + chain {{ nft_ct_ignore_name }} { +{% if ignore is defined and ignore.rule is defined and ignore.rule is not none %} +{% for rule, rule_config in ignore.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is defined and rule_config.description is not none }} +{% set nft_command = '' %} +{% if rule_config.inbound_interface is defined and rule_config.inbound_interface is not none %} +{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %} +{% endif %} +{% if rule_config.protocol is defined and rule_config.protocol is not none %} +{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %} +{% endif %} +{% if rule_config.destination is defined and rule_config.destination is not none %} +{% if rule_config.destination.address is defined and rule_config.destination.address is not none %} +{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %} +{% endif %} +{% if rule_config.destination.port is defined and rule_config.destination.port is not none %} +{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %} +{% endif %} +{% endif %} +{% if rule_config.source is defined and rule_config.source is not none %} +{% if rule_config.source.address is defined and rule_config.source.address is not none %} +{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %} +{% endif %} +{% if rule_config.source.port is defined and rule_config.source.port is not none %} +{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %} +{% endif %} +{% endif %} + {{ nft_command }} counter return comment ignore-{{ rule }} +{% endfor %} +{% endif %} + return + } +} diff --git a/interface-definitions/include/conntrack/log-common.xml.i b/interface-definitions/include/conntrack/log-common.xml.i new file mode 100644 index 000000000..38799f8f4 --- /dev/null +++ b/interface-definitions/include/conntrack/log-common.xml.i @@ -0,0 +1,20 @@ + + + + Log connection deletion + + + + + + Log connection creation + + + + + + Log connection updates + + + + diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in index daa4177c9..88f96a078 100644 --- a/interface-definitions/system-conntrack.xml.in +++ b/interface-definitions/system-conntrack.xml.in @@ -35,6 +35,128 @@ 32768 + + + Customized rules to ignore selective connection tracking + + + + + Rule number + + u32:1-999999 + Number of conntrack ignore rule + + + + + Ignore rule number must be between 1 and 999999 + + + #include + + + Destination parameters + + + #include + #include + + + + + Interface to ignore connections tracking on + + any + + + + + #include + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Source parameters + + + #include + #include + + + + + + + + + Log connection tracking events per protocol + + + + + Log connection tracking events for ICMP + + + #include + + + + + Log connection tracking events for all protocols other than TCP, UDP and ICMP + + + #include + + + + + Log connection tracking events for TCP + + + #include + + + + + Log connection tracking events for UDP + + + #include + + + + Connection tracking modules @@ -155,6 +277,89 @@ Connection timeout options + + + Define custom timeouts per connection + + + + + Rule number + + u32:1-999999 + Number of conntrack rule + + + + + Ignore rule number must be between 1 and 999999 + + + #include + + + Destination parameters + + + #include + #include + + + + + Interface to ignore connections tracking on + + any + + + + + #include + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Source parameters + + + #include + #include + + + + + + ICMP timeout in seconds diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index c65ef9540..3cb0dd1e2 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -35,6 +35,7 @@ airbag.enable() conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf' sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf' +nftables_ct_ignore_file = r'/run/nftables-ct-ignore.conf' # Every ALG (Application Layer Gateway) consists of either a Kernel Object # also called a Kernel Module/Driver or some rules present in iptables @@ -86,11 +87,19 @@ def get_config(config=None): return conntrack def verify(conntrack): + if dict_search('ignore.rule', conntrack) != None: + for rule, rule_config in conntrack['ignore']['rule'].items(): + if dict_search('destination.port', rule_config) or \ + dict_search('source.port', rule_config): + if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']: + raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}') + return None def generate(conntrack): render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack) render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack) + render(nftables_ct_ignore_file, 'conntrack/nftables-ct-ignore.tmpl', conntrack) return None @@ -127,6 +136,9 @@ def apply(conntrack): if not find_nftables_ct_rule(rule): cmd(f'nft insert rule ip raw VYOS_CT_HELPER {rule}') + # Load new nftables ruleset + cmd(f'nft -f {nftables_ct_ignore_file}') + if process_named_running('conntrackd'): # Reload conntrack-sync daemon to fetch new sysctl values resync_conntrackd() -- cgit v1.2.3