From 80068c8ce453a385981999c25e4ff5aeaa6bf030 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Thu, 18 Jan 2024 22:05:16 +0100
Subject: conntrack: T5376: T5779: backport from current

Backport of the conntrack system from current branch.

(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
---
 .../conntrack/timeout-custom-protocols.xml.i       | 136 ++++++++
 .../firewall/source-destination-group-ipv4.xml.i   |  41 +++
 .../include/version/conntrack-version.xml.i        |   2 +-
 interface-definitions/system_conntrack.xml.in      | 367 +++++++++++++++------
 4 files changed, 445 insertions(+), 101 deletions(-)
 create mode 100644 interface-definitions/include/conntrack/timeout-custom-protocols.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-group-ipv4.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/conntrack/timeout-custom-protocols.xml.i b/interface-definitions/include/conntrack/timeout-custom-protocols.xml.i
new file mode 100644
index 000000000..e6bff7e4d
--- /dev/null
+++ b/interface-definitions/include/conntrack/timeout-custom-protocols.xml.i
@@ -0,0 +1,136 @@
+<!-- include start from conntrack/timeout-custom-protocols.xml.i -->
+<node name="tcp">
+  <properties>
+    <help>TCP connection timeout options</help>
+  </properties>
+  <children>
+    <leafNode name="close-wait">
+      <properties>
+        <help>TCP CLOSE-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP CLOSE-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="close">
+      <properties>
+        <help>TCP CLOSE timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP CLOSE timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="established">
+      <properties>
+        <help>TCP ESTABLISHED timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP ESTABLISHED timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="fin-wait">
+      <properties>
+        <help>TCP FIN-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP FIN-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="last-ack">
+      <properties>
+        <help>TCP LAST-ACK timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP LAST-ACK timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="syn-recv">
+      <properties>
+        <help>TCP SYN-RECEIVED timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP SYN-RECEIVED timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="syn-sent">
+      <properties>
+        <help>TCP SYN-SENT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP SYN-SENT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="time-wait">
+      <properties>
+        <help>TCP TIME-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP TIME-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="udp">
+  <properties>
+    <help>UDP timeout options</help>
+  </properties>
+  <children>
+    <leafNode name="replied">
+      <properties>
+        <help>Timeout for UDP connection seen in both directions</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>Timeout for UDP connection seen in both directions</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="unreplied">
+      <properties>
+        <help>Timeout for unreplied UDP</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>Timeout for unreplied UDP</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
new file mode 100644
index 000000000..8c34fb933
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/source-destination-group-ipv4.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
index 696f76362..6995ce119 100644
--- a/interface-definitions/include/version/conntrack-version.xml.i
+++ b/interface-definitions/include/version/conntrack-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/conntrack-version.xml.i -->
-<syntaxVersion component='conntrack' version='3'></syntaxVersion>
+<syntaxVersion component='conntrack' version='5'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index ed5b7e8e0..a348097cc 100644
--- a/interface-definitions/system_conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
@@ -9,6 +9,12 @@
           <priority>218</priority>
         </properties>
         <children>
+          <leafNode name="flow-accounting">
+            <properties>
+              <help>Enable connection tracking flow accounting</help>
+              <valueless/>
+            </properties>
+          </leafNode>
           <leafNode name="expect-table-size">
             <properties>
               <help>Size of connection tracking expect table</help>
@@ -40,82 +46,179 @@
               <help>Customized rules to ignore selective connection tracking</help>
             </properties>
             <children>
-              <tagNode name="rule">
+              <node name="ipv4">
                 <properties>
-                  <help>Rule number</help>
-                  <valueHelp>
-                    <format>u32:1-999999</format>
-                    <description>Number of conntrack ignore rule</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-999999"/>
-                  </constraint>
-                  <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
+                  <help>IPv4 rules</help>
                 </properties>
                 <children>
-                  #include <include/generic-description.xml.i>
-                  <node name="destination">
+                  <tagNode name="rule">
                     <properties>
-                      <help>Destination parameters</help>
+                      <help>Rule number</help>
+                      <valueHelp>
+                        <format>u32:1-999999</format>
+                        <description>Number of conntrack ignore rule</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-999999"/>
+                      </constraint>
+                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                     </properties>
                     <children>
-                      #include <include/nat-address.xml.i>
-                      #include <include/nat-port.xml.i>
+                      #include <include/generic-description.xml.i>
+                      <node name="destination">
+                        <properties>
+                          <help>Destination parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/source-destination-group-ipv4.xml.i>
+                          #include <include/nat-address.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
+                      <leafNode name="inbound-interface">
+                        <properties>
+                          <help>Interface to ignore connections tracking on</help>
+                          <completionHelp>
+                            <list>any</list>
+                            <script>${vyos_completion_dir}/list_interfaces</script>
+                          </completionHelp>
+                        </properties>
+                      </leafNode>
+                      #include <include/ip-protocol.xml.i>
+                      <leafNode name="protocol">
+                        <properties>
+                          <help>Protocol to match (protocol name, number, or "all")</help>
+                          <completionHelp>
+                            <script>${vyos_completion_dir}/list_protocols.sh</script>
+                            <list>all tcp_udp</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>all</format>
+                            <description>All IP protocols</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>tcp_udp</format>
+                            <description>Both TCP and UDP</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>u32:0-255</format>
+                            <description>IP protocol number</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>!&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="ip-protocol"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                      <node name="source">
+                        <properties>
+                          <help>Source parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/source-destination-group-ipv4.xml.i>
+                          #include <include/nat-address.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
+                      #include <include/firewall/tcp-flags.xml.i>
                     </children>
-                  </node>
-                  <leafNode name="inbound-interface">
-                    <properties>
-                      <help>Interface to ignore connections tracking on</help>
-                      <completionHelp>
-                        <list>any</list>
-                        <script>${vyos_completion_dir}/list_interfaces</script>
-                      </completionHelp>
-                    </properties>
-                  </leafNode>
-                  #include <include/ip-protocol.xml.i>
-                  <leafNode name="protocol">
+                  </tagNode>
+                </children>
+              </node>
+              <node name="ipv6">
+                <properties>
+                  <help>IPv6 rules</help>
+                </properties>
+                <children>
+                  <tagNode name="rule">
                     <properties>
-                      <help>Protocol to match (protocol name, number, or "all")</help>
-                      <completionHelp>
-                        <script>${vyos_completion_dir}/list_protocols.sh</script>
-                        <list>all tcp_udp</list>
-                      </completionHelp>
-                      <valueHelp>
-                        <format>all</format>
-                        <description>All IP protocols</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>tcp_udp</format>
-                        <description>Both TCP and UDP</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>u32:0-255</format>
-                        <description>IP protocol number</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>&lt;protocol&gt;</format>
-                        <description>IP protocol name</description>
-                      </valueHelp>
+                      <help>Rule number</help>
                       <valueHelp>
-                        <format>!&lt;protocol&gt;</format>
-                        <description>IP protocol name</description>
+                        <format>u32:1-999999</format>
+                        <description>Number of conntrack ignore rule</description>
                       </valueHelp>
                       <constraint>
-                        <validator name="ip-protocol"/>
+                        <validator name="numeric" argument="--range 1-999999"/>
                       </constraint>
-                    </properties>
-                  </leafNode>
-                  <node name="source">
-                    <properties>
-                      <help>Source parameters</help>
+                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                     </properties>
                     <children>
-                      #include <include/nat-address.xml.i>
-                      #include <include/nat-port.xml.i>
+                      #include <include/generic-description.xml.i>
+                      <node name="destination">
+                        <properties>
+                          <help>Destination parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/address-ipv6.xml.i>
+                          #include <include/firewall/source-destination-group-ipv6.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
+                      <leafNode name="inbound-interface">
+                        <properties>
+                          <help>Interface to ignore connections tracking on</help>
+                          <completionHelp>
+                            <list>any</list>
+                            <script>${vyos_completion_dir}/list_interfaces</script>
+                          </completionHelp>
+                        </properties>
+                      </leafNode>
+                      #include <include/ip-protocol.xml.i>
+                      <leafNode name="protocol">
+                        <properties>
+                          <help>Protocol to match (protocol name, number, or "all")</help>
+                          <completionHelp>
+                            <script>${vyos_completion_dir}/list_protocols.sh</script>
+                            <list>all tcp_udp</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>all</format>
+                            <description>All IP protocols</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>tcp_udp</format>
+                            <description>Both TCP and UDP</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>u32:0-255</format>
+                            <description>IP protocol number</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>!&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="ip-protocol"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                      <node name="source">
+                        <properties>
+                          <help>Source parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/address-ipv6.xml.i>
+                          #include <include/firewall/source-destination-group-ipv6.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
+                      #include <include/firewall/tcp-flags.xml.i>
                     </children>
-                  </node>
+                  </tagNode>
                 </children>
-              </tagNode>
+              </node>
+
             </children>
           </node>
           <node name="log">
@@ -282,58 +385,122 @@
                   <help>Define custom timeouts per connection</help>
                 </properties>
                 <children>
-                  <tagNode name="rule">
+                  <node name="ipv4">
                     <properties>
-                      <help>Rule number</help>
-                      <valueHelp>
-                        <format>u32:1-999999</format>
-                        <description>Number of conntrack rule</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 1-999999"/>
-                      </constraint>
-                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
+                      <help>IPv4 rules</help>
                     </properties>
                     <children>
-                      #include <include/generic-description.xml.i>
-                      <node name="destination">
+                      <tagNode name="rule">
                         <properties>
-                          <help>Destination parameters</help>
+                          <help>Rule number</help>
+                          <valueHelp>
+                            <format>u32:1-999999</format>
+                            <description>Number of conntrack rule</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="numeric" argument="--range 1-999999"/>
+                          </constraint>
+                          <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                         </properties>
                         <children>
-                          #include <include/nat-address.xml.i>
-                          #include <include/nat-port.xml.i>
+                          #include <include/generic-description.xml.i>
+                          <node name="destination">
+                            <properties>
+                              <help>Destination parameters</help>
+                            </properties>
+                            <children>
+                              #include <include/nat-address.xml.i>
+                              #include <include/nat-port.xml.i>
+                            </children>
+                          </node>
+                          <leafNode name="inbound-interface">
+                            <properties>
+                              <help>Interface to ignore connections tracking on</help>
+                              <completionHelp>
+                                <list>any</list>
+                                <script>${vyos_completion_dir}/list_interfaces</script>
+                              </completionHelp>
+                            </properties>
+                          </leafNode>
+                          <node name="protocol">
+                            <properties>
+                              <help>Customize protocol specific timers, one protocol configuration per rule</help>
+                            </properties>
+                            <children>
+                              #include <include/conntrack/timeout-custom-protocols.xml.i>
+                            </children>
+                          </node>
+                          <node name="source">
+                            <properties>
+                              <help>Source parameters</help>
+                            </properties>
+                            <children>
+                              #include <include/nat-address.xml.i>
+                              #include <include/nat-port.xml.i>
+                            </children>
+                          </node>
                         </children>
-                      </node>
-                      <leafNode name="inbound-interface">
-                        <properties>
-                          <help>Interface to ignore connections tracking on</help>
-                          <completionHelp>
-                            <list>any</list>
-                            <script>${vyos_completion_dir}/list_interfaces</script>
-                          </completionHelp>
-                        </properties>
-                      </leafNode>
-                      #include <include/ip-protocol.xml.i>
-                      <node name="protocol">
-                        <properties>
-                          <help>Customize protocol specific timers, one protocol configuration per rule</help>
-                        </properties>
-                        <children>
-                          #include <include/conntrack/timeout-common-protocols.xml.i>
-                        </children>
-                      </node>
-                      <node name="source">
+                      </tagNode>
+                    </children>
+                  </node>
+                  <node name="ipv6">
+                    <properties>
+                      <help>IPv6 rules</help>
+                    </properties>
+                    <children>
+                      <tagNode name="rule">
                         <properties>
-                          <help>Source parameters</help>
+                          <help>Rule number</help>
+                          <valueHelp>
+                            <format>u32:1-999999</format>
+                            <description>Number of conntrack rule</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="numeric" argument="--range 1-999999"/>
+                          </constraint>
+                          <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                         </properties>
                         <children>
-                          #include <include/nat-address.xml.i>
-                          #include <include/nat-port.xml.i>
+                          #include <include/generic-description.xml.i>
+                          <node name="destination">
+                            <properties>
+                              <help>Destination parameters</help>
+                            </properties>
+                            <children>
+                              #include <include/firewall/address-ipv6.xml.i>
+                              #include <include/nat-port.xml.i>
+                            </children>
+                          </node>
+                          <leafNode name="inbound-interface">
+                            <properties>
+                              <help>Interface to ignore connections tracking on</help>
+                              <completionHelp>
+                                <list>any</list>
+                                <script>${vyos_completion_dir}/list_interfaces</script>
+                              </completionHelp>
+                            </properties>
+                          </leafNode>
+                          <node name="protocol">
+                            <properties>
+                              <help>Customize protocol specific timers, one protocol configuration per rule</help>
+                            </properties>
+                            <children>
+                              #include <include/conntrack/timeout-custom-protocols.xml.i>
+                            </children>
+                          </node>
+                          <node name="source">
+                            <properties>
+                              <help>Source parameters</help>
+                            </properties>
+                            <children>
+                              #include <include/firewall/address-ipv6.xml.i>
+                              #include <include/nat-port.xml.i>
+                            </children>
+                          </node>
                         </children>
-                      </node>
+                      </tagNode>
                     </children>
-                  </tagNode>
+                  </node>
                 </children>
               </node>
               #include <include/conntrack/timeout-common-protocols.xml.i>
-- 
cgit v1.2.3