author | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-08-16 17:30:01 +0700 |
---|---|---|
committer | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-08-16 17:30:01 +0700 |
commit | f8bffb3660b96ffa6ddb24fe3ed58357f04cefd9 (patch) | |
tree | eda360dfc42039eaea466e65dda5e0706c724ed7 | |
parent | 4d6182800218342eb5ee41af742b5deb5cf74978 (diff) | |
download | vyatta-cfg-system-f8bffb3660b96ffa6ddb24fe3ed58357f04cefd9.tar.gz vyatta-cfg-system-f8bffb3660b96ffa6ddb24fe3ed58357f04cefd9.zip |
Move conntrack options from firewall to system branch, add options for timeout and modules
35 files changed, 361 insertions, 0 deletions
diff --git a/templates/system/conntrack/expect-table-size/node.def b/templates/system/conntrack/expect-table-size/node.def new file mode 100644 index 00000000..889dbdbc --- /dev/null +++ b/templates/system/conntrack/expect-table-size/node.def @@ -0,0 +1,33 @@ +# +# Config template for: firewall conntrack-expect-table-size +# +# This is the table of expectations. Connection tracking expectations are +# the mechanism used to "expect" RELATED connections to existing ones. +# Expectations are generally used by "connection tracking helpers" (sometimes +# called application level gateways [ALGs]) for more complex protocols such as +# FTP, SIP, H.323. +# +# default value when firewall is not set - 2048 +# default value when firewall is set - 4096 +# + +type: u32 + +help: Size of connection tracking expect table + +default: 4096 + +val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000" + +update: + sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_expect_max" + + + + + + + diff --git a/templates/system/conntrack/hash-size/node.def b/templates/system/conntrack/hash-size/node.def new file mode 100644 index 00000000..16b7c6c5 --- /dev/null +++ b/templates/system/conntrack/hash-size/node.def 
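Review bot: The header comment at the top of expect-table-size/node.def still says `Config template for: firewall conntrack-expect-table-size` and lists two defaults (2048 without firewall, 4096 with), which no longer matches the node's new place under `system conntrack` or the single `default: 4096` below it; table-size/node.def carries the same stale header. Suggest rewriting the first comment line as `# Config template for: system conntrack expect-table-size` and replacing the two "default value when firewall is ..." lines with `# default value - 4096`. The sysctl write in `update:` is safe against odd input because `type: u32` and the range in `syntax:expression` are checked before `$VAR(@)` reaches the shell.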
@@ -0,0 +1,18 @@ +help: Hash size for connection tracking table +type: u32 + +default: 4096 + +val_help: u32:1-50000000; Size of hash to use for connection tracking table + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000" + +update: + if ! grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf + then + sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \ + /etc/modprobe.d/vyatta_nf_conntrack.conf" + sudo sh -c "echo options nf_conntrack hashsize=$VAR(@) >> \ + /etc/modprobe.d/vyatta_nf_conntrack.conf" + echo "Updated conntrack hash size. This change will take affect when the system is rebooted." + fi diff --git a/templates/system/conntrack/modules/ftp/disable/node.def b/templates/system/conntrack/modules/ftp/disable/node.def new file mode 100644 index 00000000..40a64d53 --- /dev/null +++ b/templates/system/conntrack/modules/ftp/disable/node.def @@ -0,0 +1,7 @@ +help: Disable FTP connection tracking + +create: sudo rmmod nf_nat_ftp + sudo rmmod nf_conntrack_ftp + +delete: sudo modprobe nf_conntrack_ftp + sudo modprobe nf_nat_ftp
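Review bot: hash-size/node.def has an `update:` that appends `options nf_conntrack hashsize=...` to `/etc/modprobe.d/vyatta_nf_conntrack.conf` but no `delete:` action, so removing the node from the configuration leaves the option in place and the custom hash size silently survives the next reboot. Suggest adding `delete: sudo sed -i -e '/options nf_conntrack hashsize/d' /etc/modprobe.d/vyatta_nf_conntrack.conf`. The initial `grep -q` also prints an error on first use, before the file exists, which `[ -f /etc/modprobe.d/vyatta_nf_conntrack.conf ] &&` in front of it would avoid. The message on the last line should read "take effect", not "take affect".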
\ No newline at end of file diff --git a/templates/system/conntrack/modules/ftp/node.def b/templates/system/conntrack/modules/ftp/node.def new file mode 100644 index 00000000..8e536833 --- /dev/null +++ b/templates/system/conntrack/modules/ftp/node.def @@ -0,0 +1 @@ +help: FTP connection tracking module settings
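Review bot: The `create:` action in ftp/disable/node.def unloads the helper with two bare `rmmod` calls whose exit status is ignored, so when a module is still in use (or not loaded at all) the node commits successfully while the helper stays active; the same applies to gre/disable, h323/disable, sip/disable and tftp/disable. Using `modprobe -r nf_nat_ftp nf_conntrack_ftp || exit 1` here, as the sip `end:` script in this commit already uses `modprobe -r` for its reload, would report the failure to the commit and keep the two styles consistent. Nothing in these hunks prevents the module from being loaded again later (for instance at boot, if something outside this commit loads it), so the disable presumably only holds for the running session — worth confirming and stating in the `help:` text.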
\ No newline at end of file diff --git a/templates/system/conntrack/modules/gre/disable/node.def b/templates/system/conntrack/modules/gre/disable/node.def new file mode 100644 index 00000000..2e2e5cde --- /dev/null +++ b/templates/system/conntrack/modules/gre/disable/node.def @@ -0,0 +1,7 @@ +help: Disable GRE connection tracking + +create: sudo rmmod nf_nat_proto_gre + sudo rmmod nf_conntrack_proto_gre + +delete: sudo modprobe nf_conntrack_proto_gre + sudo modprobe nf_nat_proto_gre
\ No newline at end of file diff --git a/templates/system/conntrack/modules/gre/node.def b/templates/system/conntrack/modules/gre/node.def new file mode 100644 index 00000000..d192f7d4 --- /dev/null +++ b/templates/system/conntrack/modules/gre/node.def @@ -0,0 +1 @@ +help: GRE connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/h323/disable/node.def b/templates/system/conntrack/modules/h323/disable/node.def new file mode 100644 index 00000000..1fb01176 --- /dev/null +++ b/templates/system/conntrack/modules/h323/disable/node.def @@ -0,0 +1,7 @@ +help: Disable H.323 connection tracking + +create: sudo rmmod nf_nat_h323 + sudo rmmod nf_conntrack_h323 + +delete: sudo modprobe nf_conntrack_h323 + sudo modprobe nf_nat_h323
\ No newline at end of file diff --git a/templates/system/conntrack/modules/h323/node.def b/templates/system/conntrack/modules/h323/node.def new file mode 100644 index 00000000..ae4b787e --- /dev/null +++ b/templates/system/conntrack/modules/h323/node.def @@ -0,0 +1 @@ +help: H.323 connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/node.def b/templates/system/conntrack/modules/node.def new file mode 100644 index 00000000..9666287a --- /dev/null +++ b/templates/system/conntrack/modules/node.def @@ -0,0 +1 @@ +help: Connection tracking modules settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/sip/disable/node.def b/templates/system/conntrack/modules/sip/disable/node.def new file mode 100644 index 00000000..d0eaf81f --- /dev/null +++ b/templates/system/conntrack/modules/sip/disable/node.def @@ -0,0 +1,7 @@ +help: Disable SIP connection tracking + +create: sudo rmmod nf_nat_sip + sudo rmmod nf_conntrack_sip + +delete: sudo modprobe nf_conntrack_sip + sudo modprobe nf_nat_sip
\ No newline at end of file diff --git a/templates/system/conntrack/modules/sip/enable-indirect-media/node.def b/templates/system/conntrack/modules/sip/enable-indirect-media/node.def new file mode 100644 index 00000000..c29389ec --- /dev/null +++ b/templates/system/conntrack/modules/sip/enable-indirect-media/node.def @@ -0,0 +1 @@ +help: Option to support for indirect media streams diff --git a/templates/system/conntrack/modules/sip/enable-indirect-signalling/node.def b/templates/system/conntrack/modules/sip/enable-indirect-signalling/node.def new file mode 100644 index 00000000..82782ff8 --- /dev/null +++ b/templates/system/conntrack/modules/sip/enable-indirect-signalling/node.def @@ -0,0 +1 @@ +help: Option to support for indirect signalling streams diff --git a/templates/system/conntrack/modules/sip/node.def b/templates/system/conntrack/modules/sip/node.def new file mode 100644 index 00000000..8c236594 --- /dev/null +++ b/templates/system/conntrack/modules/sip/node.def 
@@ -0,0 +1,61 @@ +help: SIP conntrack options + +end: /bin/cli-shell-api existsEffective system conntrack modules sip disable && exit 0 + reload=0 + sdm=2 + if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_media ]; then + sdm=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_media) + fi + if [ -n "$VAR(./enable-indirect-media)" ]; then + indirectmedia='sip_direct_media=0' + if [ $sdm -ge 1 ]; then reload=1; fi + else + if [ $sdm -eq 0 ]; then reload=1; fi + fi + + sds=2 + if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling ]; then + sds=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling) + fi + if [ -n "$VAR(./enable-indirect-signalling)" ]; then + indirectsignalling='sip_direct_signalling=0' + if [ $sds -ge 1 ]; then reload=1; fi + else + if [ $sds -eq 0 ]; then reload=1; fi + fi + + if [ -n "$VAR(./port/@@)" ]; then + numports=0 + for port in $VAR(./port/@@); do + if [ -z "$portval" ]; then + portval=$port + else + portval="${portval},$port" + fi + (( numports++ )) + done + portopt="ports=$portval" + if [ $numports -gt 8 ]; then + echo "Error: Can not specify more than 8 ports." + exit 1 + fi + reload=1 + fi + + if [ -f /etc/modprobe.d/options ]; then + sudo sed -i '/nf_conntrack_sip/d' /etc/modprobe.d/options + fi + + if [ -n "$indirectmedia" ] || [ -n "$indirectsignalling" ] || \ + [ -n "$portopt" ]; then + sudo sh -c "echo \# Auto-generated by `whoami` at `date` > /etc/modprobe.d/vyatta_sip_options.conf" + sudo sh -c "echo options nf_conntrack_sip $indirectmedia $indirectsignalling $portopt >> /etc/modprobe.d/vyatta_sip_options.conf " + else + sudo rm -f /etc/modprobe.d/vyatta_sip_options.conf + fi + + if [ $reload -eq 1 ]; then + sudo modprobe -r nf_nat_sip nf_conntrack_sip + sudo modprobe nf_conntrack_sip + sudo modprobe nf_nat_sip + fi 
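Review bot: `portval`, `portopt`, `indirectmedia` and `indirectsignalling` are never initialised in the sip `end:` script, yet the loop test `[ -z "$portval" ]` and the final `[ -n "$indirectmedia" ] || [ -n "$indirectsignalling" ] || [ -n "$portopt" ]` depend on them being empty when the script starts; if the handler runs in a shell that already carries those names it would build a wrong options line without any error. Initialise them next to `reload=0`, e.g. `portval=; portopt=; indirectmedia=; indirectsignalling=`. The reload block also ignores the result of `sudo modprobe -r nf_nat_sip nf_conntrack_sip`: if the unload fails because live connections still reference the helper, the two following `modprobe` calls are no-ops, the new options are never applied, and the commit still succeeds; `|| { echo "Error: could not reload nf_conntrack_sip"; exit 1; }` would surface that. The 8-port limit is enforced only here, after the values were accepted, rather than in port/node.def where the other port constraints live.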
diff --git a/templates/system/conntrack/modules/sip/port/node.def b/templates/system/conntrack/modules/sip/port/node.def new file mode 100644 index 00000000..b72f1ca2 --- /dev/null +++ b/templates/system/conntrack/modules/sip/port/node.def @@ -0,0 +1,8 @@ +multi: +type: u32 + +help: Port number that SIP traffic is carried on + +val_help: u32:1-65535; SIP port number + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <=65535) ; "Port number must be in range 1 to 65535" diff --git a/templates/system/conntrack/modules/tftp/disable/node.def b/templates/system/conntrack/modules/tftp/disable/node.def new file mode 100644 index 00000000..3b5dc112 --- /dev/null +++ b/templates/system/conntrack/modules/tftp/disable/node.def @@ -0,0 +1,5 @@ +help: Disable TFTP connection tracking + +create: sudo rmmod nf_conntrack_tftp + +delete: sudo modprobe nf_conntrack_tftp
\ No newline at end of file diff --git a/templates/system/conntrack/modules/tftp/node.def b/templates/system/conntrack/modules/tftp/node.def new file mode 100644 index 00000000..901f52e0 --- /dev/null +++ b/templates/system/conntrack/modules/tftp/node.def @@ -0,0 +1 @@ +help: TFTP connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/node.def b/templates/system/conntrack/node.def new file mode 100644 index 00000000..8a5cf317 --- /dev/null +++ b/templates/system/conntrack/node.def @@ -0,0 +1 @@ +help: Connection tracking engine options
\ No newline at end of file diff --git a/templates/system/conntrack/table-size/node.def b/templates/system/conntrack/table-size/node.def new file mode 100644 index 00000000..310b995f --- /dev/null +++ b/templates/system/conntrack/table-size/node.def @@ -0,0 +1,40 @@ +# +# Config template for: firewall conntrack-table-size +# +# Sets the size of the TCP connection tracking table in the netfilter +# nf_conntrack module, which is used by firewall and NAT. The size of +# this table determines how many TCP connections can be simultaneously +# tracked. If new connections arrive and the table is full, older +# connections will be dropped out of the table. System administrators +# must set the connection tracking table size based on the number of +# connections they expect their system to track. The connection +# tracking table consumes kernel memory, so the size selected should +# be no larger than necessary. +# +# default value when firewall is not set - 16384 +# default value when firewall is set - 32768 +# + +type: u32 + +help: Size of connection tracking table + +default: 32768 + +val_help: u32:1-50000000; Number of entries allowed in connection tracking table + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000" + +update: + sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/nf_conntrack_max" + # need to restart conntrackd with updated conntrack table size + if cli-shell-api existsActive service conntrack-sync; then + sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable + fi + + + + + + diff --git a/templates/system/conntrack/tcp-loose/node.def b/templates/system/conntrack/tcp-loose/node.def new file mode 100644 index 00000000..86489b72 --- /dev/null +++ b/templates/system/conntrack/tcp-loose/node.def 
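Review bot: The header comment in table-size/node.def describes "the size of the TCP connection tracking table", but `/proc/sys/net/nf_conntrack_max`, which the `update:` action writes, bounds the total number of tracked connections of every protocol, not only TCP, so the comment understates what the setting affects (the `help:` text `Size of connection tracking table` is accurate). Suggest `# Sets the size of the connection tracking table (all protocols) in the netfilter`. The `Config template for: firewall conntrack-table-size` line and the two firewall-dependent defaults in the same comment are likewise stale now that the node lives under `system conntrack` with a single `default: 32768`.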
@@ -0,0 +1,53 @@ +# +# This parameter directs the netfilter TCP connection tracking modules +# (nf_conntrack, and others) to either allow or disallow the tracking +# of TCP connections which are "previously established". This +# includes all cases where the three-way connection opening handshake +# was not seen by this machine. That includes the case the connection +# was opened before this machine booted. It also includes cases where +# the packets comprising the three-way handshake were routed via some +# other router. +# +# If this parameter is set to "enable", tracking such connections is +# allowed. If disabled, such tracking is disabled. +# default value - 1 + +type: txt + +help: Policy to track previously established connections + +val_help: enable; Allow tracking of previously established connections +val_help: disable; Do not allow tracking of previously established connections + +default: "enable" + +syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable" + +update: + if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then + sudo modprobe nf_conntrack_ipv4 + fi + if [ "$VAR(@)" = "enable" ]; then + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose" + elif [ "$VAR(@)" = "disable" ]; then + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose" + else + echo "Invalid parameter: $VAR(@)" + exit 1 + fi + +delete: + if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then + sudo modprobe nf_conntrack_ipv4 + fi + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose" + + + + + + + diff --git a/templates/system/conntrack/timeout/generic/node.def b/templates/system/conntrack/timeout/generic/node.def new file mode 100644 index 00000000..570fbbba --- /dev/null +++ b/templates/system/conntrack/timeout/generic/node.def 
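Review bot: The `else` branch in the `update:` action of tcp-loose/node.def (`Invalid parameter: ...`) is unreachable, because `syntax:expression: $VAR(@) in "enable", "disable"` rejects any other value before `update:` runs; keeping it is harmless, but a comment such as `# defensive: the syntax check above already restricts the value` would explain why it is there. The node also writes the IPv4 compatibility sysctl `/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose` and loads nf_conntrack_ipv4 only to make that file appear, while every timeout node in this commit uses the protocol-independent `/proc/sys/net/netfilter/` tree; if the target kernel exposes `/proc/sys/net/netfilter/nf_conntrack_tcp_loose`, using it here would drop the modprobe and the IPv4-only dependency — worth confirming on the target kernel.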
@@ -0,0 +1,8 @@ +type: u32 + +help: Generic connection timeout in seconds + +default: 600 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_generic_timeout"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/icmp/node.def b/templates/system/conntrack/timeout/icmp/node.def new file mode 100644 index 00000000..4d0c025e --- /dev/null +++ b/templates/system/conntrack/timeout/icmp/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: ICMP timeout in seconds + +default: 30 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_icmp_timeout"
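Review bot: timeout/generic/node.def sets `/proc/sys/net/netfilter/nf_conntrack_generic_timeout` in `update:` but has no `delete:` action, so once the node is removed from the configuration the sysctl keeps the last configured value instead of returning to `default: 600`; the same holds for the icmp, tcp/close-wait, tcp/close, tcp/established, tcp/fin-wait, tcp/last-ack, tcp/max-retrans, tcp/syn-recv, tcp/syn-sent, tcp/time-wait, udp/generic and udp/stream nodes. Suggest adding, per node, `delete: sudo sh -c "echo 600 > /proc/sys/net/netfilter/nf_conntrack_generic_timeout"` with that node's own default. These nodes also carry only `type: u32` and no `syntax:expression`, so 0 and very large values are accepted without the range check the table-size nodes have; how the kernel treats 0 for these sysctls is not visible here. Several help strings (`TCP last ACK timeout`, `TCP max retrans`, `TCP time wait`, `UDP timeout`) omit the unit the others state, and `max-retrans` is a retransmission count rather than a timeout, which its help text should say.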
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/node.def b/templates/system/conntrack/timeout/node.def new file mode 100644 index 00000000..f0193c60 --- /dev/null +++ b/templates/system/conntrack/timeout/node.def @@ -0,0 +1 @@ +help: Connection timeout options
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/close-wait/node.def b/templates/system/conntrack/timeout/tcp/close-wait/node.def new file mode 100644 index 00000000..1c819170 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/close-wait/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP close wait timeout in seconds + +default: 60 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/close/node.def b/templates/system/conntrack/timeout/tcp/close/node.def new file mode 100644 index 00000000..30ffad0c --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/close/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP close timeout in seconds + +default: 10 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/established/node.def b/templates/system/conntrack/timeout/tcp/established/node.def new file mode 100644 index 00000000..6b0c80fa --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/established/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP established timeout in seconds + +default: 432000 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/fin-wait/node.def b/templates/system/conntrack/timeout/tcp/fin-wait/node.def new file mode 100644 index 00000000..33966170 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/fin-wait/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP FIN wait timeout in seconds + +default: 120 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/last-ack/node.def b/templates/system/conntrack/timeout/tcp/last-ack/node.def new file mode 100644 index 00000000..767f80e7 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/last-ack/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP last ACK timeout + +default: 30 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_last_ack"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/max-retrans/node.def b/templates/system/conntrack/timeout/tcp/max-retrans/node.def new file mode 100644 index 00000000..986a4f57 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/max-retrans/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP max retrans + +default: 3 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_max_retrans"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/node.def b/templates/system/conntrack/timeout/tcp/node.def new file mode 100644 index 00000000..2b67c51c --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/node.def @@ -0,0 +1 @@ +help: TCP connection timeout options
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/syn-recv/node.def b/templates/system/conntrack/timeout/tcp/syn-recv/node.def new file mode 100644 index 00000000..70fe4306 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/syn-recv/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP SYN received timeout in seconds + +default: 60 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/syn-sent/node.def b/templates/system/conntrack/timeout/tcp/syn-sent/node.def new file mode 100644 index 00000000..5ca64627 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/syn-sent/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP SYN received timeout in seconds + +default: 120 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent"
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/time-wait/node.def b/templates/system/conntrack/timeout/tcp/time-wait/node.def new file mode 100644 index 00000000..d439ac6e --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/time-wait/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP time wait + +default: 120 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/ net/netfilter/nf_conntrack_tcp_timeout_time_wait"
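Review bot: The `help:` line in timeout/tcp/syn-sent/node.def reads `TCP SYN received timeout in seconds`, copied from the syn-recv node, while the sysctl it writes is `nf_conntrack_tcp_timeout_syn_sent`. Change it to `help: TCP SYN sent timeout in seconds`.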
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/udp/generic/node.def b/templates/system/conntrack/timeout/udp/generic/node.def new file mode 100644 index 00000000..b15bc39e --- /dev/null +++ b/templates/system/conntrack/timeout/udp/generic/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: UDP generic timeout in seconds + +default: 30 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_udp_timeout"
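Review bot: The sysctl path in the `update:` action of timeout/tcp/time-wait/node.def contains a space, `/proc/sys/ net/netfilter/nf_conntrack_tcp_timeout_time_wait`; if that space is in the committed file and not a rendering artefact, the redirection targets the directory `/proc/sys/` (which fails) and `net/netfilter/...` becomes an argument to `echo`, so the configured value is never applied. The fix is the continuation line `/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait"` with no space. The help text `TCP time wait` should also state the unit like its siblings, e.g. `help: TCP time wait timeout in seconds`.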
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/udp/node.def b/templates/system/conntrack/timeout/udp/node.def new file mode 100644 index 00000000..7ee8fd31 --- /dev/null +++ b/templates/system/conntrack/timeout/udp/node.def @@ -0,0 +1 @@ +help: UDP timeout
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/udp/stream/node.def b/templates/system/conntrack/timeout/udp/stream/node.def new file mode 100644 index 00000000..96c67ed5 --- /dev/null +++ b/templates/system/conntrack/timeout/udp/stream/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: UDP stream timeout in seconds + +default: 180 + +update: sudo sh -c "echo $VAR(@) > \ + /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream"
\ No newline at end of file |