authorDaniil Baturin <daniil@vyos.io>2021-09-11 08:43:31 +0700
committerGitHub <noreply@github.com>2021-09-11 08:43:31 +0700
commitcfa304a4c6fafdb43d04f00159ac3203552f5704 (patch)
tree56b9a98f4358827d79e34e7c54af09dc2603f6ff
parenta61ce05031a7dc27c1cde85fae54510d32b92b3e (diff)
parentc79318fb72da1f2d49142b69f3b938d2107a7913 (diff)
downloadvyatta-conntrack-cfa304a4c6fafdb43d04f00159ac3203552f5704.tar.gz
vyatta-conntrack-cfa304a4c6fafdb43d04f00159ac3203552f5704.zip
Merge pull request #5 from erkin/equuleus
T3275: conntrack: Migrate conntrack helper
-rw-r--r--Makefile.am4
-rw-r--r--cfg-version/conntrack@20
-rw-r--r--scripts/vyatta-cthelper.pl78
-rw-r--r--templates-cfg/system/conntrack/expect-table-size/node.def31
-rw-r--r--templates-cfg/system/conntrack/hash-size/node.def18
-rw-r--r--templates-cfg/system/conntrack/modules/ftp/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/ftp/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/h323/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/h323/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/nfs/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/nfs/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/pptp/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/pptp/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sip/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sip/node.def75
-rw-r--r--templates-cfg/system/conntrack/modules/sip/port/node.def8
-rw-r--r--templates-cfg/system/conntrack/modules/sqlnet/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/sqlnet/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/tftp/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/tftp/node.def1
-rw-r--r--templates-cfg/system/conntrack/node.def24
-rw-r--r--templates-cfg/system/conntrack/table-size/node.def38
-rw-r--r--templates-cfg/system/conntrack/tcp/half-open-connections/node.def13
-rw-r--r--templates-cfg/system/conntrack/tcp/loose/node.def43
-rw-r--r--templates-cfg/system/conntrack/tcp/max-retrans/node.def13
-rw-r--r--templates-cfg/system/conntrack/tcp/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/icmp/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/other/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/close/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/established/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/udp/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/udp/other/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/udp/stream/node.def13
44 files changed, 0 insertions, 563 deletions
diff --git a/Makefile.am b/Makefile.am
index 0a490bb..d35ad8e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,6 @@
cfgdir = $(datadir)/vyatta-cfg/templates
opdir = $(datadir)/vyatta-op/templates
share_perl5dir = $(datarootdir)/perl5/Vyatta/Conntrack
-curverdir = $(sysconfdir)/config-migrate/current
modprobedir = /etc/modprobe.d
vprefix = /opt/vyatta
@@ -24,12 +23,9 @@ bin_sudo_usersdir = $(bindir)/sudo-users
bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-timeouts.pl
-bin_sudo_users_SCRIPTS += scripts/vyatta-cthelper.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-ignore.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-show-ignore.pl
-curver_DATA = cfg-version/conntrack@2
-
modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack.conf
cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
diff --git a/cfg-version/conntrack@2 b/cfg-version/conntrack@2
deleted file mode 100644
index e69de29..0000000
--- a/cfg-version/conntrack@2
+++ /dev/null
diff --git a/scripts/vyatta-cthelper.pl b/scripts/vyatta-cthelper.pl
deleted file mode 100644
index 8063586..0000000
--- a/scripts/vyatta-cthelper.pl
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/usr/bin/perl
-
-use lib "/opt/vyatta/share/perl5";
-use warnings;
-use strict;
-
-use Vyatta::Config;
-use Vyatta::Conntrack::ConntrackUtil;
-use Vyatta::IpTables::Mgr;
-use Getopt::Long;
-use Sys::Syslog qw(:standard :macros);
-
-#for future
-my %cmd_hash = (
- 'ipv4' => 'iptables',
- 'ipv6' => 'ip6tables'
-);
-
-my $nfct = "sudo /usr/sbin/nfct";
-my ($enable_sqlnet, $disable_sqlnet, $enable_nfs, $disable_nfs);
-my $CTERROR = "Conntrack error:";
-
-GetOptions(
- 'enable_sqlnet=s' => \$enable_sqlnet,
- 'disable_sqlnet=s' => \$disable_sqlnet,
- 'disable_nfs=s' => \$disable_nfs,
- 'enable_nfs=s' => \$enable_nfs,
-);
-
-# subroutine to add helper rule to VYATTA_CT_HELPER chain.
-sub add_helper_to_chain {
- my ($module) = @_;
- my $iptables_cmd = $cmd_hash{'ipv4'};
- if ($module eq 'sqlnet') {
- run_cmd("$iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper tns");
- run_cmd("$iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper tns");
- run_cmd("$iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1536 -j CT --helper tns");
- } elsif ($module eq 'nfs') {
- run_cmd(" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper rpc");
- run_cmd(" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p udp --dport 111 -j CT --helper rpc");
- }
-}
-
-# subroutine to delete helper rule from VYATTA_CT_HELPER chain.
-sub delete_helper_from_chain {
- my ($module) = @_;
- my $iptables_cmd = $cmd_hash{'ipv4'};
- if ($module eq 'sqlnet') {
- run_cmd("$iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper tns");
- run_cmd("$iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper tns");
- run_cmd("$iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1536 -j CT --helper tns");
- } elsif ($module eq 'nfs') {
- run_cmd("$iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper rpc");
- run_cmd("$iptables_cmd -D VYATTA_CT_HELPER -t raw -p udp --dport 111 -j CT --helper rpc");
- }
-}
-
-# should disable the required helper module
-sub disable_helper_module {
- my ($module) = @_;
- delete_helper_from_chain($module);
-}
-
-# should enable the required helper module
-sub enable_helper_module {
- my ($module) = @_;
- add_helper_to_chain($module);
-}
-
-if (defined $enable_sqlnet){
- enable_helper_module("sqlnet");
-} elsif (defined $disable_sqlnet) {
- disable_helper_module("sqlnet");
-} elsif (defined $enable_nfs) {
- enable_helper_module("nfs");
-} elsif (defined $disable_nfs) {
- disable_helper_module("nfs");
-}
diff --git a/templates-cfg/system/conntrack/expect-table-size/node.def b/templates-cfg/system/conntrack/expect-table-size/node.def
deleted file mode 100644
index 9ff72c7..0000000
--- a/templates-cfg/system/conntrack/expect-table-size/node.def
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Config template for: system conntrack expect-table-size
-#
-# This is the table of expectations. Connection tracking expectations are
-# the mechanism used to "expect" RELATED connections to existing ones.
-# Expectations are generally used by "connection tracking helpers" (sometimes
-# called application level gateways [ALGs]) for more complex protocols such as
-# FTP, SIP, H.323.
-#
-# default value: 2048
-#
-
-type: u32
-
-help: Size of connection tracking expect table
-
-default: 2048
-
-val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
-
-update:
- sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=$VAR(@)
-
-
-
-
-
-
-
diff --git a/templates-cfg/system/conntrack/hash-size/node.def b/templates-cfg/system/conntrack/hash-size/node.def
deleted file mode 100644
index 8e702c7..0000000
--- a/templates-cfg/system/conntrack/hash-size/node.def
+++ /dev/null
@@ -1,18 +0,0 @@
-help: Hash size for connection tracking table
-type: u32
-
-default: 32768
-
-val_help: u32:1-50000000; Size of hash to use for connection tracking table
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
-
-update:
- if ! grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf
- then
- sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
- /etc/modprobe.d/vyatta_nf_conntrack.conf"
- sudo sh -c "echo options nf_conntrack hashsize=$VAR(@) nf_conntrack_helper=1 >> \
- /etc/modprobe.d/vyatta_nf_conntrack.conf"
- echo "Updated conntrack hash size. This change will take affect when the system is rebooted."
- fi
diff --git a/templates-cfg/system/conntrack/modules/ftp/disable/node.def b/templates-cfg/system/conntrack/modules/ftp/disable/node.def
deleted file mode 100644
index 0b2b53e..0000000
--- a/templates-cfg/system/conntrack/modules/ftp/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: Disable FTP connection tracking
-
-create: sudo rmmod nf_nat_ftp
- sudo rmmod nf_conntrack_ftp
-
-delete: sudo modprobe nf_conntrack_ftp
- sudo modprobe nf_nat_ftp
diff --git a/templates-cfg/system/conntrack/modules/ftp/node.def b/templates-cfg/system/conntrack/modules/ftp/node.def
deleted file mode 100644
index 52859ac..0000000
--- a/templates-cfg/system/conntrack/modules/ftp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: FTP connection tracking settings
diff --git a/templates-cfg/system/conntrack/modules/h323/disable/node.def b/templates-cfg/system/conntrack/modules/h323/disable/node.def
deleted file mode 100644
index e20d36b..0000000
--- a/templates-cfg/system/conntrack/modules/h323/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: Disable H.323 connection tracking
-
-create: sudo rmmod nf_nat_h323
- sudo rmmod nf_conntrack_h323
-
-delete: sudo modprobe nf_conntrack_h323
- sudo modprobe nf_nat_h323
diff --git a/templates-cfg/system/conntrack/modules/h323/node.def b/templates-cfg/system/conntrack/modules/h323/node.def
deleted file mode 100644
index 33f0eca..0000000
--- a/templates-cfg/system/conntrack/modules/h323/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: H.323 connection tracking settings
diff --git a/templates-cfg/system/conntrack/modules/nfs/disable/node.def b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
deleted file mode 100644
index 90f9103..0000000
--- a/templates-cfg/system/conntrack/modules/nfs/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: disable NFS protocol connection tracking helper
-
-end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
- sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_nfs=nfs
- else
- sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_nfs=nfs
- fi;
diff --git a/templates-cfg/system/conntrack/modules/nfs/node.def b/templates-cfg/system/conntrack/modules/nfs/node.def
deleted file mode 100644
index 3d1fb34..0000000
--- a/templates-cfg/system/conntrack/modules/nfs/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: NFS protocol connection tracking helper settting
diff --git a/templates-cfg/system/conntrack/modules/node.def b/templates-cfg/system/conntrack/modules/node.def
deleted file mode 100644
index 25cba5d..0000000
--- a/templates-cfg/system/conntrack/modules/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Connection tracking modules settings
diff --git a/templates-cfg/system/conntrack/modules/pptp/disable/node.def b/templates-cfg/system/conntrack/modules/pptp/disable/node.def
deleted file mode 100644
index 8051889..0000000
--- a/templates-cfg/system/conntrack/modules/pptp/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: Disable PPTP connection tracking
-
-create: sudo rmmod nf_nat_pptp
- sudo rmmod nf_conntrack_pptp
-
-delete: sudo modprobe nf_conntrack_pptp
- sudo modprobe nf_nat_pptp
diff --git a/templates-cfg/system/conntrack/modules/pptp/node.def b/templates-cfg/system/conntrack/modules/pptp/node.def
deleted file mode 100644
index 3733f31..0000000
--- a/templates-cfg/system/conntrack/modules/pptp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: PPTP connection tracking settings
diff --git a/templates-cfg/system/conntrack/modules/sip/disable/node.def b/templates-cfg/system/conntrack/modules/sip/disable/node.def
deleted file mode 100644
index cea57e1..0000000
--- a/templates-cfg/system/conntrack/modules/sip/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: Disable SIP connection tracking
-
-create: sudo rmmod nf_nat_sip
- sudo rmmod nf_conntrack_sip
-
-delete: sudo modprobe nf_conntrack_sip
- sudo modprobe nf_nat_sip
diff --git a/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def b/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def
deleted file mode 100644
index c29389e..0000000
--- a/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to support for indirect media streams
diff --git a/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def b/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def
deleted file mode 100644
index 82782ff..0000000
--- a/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to support for indirect signalling streams
diff --git a/templates-cfg/system/conntrack/modules/sip/node.def b/templates-cfg/system/conntrack/modules/sip/node.def
deleted file mode 100644
index 320fb71..0000000
--- a/templates-cfg/system/conntrack/modules/sip/node.def
+++ /dev/null
@@ -1,75 +0,0 @@
-help: SIP connection tracking settings
-
-end: /bin/cli-shell-api exists system conntrack modules sip disable && exit 0
- reload=0
- sdm=2
- defaultport=5060
- portopt="ports="
- portval=""
- portpath="system conntrack modules sip port"
-
- if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_media ]; then
- sdm=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_media)
- fi
- if [ -n "$VAR(./enable-indirect-media)" ]; then
- indirectmedia='sip_direct_media=0'
- if [ $sdm -ge 1 ]; then reload=1; fi
- else
- if [ $sdm -eq 0 ]; then reload=1; fi
- fi
-
- sds=2
- if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling ]; then
- sds=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling)
- fi
- if [ -n "$VAR(./enable-indirect-signalling)" ]; then
- indirectsignalling='sip_direct_signalling=0'
- if [ $sds -ge 1 ]; then reload=1; fi
- else
- if [ $sds -eq 0 ]; then reload=1; fi
- fi
-
- if [ -n "$VAR(./port/@@)" ]; then
- numports=0
- for port in $VAR(./port/@@); do
- if [ -z "$portval" ]; then
- portval=$port
- else
- portval="${portval},$port"
- fi
- (( numports++ ))
- done
- if [ $numports -gt 8 ]; then
- echo "Error: Can not specify more than 8 ports."
- exit 1
- fi
- fi
-
- if [ "$portval" != "" ]; then
- portopt="${portopt}$portval"
- else
- portopt="${portopt}$defaultport"
- fi
-
- if [ "`cli-shell-api returnValues $portpath`" != "`cli-shell-api returnEffectiveValues $portpath`" ]; then
- reload=1
- fi
-
- if [ -f /etc/modprobe.d/options ]; then
- sudo sed -i '/nf_conntrack_sip/d' /etc/modprobe.d/options
- fi
-
- if [ -n "$indirectmedia" ] || [ -n "$indirectsignalling" ] || \
- [ -n "$portopt" ]; then
- sudo sh -c "echo \# Auto-generated by `whoami` at `date` > /etc/modprobe.d/vyatta_sip_options.conf"
- sudo sh -c "echo options nf_conntrack_sip $indirectmedia $indirectsignalling $portopt >> /etc/modprobe.d/vyatta_sip_options.conf "
- else
- sudo rm -f /etc/modprobe.d/vyatta_sip_options.conf
- fi
-
- if [ $reload -eq 1 ]; then
- sudo modprobe -r nf_nat_sip nf_conntrack_sip
- sudo modprobe nf_conntrack_sip
- sudo modprobe nf_nat_sip
- fi
-
diff --git a/templates-cfg/system/conntrack/modules/sip/port/node.def b/templates-cfg/system/conntrack/modules/sip/port/node.def
deleted file mode 100644
index b72f1ca..0000000
--- a/templates-cfg/system/conntrack/modules/sip/port/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-multi:
-type: u32
-
-help: Port number that SIP traffic is carried on
-
-val_help: u32:1-65535; SIP port number
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <=65535) ; "Port number must be in range 1 to 65535"
diff --git a/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
deleted file mode 100644
index aac316b..0000000
--- a/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: disable SQLnet protocol connection tracking helper
-
-end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
- sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_sqlnet=sqlnet
- else
- sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_sqlnet=sqlnet
- fi;
diff --git a/templates-cfg/system/conntrack/modules/sqlnet/node.def b/templates-cfg/system/conntrack/modules/sqlnet/node.def
deleted file mode 100644
index a62048e..0000000
--- a/templates-cfg/system/conntrack/modules/sqlnet/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: SQLnet protocol connection tracking helper setting
diff --git a/templates-cfg/system/conntrack/modules/tftp/disable/node.def b/templates-cfg/system/conntrack/modules/tftp/disable/node.def
deleted file mode 100644
index ebdecf4..0000000
--- a/templates-cfg/system/conntrack/modules/tftp/disable/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: Disable TFTP connection tracking
-
-create: sudo rmmod nf_nat_tftp
- sudo rmmod nf_conntrack_tftp
-
-delete: sudo modprobe nf_conntrack_tftp
- sudo modprobe nf_nat_tftp
diff --git a/templates-cfg/system/conntrack/modules/tftp/node.def b/templates-cfg/system/conntrack/modules/tftp/node.def
deleted file mode 100644
index cbb0496..0000000
--- a/templates-cfg/system/conntrack/modules/tftp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: TFTP connection tracking settings
diff --git a/templates-cfg/system/conntrack/node.def b/templates-cfg/system/conntrack/node.def
deleted file mode 100644
index acffd98..0000000
--- a/templates-cfg/system/conntrack/node.def
+++ /dev/null
@@ -1,24 +0,0 @@
-help: Connection tracking engine options
-
-priority: 218 # before NAT and conntrack-sync are configured
-
-delete: # set conntrack table size to standard 262144 entries if conntrack settings are removed
- sudo sysctl -q -w net/nf_conntrack_max=262144
-
- # set conntrack expect table size to standard 2048 entries if conntrack settings are removed
- sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048
-
- # set conntrack hash size to standard 32768
- if ! grep -q "nf_conntrack hashsize=32768$" /etc/modprobe.d/vyatta_nf_conntrack.conf
- then
- sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
- /etc/modprobe.d/vyatta_nf_conntrack.conf"
- sudo sh -c "echo options nf_conntrack hashsize=32768 nf_conntrack_helper=1 >> \
- /etc/modprobe.d/vyatta_nf_conntrack.conf"
- echo "Conntrack hash size set to default 32768. This change will take effect when the system is rebooted."
- fi
-
- # need to restart conntrackd with updated conntrack table size
- if cli-shell-api existsActive service conntrack-sync; then
- sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
- fi
diff --git a/templates-cfg/system/conntrack/table-size/node.def b/templates-cfg/system/conntrack/table-size/node.def
deleted file mode 100644
index 6fceb44..0000000
--- a/templates-cfg/system/conntrack/table-size/node.def
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# Config template for: system conntrack table-size
-#
-# Sets the size of the TCP connection tracking table in the netfilter
-# nf_conntrack module, which is used by firewall and NAT. The size of
-# this table determines how many TCP connections can be simultaneously
-# tracked. If new connections arrive and the table is full, older
-# connections will be dropped out of the table. System administrators
-# must set the connection tracking table size based on the number of
-# connections they expect their system to track. The connection
-# tracking table consumes kernel memory, so the size selected should
-# be no larger than necessary.
-#
-# default value: 16384
-#
-
-type: u32
-
-help: Size of connection tracking table
-
-default: 262144
-
-val_help: u32:1-50000000; Number of entries allowed in connection tracking table
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
-
-update:
- sudo sysctl -q -w net/nf_conntrack_max=$VAR(@)
- # need to restart conntrackd with updated conntrack table size
- if cli-shell-api existsActive service conntrack-sync; then
- sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
- fi
-
-
-
-
-
-
diff --git a/templates-cfg/system/conntrack/tcp/half-open-connections/node.def b/templates-cfg/system/conntrack/tcp/half-open-connections/node.def
deleted file mode 100644
index 9474463..0000000
--- a/templates-cfg/system/conntrack/tcp/half-open-connections/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: Maximum number of TCP half-open connections
-
-default: 512
-
-val_help: u32:1-2147483647; Generic connection timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647"
-
-update: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=$VAR(@)
-
-delete: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=512
diff --git a/templates-cfg/system/conntrack/tcp/loose/node.def b/templates-cfg/system/conntrack/tcp/loose/node.def
deleted file mode 100644
index f84b786..0000000
--- a/templates-cfg/system/conntrack/tcp/loose/node.def
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# This parameter directs the netfilter TCP connection tracking modules
-# (nf_conntrack, and others) to either allow or disallow the tracking
-# of TCP connections which are "previously established". This
-# includes all cases where the three-way connection opening handshake
-# was not seen by this machine. That includes the case the connection
-# was opened before this machine booted. It also includes cases where
-# the packets comprising the three-way handshake were routed via some
-# other router.
-#
-# If this parameter is set to "enable", tracking such connections is
-# allowed. If disabled, such tracking is disabled.
-# default value - 1
-
-type: txt
-
-help: Policy to track previously established connections
-
-val_help: enable; Allow tracking of previously established connections
-val_help: disable; Do not allow tracking of previously established connections
-
-default: "enable"
-
-syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable"
-
-update:
- if [ ! -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then
- sudo modprobe nf_conntrack_ipv4
- fi
- if [ "$VAR(@)" = "enable" ]; then
- sudo sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=1
- elif [ "$VAR(@)" = "disable" ]; then
- sudo sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=0
- else
- echo "Invalid parameter: $VAR(@)"
- exit 1
- fi
-
-delete:
- if [ ! -e /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then
- sudo modprobe nf_conntrack_ipv4
- fi
- sudo sysctl -q -w net.netfilter.nf_conntrack_tcp_loose=1
diff --git a/templates-cfg/system/conntrack/tcp/max-retrans/node.def b/templates-cfg/system/conntrack/tcp/max-retrans/node.def
deleted file mode 100644
index bf56f1f..0000000
--- a/templates-cfg/system/conntrack/tcp/max-retrans/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP maximum retransmit attempts
-
-default: 3
-
-val_help: u32:1-2147483647; Generic connection timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=3
diff --git a/templates-cfg/system/conntrack/tcp/node.def b/templates-cfg/system/conntrack/tcp/node.def
deleted file mode 100644
index c04af19..0000000
--- a/templates-cfg/system/conntrack/tcp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: TCP options
diff --git a/templates-cfg/system/conntrack/timeout/icmp/node.def b/templates-cfg/system/conntrack/timeout/icmp/node.def
deleted file mode 100644
index 952178e..0000000
--- a/templates-cfg/system/conntrack/timeout/icmp/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: ICMP timeout in seconds
-
-default: 30
-
-val_help: u32:1-21474836; ICMP timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=30
diff --git a/templates-cfg/system/conntrack/timeout/node.def b/templates-cfg/system/conntrack/timeout/node.def
deleted file mode 100644
index 8696247..0000000
--- a/templates-cfg/system/conntrack/timeout/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Connection timeout options
diff --git a/templates-cfg/system/conntrack/timeout/other/node.def b/templates-cfg/system/conntrack/timeout/other/node.def
deleted file mode 100644
index a794bb7..0000000
--- a/templates-cfg/system/conntrack/timeout/other/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: Generic connection timeout in seconds
-
-default: 600
-
-val_help: u32:1-21474836; Generic connection timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=600
diff --git a/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
deleted file mode 100644
index 0491b68..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP CLOSE-WAIT timeout in seconds
-
-default: 60
-
-val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60
diff --git a/templates-cfg/system/conntrack/timeout/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/tcp/close/node.def
deleted file mode 100644
index 38317d5..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/close/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP CLOSE timeout in seconds
-
-default: 10
-
-val_help: u32:1-21474836; TCP CLOSE timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10
diff --git a/templates-cfg/system/conntrack/timeout/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/tcp/established/node.def
deleted file mode 100644
index 9e47f1e..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/established/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP ESTABLISHED timeout in seconds
-
-default: 432000
-
-val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000
diff --git a/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
deleted file mode 100644
index 985a6a4..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP FIN-WAIT timeout in seconds
-
-default: 120
-
-val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
deleted file mode 100644
index 3e07fe4..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP LAST-ACK timeout in seconds
-
-default: 30
-
-val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30
diff --git a/templates-cfg/system/conntrack/timeout/tcp/node.def b/templates-cfg/system/conntrack/timeout/tcp/node.def
deleted file mode 100644
index fd1c34f..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: TCP connection timeout options
diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
deleted file mode 100644
index 50c5512..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP SYN-RECEIVED timeout in seconds
-
-default: 60
-
-val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60
diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
deleted file mode 100644
index 5856ba7..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP SYN-SENT timeout in seconds
-
-default: 120
-
-val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120
diff --git a/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
deleted file mode 100644
index f6bd1c8..0000000
--- a/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: TCP TIME-WAIT timeout in seconds
-
-default: 120
-
-val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/udp/node.def b/templates-cfg/system/conntrack/timeout/udp/node.def
deleted file mode 100644
index c6586b7..0000000
--- a/templates-cfg/system/conntrack/timeout/udp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: UDP timeout
diff --git a/templates-cfg/system/conntrack/timeout/udp/other/node.def b/templates-cfg/system/conntrack/timeout/udp/other/node.def
deleted file mode 100644
index 0018f1c..0000000
--- a/templates-cfg/system/conntrack/timeout/udp/other/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: UDP generic timeout in seconds
-
-default: 30
-
-val_help: u32:1-21474836; UDP generic timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=30
diff --git a/templates-cfg/system/conntrack/timeout/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/udp/stream/node.def
deleted file mode 100644
index d86e683..0000000
--- a/templates-cfg/system/conntrack/timeout/udp/stream/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: u32
-
-help: UDP stream timeout in seconds
-
-default: 180
-
-val_help: u32:1-21474836; UDP stream timeout in seconds
-
-syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=180