author | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-11-04 04:46:00 +0700 |
---|---|---|
committer | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-11-04 04:46:00 +0700 |
commit | 410023fd604af49434ed5039c99c7ee6abc99b20 (patch) | |
tree | 74e703e1d778db8ace3796c3d1fdf528b302abe7 | |
download | vyatta-conntrack-410023fd604af49434ed5039c99c7ee6abc99b20.tar.gz vyatta-conntrack-410023fd604af49434ed5039c99c7ee6abc99b20.zip |
Initial commit. (tag: debian/0.1)
59 files changed, 1422 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..efbb6a2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,26 @@ +*.orig +*.rej +*# +*~ +.*.swp +*.[oa] +*.l[oa] +*.so +*.libs +*.deps +.dirstamp +aclocal.m4 +autom4te.cache +build-stamp +config +config.log +config.guess +config.status +config.sub +configure +debian/files +debian/*.log +debian/*.substvars +INSTALL +Makefile.in +Makefile @@ -0,0 +1 @@ +eng@vyatta.com 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. 
+ + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/ChangeLog b/ChangeLog new file mode 120000 index 0000000..d526672 --- /dev/null +++ b/ChangeLog @@ -0,0 +1 @@ +debian/changelog
\ No newline at end of file diff --git a/Makefile.am b/Makefile.am new file mode 100644 index 0000000..c029a82 --- /dev/null +++ b/Makefile.am @@ -0,0 +1,11 @@ +cfgdir = $(datadir)/vyatta-cfg/templates +curverdir = $(sysconfdir)/config-migrate/current + +curver_DATA = cfg-version/conntrack@1 + +cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ + cpio -0pd + +install-exec-hook: + mkdir -p $(DESTDIR)$(cfgdir) + cd templates; $(cpiop) $(DESTDIR)$(cfgdir) @@ -0,0 +1 @@ +see http://www.vyatta.com/news/ @@ -0,0 +1 @@ +This package has the Vyatta system-level configuration templates and scripts. diff --git a/cfg-version/conntrack@1 b/cfg-version/conntrack@1 new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/cfg-version/conntrack@1 diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..bb7ea9b --- /dev/null +++ b/configure.ac @@ -0,0 +1,32 @@ +# Process this file with autoconf to produce a configure script. +AC_PREREQ(2.59) + +m4_define([VERSION_ID], [m4_esyscmd([ + if test -f .version ; then + head -n 1 .version | tr -d \\n + else + echo -n 2.4 + fi])]) +AC_INIT([vyatta-conntrack], VERSION_ID, [vyatta-support@vyatta.com]) + +test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION + +AC_CONFIG_AUX_DIR([config]) +AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) +AC_PREFIX_DEFAULT([/opt/vyatta]) + +AC_ARG_ENABLE([nostrip], + AC_HELP_STRING([--enable-nostrip], + [include -nostrip option during packaging]), + [NOSTRIP=-nostrip], [NOSTRIP=]) + +AC_CONFIG_FILES([Makefile]) + +AC_SUBST(NOSTRIP) + +AC_PROG_CC +AC_PROG_CXX +AM_PROG_AS +AM_PROG_CC_C_O +AC_OUTPUT + diff --git a/debian/README b/debian/README new file mode 100644 index 0000000..b7a8b29 --- /dev/null +++ b/debian/README 
@@ -0,0 +1,6 @@ +The Debian Package vyatta-cfg-system +---------------------------- + +This package has Vyatta connection tracking configuration templates and scripts. + + -- Daniil Baturin <daniil.baturin@vyatta.com> Thu, 3 Nov 2011 12:31:53 -0700 diff --git a/debian/autogen.sh b/debian/autogen.sh new file mode 100755 index 0000000..e8c94af --- /dev/null +++ b/debian/autogen.sh @@ -0,0 +1,11 @@ +#!/bin/sh + + +rm -rf config +rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL + +autoreconf --force --install + +rm -f config.sub config.guess +ln -s /usr/share/misc/config.sub . +ln -s /usr/share/misc/config.guess . diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..91b73a8 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,6 @@ +vyatta-conntrack (0.1) unstable; urgency=low + + * Initial Release. + + -- Daniil Baturin <daniil.baturin@vyatta.com> Thu, 3 Nov 2011 12:31:53 -0700 + diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7ed6ff8 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +5 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..8671c1f --- /dev/null +++ b/debian/control 
@@ -0,0 +1,64 @@ +Source: vyatta-conntrack +Section: contrib/net +Priority: extra +Maintainer: Vyatta Package Maintainers <maintainers@vyatta.com> +Build-Depends: debhelper (>= 5), autotools-dev +Standards-Version: 3.7.2 + +Package: vyatta-conntrack +Architecture: any +Depends: acpid, + adduser, + sed (>= 4.1.5), + perl (>= 5.10.1), + libnetaddr-ip-perl, + procps (>= 1:3.2.7-3), + coreutils (>= 5.97-5.3), + libpam-radius-auth, + vyatta-cfg (>= 0.18.58), + libc6 (>= 2.7-6), + libpam-runtime (>= 1.0.1-5), + vyatta-bash | bash (>= 3.1), + sysv-rc, + ntp (>= 4.2.4p6+vyatta-7), + udev (>= 160-1), + rsyslog | system-log-daemon, + vyatta-busybox, + sudo, + snmpd (>= 5.4.2.1-vyatta11), + vyatta-keepalived (>= 1.1.15-1-vyatta-5), + bridge-utils, + ethtool, + ssh (>= 1:5.1p1-5), + openssh-server (>= 1:5.1p1-5), + ed, + ifupdown, + tshark, + iputils-arping, + installation-report, + laptop-detect, + usbutils, + mgetty, + tasksel, + snmp, + tcpdump, + dnsmasq (>= 2.45-1+lenny1), + mdadm, + ddclient (>= 3.7.3-4.2), + libio-socket-ssl-perl, + vyatta-biosdevname, + ipvsadm (>= 1:1.24-2.1), + radvd (>= 1:1.1-3), + apt-transport-https, + hostapd (>= 1:0.6.9-3), + cpufrequtils, + grub-pc (>= 1.98+20100804), + libcap2-bin (>= 2.19) +Pre-Depends: bash-completion +Suggests: util-linux (>= 2.13-5), + net-tools, + ncurses-bin (>= 5.5-5), + ntpdate +Replaces: vyatta-cfg-system +Description: Vyatta conntrack configuration + Vyatta conntrack configuration utiliites, templates and scripts. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..8262ab8 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,36 @@ +This package was debianized by Daniil Baturin <daniil.baturin@vyatta.com> on +Thu, 3 Nov 2011. + +It's original content from the GIT repository + <http://vyatt.com/git/vyatta-conntrack> + +Upstream Author: + + <eng@vyatta.com> + +Copyright: + + Copyright (C) 2011 Vyatta, Inc. + All Rights Reserved. + +License: + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +A copy of the GNU General Public License is available as +`/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution +or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. +You can also obtain it by writing to the Free Software Foundation, +Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, +MA 02110-1301, USA. + +The Debian packaging is (C) 2007, Daniil Baturin <daniil.baturin@vyatta.com> and +is licensed under the GPL, see above. diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..50bd824 --- /dev/null +++ b/debian/docs @@ -0,0 +1,2 @@ +NEWS +README diff --git a/debian/lintian b/debian/lintian new file mode 100644 index 0000000..dde999b --- /dev/null +++ b/debian/lintian @@ -0,0 +1,2 @@ +vyatta-conntrack: file-in-unusual-dir +vyatta-conntrack: dir-or-file-in-opt diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..07138a2 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,105 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +PACKAGE=vyatta-conntrack +PKGDIR=$(CURDIR)/debian/$(PACKAGE) + +CFLAGS = -Wall -g + +configure = ./configure +configure += --host=$(DEB_HOST_GNU_TYPE) +configure += --build=$(DEB_BUILD_GNU_TYPE) +configure += --prefix=/opt/vyatta +configure += --mandir=\$${prefix}/share/man +configure += --infodir=\$${prefix}/share/info +configure += CFLAGS="$(CFLAGS)" +configure += LDFLAGS="-Wl,-z,defs" + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +configure: configure.ac Makefile.am + chmod +x debian/autogen.sh + debian/autogen.sh + +config.status: configure + dh_testdir + rm -f config.cache + $(configure) + +build: build-stamp + +build-stamp: config.status + dh_testdir + $(MAKE) + touch $@ + +clean: clean-patched + +# Clean everything up, including everything auto-generated +# at build time that needs not to be kept around in the Debian diff +clean-patched: + dh_testdir + dh_testroot + if test -f Makefile ; then $(MAKE) clean distclean ; fi + rm -f build-stamp + rm -f config.status config.sub config.guess config.log + rm -f aclocal.m4 configure Makefile.in Makefile INSTALL + rm -rf config + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + $(MAKE) 
DESTDIR=$(PKGDIR) install + + install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE) + +# Build architecture-independent files here. +binary-indep: build install + rm -f debian/files + dh_testdir + dh_testroot + dh_installchangelogs ChangeLog + dh_installdocs + dh_install + dh_installdebconf + dh_link + dh_strip + dh_compress + dh_fixperms + dh_installdeb + if [ -f "../.VYATTA_DEV_BUILD" ]; then \ + dh_gencontrol -- -v999.dev; \ + else \ + dh_gencontrol; \ + fi + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. +binary-arch: build install +# This is an architecture independent package +# so; we have nothing to do by default. + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in new file mode 100644 index 0000000..4e07288 --- /dev/null +++ b/debian/vyatta-cfg-system.postinst.in 
@@ -0,0 +1,269 @@ +#!/bin/bash + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +sysconfdir=@sysconfdir@ +bindir=@bindir@ +sbindir=@sbindir@ + +# remove init of daemons that are controlled by Vyatta configuration process +for init in ntp ssh snmpd openhpid logd \ + ipvsadm dnsmasq ddclient radvd hostapd conntrackd +do + update-rc.d -f ${init} remove >/dev/null +done + +# remove extra call to clock setup only need one. this speeds up boot +# Mystery: why does Debian do it twice? +if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then + rm /etc/rcS.d/S*hwclock.sh +fi + +# Udev package asks for user 'tss' early in boot process. +# Want to avoid going out to remote services to look for this local user +if ! grep -q '^tss' /etc/passwd; then + adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss +fi + +# Remove leftover udev files from earlier release +if [ -d /etc/udev/rules.d/ ]; then + rm -f /etc/udev/rules.d/*vyatta-net.rules +fi + +# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files +rm -f /etc/logrotate.d/rsyslog + +# Force screenblanker to be off, it can be enabled later if desired +if [ -f /etc/console-tools/config ]; then + sed -i -e '/^POWERDOWN/s/=.*$/=0/' \ + -e '/^BLANK_TIME/s/=.*$/=0/' \ + -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config +fi + +if [ "$sysconfdir" != "/etc" ]; then + touch /etc/sudoers + cp -p /etc/sudoers /etc/sudoers.bak + + # enable ssh banner + sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config + # make sure PermitRoot is off + sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config + # make sure PasswordAuthentication is on + sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config + sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config + + # add HostKeys for protocol version 1 + if ! 
grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then + echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config + echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config + fi + + # add UseDNS line + sed -i '/^UseDNS/d' /etc/ssh/sshd_config + echo 'UseDNS yes' >>/etc/ssh/sshd_config + + # for "admin" level + sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers + if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then + echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers + fi + + # cleanup any old entries from previous versions + sed -i /etc/sudoers \ + -e '/### BEGIN VYATTA/,/### END VYATTA/d' \ + -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \ + -e '/sudo-users/d' \ + -e '/env_keep+=VYATTA/d' || true + + # Add Vyatta entries + cat <<"EOF" >>/etc/sudoers +### BEGIN VYATTA +Defaults syslog_goodpri=info +Defaults env_keep+=VYATTA_* + +Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ + /sbin/iptables -L -vn,\ + /sbin/iptables -L * -vn,\ + /sbin/iptables -t * -L *, \ + /sbin/iptables -Z *,\ + /sbin/iptables -Z -t nat, \ + /sbin/iptables -t * -Z * +Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ + /sbin/ip6tables -t * -L * +Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ + /usr/sbin/conntrack -G *, \ + /usr/sbin/conntrack -E * +Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ + /sbin/ip route flush cache *,\ + /sbin/ip neigh flush to *, \ + /sbin/ip neigh flush dev *, \ + /sbin/ip -f inet6 route flush cache, \ + /sbin/ip -f inet6 route flush cache *,\ + /sbin/ip -f inet6 neigh flush to *, \ + /sbin/ip -f inet6 neigh flush dev * +Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ + /sbin/ethtool -S *, \ + /sbin/ethtool -a *, \ + /sbin/ethtool -c *, \ + /sbin/ethtool -i * +Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * +Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate +Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats +Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump +Cmnd_Alias 
HWINFO = /usr/bin/lspci +%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ + PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ + DISK, CONNTRACK, IP6TABLES +EOF + cat <<EOF >>/etc/sudoers +%users ALL=NOPASSWD: ${bindir}/sudo-users/ +### END VYATTA +EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done + + # purge off ancient devfs stuff from /etc/securetty + cp $sysconfdir/securetty /etc/securetty + + for f in issue issue.net; do + if [ ! -e /etc/$f.old ]; then + cp $sysconfdir/$f /etc/$f + fi + done + + cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf + + # Set file capabilities + sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \ + while read capability path; do + touch -c $path + setcap $capability $path + done + + # Install pam_cap config + cp $sysconfdir/capability.conf /etc/security/capability.conf + + # Install our own version of rsyslog.conf without + # default targets + mv /etc/rsyslog.conf /etc/rsyslog.conf.orig + cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf + + # Install own version of cpufrequtils config + cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils +fi + +# create needed directories +mkdir -p /var/log/user +mkdir -p /var/core +mkdir -p /opt/vyatta/etc/config/auth +mkdir -p /opt/vyatta/etc/config/scripts +mkdir -p /opt/vyatta/etc/config/user-data +mkdir -p /opt/vyatta/etc/config/support +chown -R root.vyattacfg /opt/vyatta/etc/config +chmod -R 775 /opt/vyatta/etc/config + +# create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script +# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above +if [ ! 
-x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then + touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script + chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script + cat <<EOF >>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script +#!/bin/sh +# This script is called from /etc/rc.local on boot after the Vyatta +# configuration is fully applied. Any modifications done to work around +# unfixed bugs and implement enhancements which are not complete in the Vyatta +# system can be placed here. +EOF +fi + +# call vyatta-postconfig-bootup.script from /etc/rc.local +if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \ + /etc/rc.local +then + cat <<EOF >>/etc/rc.local +# Do not remove the following call to vyatta-postconfig-bootup.script. +# Any boot time workarounds should be put in script below so that they +# get preserved for the new image during image upgrade. +sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script +EOF + sh -c "sed -i -e '/exit 0/d' /etc/rc.local" + cat <<EOF >>/etc/rc.local +exit 0 +EOF +fi + +touch /etc/environment + +if [ ! -f /etc/bash_completion ]; then + echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion + echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion +fi + +sed -i 's/^set /builtin set /' /etc/bash_completion + +dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null + +# Fix up PAM configuration for login so that invalid users are prompted +# for password +sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login + +# Change default shell for new accounts +sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf + +# Do not allow users to change full name field (controlled by Vyatta config) +sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs + +# Only allow root to use passwd command +if ! 
grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then + sed -i -e '/^@include/i \ +password requisite pam_succeed_if.so user = root +' /etc/pam.d/passwd +fi + +# +# Ask mdadm to call our own event handling daemon +# +if [ -e /etc/default/mdadm ]; then + sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm +fi + +# remove unnecessary ddclient script in /etc/ppp/ip-up.d/ +# this logs unnecessary messages trying to start ddclient +rm -f /etc/ppp/ip-up.d/ddclient + +# remove old init that should have been cleaned up during upgrade but isn't +if [ -f /etc/init.d/vyatta-ofr ]; then + update-rc.d -f /etc/init.d/vyatta-ofr remove + rm -f /etc/init.d/vyatta-ofr +fi + +# comply with Squeeze version of modprobe +# remove old versions of files during upgrade +for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6 +do + if [ -f /etc/modprobe.d/${modprobe} ]; then + mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf + fi +done + +# add vyatta-config-reboot-params to start at boot up +update-rc.d vyatta-config-reboot-params defaults + +# Local Variables: +# mode: shell-script +# sh-indentation: 4 +# End: diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm new file mode 100644 index 0000000..413780b --- /dev/null +++ b/debian/vyatta-cfg-system.postrm @@ -0,0 +1,12 @@ +#!/bin/bash + +if [ "$1" = "purge" ]; then + sed -i -e '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers + sed -i -e 'g/^password/d' /etc/pam.d/password + update-rc.d vyatta-config-reboot-params remove +fi + +# Local Variables: +# mode: shell-script +# sh-indentation: 4 +# End: diff --git a/templates/system/conntrack/expect-table-size/node.def b/templates/system/conntrack/expect-table-size/node.def new file mode 100644 index 0000000..f9f1ae5 --- /dev/null +++ b/templates/system/conntrack/expect-table-size/node.def 
@@ -0,0 +1,32 @@ +# +# Config template for: system conntrack expect-table-size +# +# This is the table of expectations. Connection tracking expectations are +# the mechanism used to "expect" RELATED connections to existing ones. +# Expectations are generally used by "connection tracking helpers" (sometimes +# called application level gateways [ALGs]) for more complex protocols such as +# FTP, SIP, H.323. +# +# default value when no conntrack options set - 2048 +# default value when no conntrack options set - 4096 +# + +type: u32 + +help: Size of connection tracking expect table + +default: 4096 + +val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000" + +update: + sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=$VAR(@) + + + + + + + diff --git a/templates/system/conntrack/hash-size/node.def b/templates/system/conntrack/hash-size/node.def new file mode 100644 index 0000000..242d0fe --- /dev/null +++ b/templates/system/conntrack/hash-size/node.def @@ -0,0 +1,18 @@ +help: Hash size for connection tracking table +type: u32 + +default: 4096 + +val_help: u32:1-50000000; Size of hash to use for connection tracking table + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000" + +update: + if ! grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf + then + sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \ + /etc/modprobe.d/vyatta_nf_conntrack.conf" + sudo sh -c "echo options nf_conntrack hashsize=$VAR(@) >> \ + /etc/modprobe.d/vyatta_nf_conntrack.conf" + echo "Updated conntrack hash size. This change will take affect when the system is rebooted." + fi diff --git a/templates/system/conntrack/modules/ftp/disable/node.def b/templates/system/conntrack/modules/ftp/disable/node.def new file mode 100644 index 0000000..40a64d5 --- /dev/null 
+++ b/templates/system/conntrack/modules/ftp/disable/node.def @@ -0,0 +1,7 @@ +help: Disable FTP connection tracking + +create: sudo rmmod nf_nat_ftp + sudo rmmod nf_conntrack_ftp + +delete: sudo modprobe nf_conntrack_ftp + sudo modprobe nf_nat_ftp
\ No newline at end of file diff --git a/templates/system/conntrack/modules/ftp/node.def b/templates/system/conntrack/modules/ftp/node.def new file mode 100644 index 0000000..74a94b4 --- /dev/null +++ b/templates/system/conntrack/modules/ftp/node.def @@ -0,0 +1 @@ +help: FTP connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/gre/disable/node.def b/templates/system/conntrack/modules/gre/disable/node.def new file mode 100644 index 0000000..f6f9546 --- /dev/null +++ b/templates/system/conntrack/modules/gre/disable/node.def @@ -0,0 +1,21 @@ +help: Disable GRE connection tracking + +# GRE shouldn't be disabled when PPTP is enabled because PPTP depends on it +create: cli-shell-api exists system conntrack modules pptp disable + if [ $? == 0 ]; then + # Unload PPTP modules if they are loaded + lsmod | grep -e "^nf_nat_pptp" 2>&1 >/dev/null + if [ $? == 0 ]; then + sudo rmmod nf_nat_pptp + sudo rmmod nf_conntrack_pptp + fi + # And GRE modules then + sudo rmmod nf_nat_proto_gre + sudo rmmod nf_conntrack_proto_gre + else + echo "Error: can not disable GRE connection tracking when PPTP connection tracking is enabled!" + exit 1 + fi + +delete: sudo modprobe nf_conntrack_proto_gre + sudo modprobe nf_nat_proto_gre diff --git a/templates/system/conntrack/modules/gre/node.def b/templates/system/conntrack/modules/gre/node.def new file mode 100644 index 0000000..d192f7d --- /dev/null +++ b/templates/system/conntrack/modules/gre/node.def @@ -0,0 +1 @@ +help: GRE connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/h323/disable/node.def b/templates/system/conntrack/modules/h323/disable/node.def new file mode 100644 index 0000000..1fb0117 --- /dev/null +++ b/templates/system/conntrack/modules/h323/disable/node.def @@ -0,0 +1,7 @@ +help: Disable H.323 connection tracking + +create: sudo rmmod nf_nat_h323 + sudo rmmod nf_conntrack_h323 + +delete: sudo modprobe nf_conntrack_h323 + sudo modprobe nf_nat_h323
\ No newline at end of file diff --git a/templates/system/conntrack/modules/h323/node.def b/templates/system/conntrack/modules/h323/node.def new file mode 100644 index 0000000..ae4b787 --- /dev/null +++ b/templates/system/conntrack/modules/h323/node.def @@ -0,0 +1 @@ +help: H.323 connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/node.def b/templates/system/conntrack/modules/node.def new file mode 100644 index 0000000..9666287 --- /dev/null +++ b/templates/system/conntrack/modules/node.def @@ -0,0 +1 @@ +help: Connection tracking modules settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/pptp/disable/node.def b/templates/system/conntrack/modules/pptp/disable/node.def new file mode 100644 index 0000000..4ffd980 --- /dev/null +++ b/templates/system/conntrack/modules/pptp/disable/node.def @@ -0,0 +1,20 @@ +help: Disable PPTP connection tracking + +create: cli-shell-api exists system conntrack modules gre disable + if [ $? == 0 ]; then + # Do nothing, this case is handled in GRE module templates + :; + else + sudo rmmod nf_nat_pptp + sudo rmmod nf_conntrack_pptp + fi + +# PPTP shouldn't be enabled when GRE is disabled because PPTP depends on it +delete: cli-shell-api exists system conntrack modules gre disable + if [ $? == 0 ]; then + echo "Error: can not enable PPTP connection tracking when GRE connection tracking is disabled!" + exit 1 + else + sudo modprobe nf_conntrack_pptp + sudo modprobe nf_nat_pptp + fi diff --git a/templates/system/conntrack/modules/pptp/node.def b/templates/system/conntrack/modules/pptp/node.def new file mode 100644 index 0000000..a6ae0c4 --- /dev/null +++ b/templates/system/conntrack/modules/pptp/node.def @@ -0,0 +1 @@ +help: PPTP connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/modules/sip/disable/node.def b/templates/system/conntrack/modules/sip/disable/node.def new file mode 100644 index 0000000..d0eaf81 --- /dev/null +++ b/templates/system/conntrack/modules/sip/disable/node.def @@ -0,0 +1,7 @@ +help: Disable SIP connection tracking + +create: sudo rmmod nf_nat_sip + sudo rmmod nf_conntrack_sip + +delete: sudo modprobe nf_conntrack_sip + sudo modprobe nf_nat_sip
\ No newline at end of file diff --git a/templates/system/conntrack/modules/sip/enable-indirect-media/node.def b/templates/system/conntrack/modules/sip/enable-indirect-media/node.def new file mode 100644 index 0000000..c29389e --- /dev/null +++ b/templates/system/conntrack/modules/sip/enable-indirect-media/node.def @@ -0,0 +1 @@ +help: Option to support for indirect media streams diff --git a/templates/system/conntrack/modules/sip/enable-indirect-signalling/node.def b/templates/system/conntrack/modules/sip/enable-indirect-signalling/node.def new file mode 100644 index 0000000..82782ff --- /dev/null +++ b/templates/system/conntrack/modules/sip/enable-indirect-signalling/node.def @@ -0,0 +1 @@ +help: Option to support for indirect signalling streams diff --git a/templates/system/conntrack/modules/sip/node.def b/templates/system/conntrack/modules/sip/node.def new file mode 100644 index 0000000..b5a3225 --- /dev/null +++ b/templates/system/conntrack/modules/sip/node.def 
@@ -0,0 +1,61 @@ +help: SIP connection tracking settings + +end: /bin/cli-shell-api existsEffective system conntrack modules sip disable && exit 0 + reload=0 + sdm=2 + if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_media ]; then + sdm=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_media) + fi + if [ -n "$VAR(./enable-indirect-media)" ]; then + indirectmedia='sip_direct_media=0' + if [ $sdm -ge 1 ]; then reload=1; fi + else + if [ $sdm -eq 0 ]; then reload=1; fi + fi + + sds=2 + if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling ]; then + sds=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling) + fi + if [ -n "$VAR(./enable-indirect-signalling)" ]; then + indirectsignalling='sip_direct_signalling=0' + if [ $sds -ge 1 ]; then reload=1; fi + else + if [ $sds -eq 0 ]; then reload=1; fi + fi + + if [ -n "$VAR(./port/@@)" ]; then + numports=0 + for port in $VAR(./port/@@); do + if [ -z "$portval" ]; then + portval=$port + else + portval="${portval},$port" + fi + (( numports++ )) + done + portopt="ports=$portval" + if [ $numports -gt 8 ]; then + echo "Error: Can not specify more than 8 ports." + exit 1 + fi + reload=1 + fi + + if [ -f /etc/modprobe.d/options ]; then + sudo sed -i '/nf_conntrack_sip/d' /etc/modprobe.d/options + fi + + if [ -n "$indirectmedia" ] || [ -n "$indirectsignalling" ] || \ + [ -n "$portopt" ]; then + sudo sh -c "echo \# Auto-generated by `whoami` at `date` > /etc/modprobe.d/vyatta_sip_options.conf" + sudo sh -c "echo options nf_conntrack_sip $indirectmedia $indirectsignalling $portopt >> /etc/modprobe.d/vyatta_sip_options.conf " + else + sudo rm -f /etc/modprobe.d/vyatta_sip_options.conf + fi + + if [ $reload -eq 1 ]; then + sudo modprobe -r nf_nat_sip nf_conntrack_sip + sudo modprobe nf_conntrack_sip + sudo modprobe nf_nat_sip + fi 
diff --git a/templates/system/conntrack/modules/sip/port/node.def b/templates/system/conntrack/modules/sip/port/node.def new file mode 100644 index 0000000..b72f1ca --- /dev/null +++ b/templates/system/conntrack/modules/sip/port/node.def @@ -0,0 +1,8 @@ +multi: +type: u32 + +help: Port number that SIP traffic is carried on + +val_help: u32:1-65535; SIP port number + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <=65535) ; "Port number must be in range 1 to 65535" diff --git a/templates/system/conntrack/modules/tftp/disable/node.def b/templates/system/conntrack/modules/tftp/disable/node.def new file mode 100644 index 0000000..ebdecf4 --- /dev/null +++ b/templates/system/conntrack/modules/tftp/disable/node.def @@ -0,0 +1,7 @@ +help: Disable TFTP connection tracking + +create: sudo rmmod nf_nat_tftp + sudo rmmod nf_conntrack_tftp + +delete: sudo modprobe nf_conntrack_tftp + sudo modprobe nf_nat_tftp diff --git a/templates/system/conntrack/modules/tftp/node.def b/templates/system/conntrack/modules/tftp/node.def new file mode 100644 index 0000000..901f52e --- /dev/null +++ b/templates/system/conntrack/modules/tftp/node.def @@ -0,0 +1 @@ +help: TFTP connection tracking settings
\ No newline at end of file diff --git a/templates/system/conntrack/node.def b/templates/system/conntrack/node.def new file mode 100644 index 0000000..53488ae --- /dev/null +++ b/templates/system/conntrack/node.def @@ -0,0 +1,24 @@ +help: Connection tracking engine options + +priority: 218 # before NAT and conntrack-sync are configured + +delete: # set conntrack table size to standard 16384 entries if conntrack settings are removed + sudo sysctl -q -w net/nf_conntrack_max=16384 + + # set conntrack expect table size to standard 2048 entries if conntrack settings are removed + sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048 + + # set conntrack hash size to standard 4096 + if ! grep -q "nf_conntrack hashsize=4096$" /etc/modprobe.d/vyatta_nf_conntrack.conf + then + sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \ + /etc/modprobe.d/vyatta_nf_conntrack.conf" + sudo sh -c "echo options nf_conntrack hashsize=4096 >> \ + /etc/modprobe.d/vyatta_nf_conntrack.conf" + echo "Conntrack hash size set to default 4096. This change will take effect when the system is rebooted." + fi + + # need to restart conntrackd with updated conntrack table size + if cli-shell-api existsActive service conntrack-sync; then + sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable + fi diff --git a/templates/system/conntrack/table-size/node.def b/templates/system/conntrack/table-size/node.def new file mode 100644 index 0000000..f91b101 --- /dev/null +++ b/templates/system/conntrack/table-size/node.def 
@@ -0,0 +1,39 @@ +# +# Config template for: system conntrack table-size +# +# Sets the size of the TCP connection tracking table in the netfilter +# nf_conntrack module, which is used by firewall and NAT. The size of +# this table determines how many TCP connections can be simultaneously +# tracked. If new connections arrive and the table is full, older +# connections will be dropped out of the table. System administrators +# must set the connection tracking table size based on the number of +# connections they expect their system to track. The connection +# tracking table consumes kernel memory, so the size selected should +# be no larger than necessary. +# +# default value when contrack is not set - 16384 +# default value when conntrack is set - 32768 +# + +type: u32 + +help: Size of connection tracking table + +default: 32768 + +val_help: u32:1-50000000; Number of entries allowed in connection tracking table + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000" + +update: + sudo sysctl -q -w net/nf_conntrack_max=$VAR(@) + # need to restart conntrackd with updated conntrack table size + if cli-shell-api existsActive service conntrack-sync; then + sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable + fi + + + + + + diff --git a/templates/system/conntrack/tcp/half-open-connections/node.def b/templates/system/conntrack/tcp/half-open-connections/node.def new file mode 100644 index 0000000..9474463 --- /dev/null +++ b/templates/system/conntrack/tcp/half-open-connections/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: Maximum number of TCP half-open connections + +default: 512 + +val_help: u32:1-2147483647; Generic connection timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647" + +update: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=$VAR(@) + +delete: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=512 
diff --git a/templates/system/conntrack/tcp/loose/node.def b/templates/system/conntrack/tcp/loose/node.def new file mode 100644 index 0000000..06706a2 --- /dev/null +++ b/templates/system/conntrack/tcp/loose/node.def @@ -0,0 +1,50 @@ +# +# This parameter directs the netfilter TCP connection tracking modules +# (nf_conntrack, and others) to either allow or disallow the tracking +# of TCP connections which are "previously established". This +# includes all cases where the three-way connection opening handshake +# was not seen by this machine. That includes the case the connection +# was opened before this machine booted. It also includes cases where +# the packets comprising the three-way handshake were routed via some +# other router. +# +# If this parameter is set to "enable", tracking such connections is +# allowed. If disabled, such tracking is disabled. +# default value - 1 + +type: txt + +help: Policy to track previously established connections + +val_help: enable; Allow tracking of previously established connections +val_help: disable; Do not allow tracking of previously established connections + +default: "enable" + +syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable" + +update: + if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then + sudo modprobe nf_conntrack_ipv4 + fi + if [ "$VAR(@)" = "enable" ]; then + sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1 + elif [ "$VAR(@)" = "disable" ]; then + sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=0 + else + echo "Invalid parameter: $VAR(@)" + exit 1 + fi + +delete: + if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then + sudo modprobe nf_conntrack_ipv4 + fi + sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1 + + + + + + + diff --git a/templates/system/conntrack/tcp/max-retrans/node.def b/templates/system/conntrack/tcp/max-retrans/node.def new file mode 100644 index 0000000..bf56f1f --- /dev/null 
+++ b/templates/system/conntrack/tcp/max-retrans/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP maximum retransmit attempts + +default: 3 + +val_help: u32:1-2147483647; Generic connection timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=3 diff --git a/templates/system/conntrack/tcp/node.def b/templates/system/conntrack/tcp/node.def new file mode 100644 index 0000000..67543ca --- /dev/null +++ b/templates/system/conntrack/tcp/node.def @@ -0,0 +1 @@ +help: TCP options
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/icmp/node.def b/templates/system/conntrack/timeout/icmp/node.def new file mode 100644 index 0000000..952178e --- /dev/null +++ b/templates/system/conntrack/timeout/icmp/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: ICMP timeout in seconds + +default: 30 + +val_help: u32:1-21474836; ICMP timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=30 diff --git a/templates/system/conntrack/timeout/node.def b/templates/system/conntrack/timeout/node.def new file mode 100644 index 0000000..f0193c6 --- /dev/null +++ b/templates/system/conntrack/timeout/node.def @@ -0,0 +1 @@ +help: Connection timeout options
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/other/node.def b/templates/system/conntrack/timeout/other/node.def new file mode 100644 index 0000000..a794bb7 --- /dev/null +++ b/templates/system/conntrack/timeout/other/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: Generic connection timeout in seconds + +default: 600 + +val_help: u32:1-21474836; Generic connection timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=600 diff --git a/templates/system/conntrack/timeout/tcp/close-wait/node.def b/templates/system/conntrack/timeout/tcp/close-wait/node.def new file mode 100644 index 0000000..0491b68 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/close-wait/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP CLOSE-WAIT timeout in seconds + +default: 60 + +val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60 diff --git a/templates/system/conntrack/timeout/tcp/close/node.def b/templates/system/conntrack/timeout/tcp/close/node.def new file mode 100644 index 0000000..38317d5 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/close/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP CLOSE timeout in seconds + +default: 10 + +val_help: u32:1-21474836; TCP CLOSE timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10 
diff --git a/templates/system/conntrack/timeout/tcp/established/node.def b/templates/system/conntrack/timeout/tcp/established/node.def new file mode 100644 index 0000000..9e47f1e --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/established/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP ESTABLISHED timeout in seconds + +default: 432000 + +val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000 diff --git a/templates/system/conntrack/timeout/tcp/fin-wait/node.def b/templates/system/conntrack/timeout/tcp/fin-wait/node.def new file mode 100644 index 0000000..985a6a4 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/fin-wait/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP FIN-WAIT timeout in seconds + +default: 120 + +val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120 diff --git a/templates/system/conntrack/timeout/tcp/last-ack/node.def b/templates/system/conntrack/timeout/tcp/last-ack/node.def new file mode 100644 index 0000000..3e07fe4 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/last-ack/node.def 
@@ -0,0 +1,13 @@ +type: u32 + +help: TCP LAST-ACK timeout in seconds + +default: 30 + +val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30 diff --git a/templates/system/conntrack/timeout/tcp/node.def b/templates/system/conntrack/timeout/tcp/node.def new file mode 100644 index 0000000..2b67c51 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/node.def @@ -0,0 +1 @@ +help: TCP connection timeout options
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/tcp/syn-recv/node.def b/templates/system/conntrack/timeout/tcp/syn-recv/node.def new file mode 100644 index 0000000..50c5512 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/syn-recv/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP SYN-RECEIVED timeout in seconds + +default: 60 + +val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60 diff --git a/templates/system/conntrack/timeout/tcp/syn-sent/node.def b/templates/system/conntrack/timeout/tcp/syn-sent/node.def new file mode 100644 index 0000000..5856ba7 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/syn-sent/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: TCP SYN-SENT timeout in seconds + +default: 120 + +val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120 diff --git a/templates/system/conntrack/timeout/tcp/time-wait/node.def b/templates/system/conntrack/timeout/tcp/time-wait/node.def new file mode 100644 index 0000000..f6bd1c8 --- /dev/null +++ b/templates/system/conntrack/timeout/tcp/time-wait/node.def 
@@ -0,0 +1,13 @@ +type: u32 + +help: TCP TIME-WAIT timeout in seconds + +default: 120 + +val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120 diff --git a/templates/system/conntrack/timeout/udp/node.def b/templates/system/conntrack/timeout/udp/node.def new file mode 100644 index 0000000..7ee8fd3 --- /dev/null +++ b/templates/system/conntrack/timeout/udp/node.def @@ -0,0 +1 @@ +help: UDP timeout
\ No newline at end of file diff --git a/templates/system/conntrack/timeout/udp/other/node.def b/templates/system/conntrack/timeout/udp/other/node.def new file mode 100644 index 0000000..0018f1c --- /dev/null +++ b/templates/system/conntrack/timeout/udp/other/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: UDP generic timeout in seconds + +default: 30 + +val_help: u32:1-21474836; UDP generic timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=30 diff --git a/templates/system/conntrack/timeout/udp/stream/node.def b/templates/system/conntrack/timeout/udp/stream/node.def new file mode 100644 index 0000000..d86e683 --- /dev/null +++ b/templates/system/conntrack/timeout/udp/stream/node.def @@ -0,0 +1,13 @@ +type: u32 + +help: UDP stream timeout in seconds + +default: 180 + +val_help: u32:1-21474836; UDP stream timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + +update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=$VAR(@) + +delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=180 |
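Review bot: the /etc/sudoers edits in the first hunk (the `%sudo ALL=NOPASSWD: ALL` sed/echo and the two `cat <<EOF >>/etc/sudoers` heredocs inside the `if [ "$sysconfdir" != "/etc" ]` block) append to the live sudoers file with no syntax check; one malformed line there breaks sudo for every account, including the `%operator` and `%users` rules this hunk defines. Write the VYATTA block to a temporary file and validate it with `visudo -cf` before moving it into place, or at least restore the `/etc/sudoers.bak` copy the hunk already makes when validation fails. Two smaller points in the same hunk: `sed -i '...' $rootfsdir/etc/pam.d/login` references `$rootfsdir`, which is never assigned in this script, so the edit only works because the empty expansion collapses to `/etc/pam.d/login` (define it or drop it); and the `HostKey /etc/ssh/ssh_host_key` line added under `# add HostKeys for protocol version 1` enables SSH protocol 1 host keys, a protocol with known weaknesses that should not be turned on by default on a router image.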
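Review bot: `sed -i -e 'g/^password/d' /etc/pam.d/password` in the postrm hunk does not undo what the postinst did. `g` is a sed command, not an address, so the expression does not parse, and the postinst wrote its `pam_succeed_if.so user = root` line to `/etc/pam.d/passwd`, not `/etc/pam.d/password`. Delete exactly the line that was inserted, e.g. `sed -i '/pam_succeed_if.so user = root/d' /etc/pam.d/passwd`, and consider running `visudo -c` after the `### BEGIN VYATTA`/`### END VYATTA` block is stripped from /etc/sudoers so a purge never leaves sudo unusable.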
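Review bot: the two comment lines in the expect-table-size hunk, `default value when no conntrack options set - 2048` and `default value when no conntrack options set - 4096`, contradict each other. Following the wording of the table-size template in the same commit, the second should read `default value when conntrack is set - 4096`, which also matches `default: 4096` below it and the 2048 that the parent conntrack node's delete script restores. The run of trailing blank `+` lines at the end of the file can be dropped as well.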
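Review bot: the user-facing message in the hash-size update script says "take affect"; it should be "take effect" (the parent conntrack node's delete script has the correct spelling). Also, the `grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf` guard emits a "No such file or directory" error into the commit output the first time it runs, before the file has been created; `[ -f /etc/modprobe.d/vyatta_nf_conntrack.conf ] &&` in front of it, or `2>/dev/null`, keeps the first commit clean.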
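Review bot: `create: sudo rmmod nf_nat_ftp` followed by `sudo rmmod nf_conntrack_ftp` in the ftp/disable hunk fails the commit whenever one of the modules is not currently loaded (nf_nat_ftp on a system that does no NAT, for example), because rmmod returns non-zero for a module that is not loaded. Either guard each rmmod with an lsmod check, as the gre/disable hunk already does for the PPTP modules, or use `sudo modprobe -r nf_nat_ftp nf_conntrack_ftp`, which the sip end script in this same commit uses and which also handles the unload order. The same applies to the h323/disable, sip/disable, tftp/disable and pptp/disable hunks.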
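Review bot: `lsmod | grep -e "^nf_nat_pptp" 2>&1 >/dev/null` in the gre/disable create script has its redirections reversed: stderr is attached to stdout before stdout is sent to /dev/null, so any grep error still reaches the commit output, while the intended `>/dev/null 2>&1` silences both. `if lsmod | grep -q '^nf_nat_pptp'; then` does the same job with no redirection and avoids the `[ $? == 0 ]` bash-ism (`==` inside `[ ]` is not POSIX); the same `[ $? == 0 ]` pattern appears in the pptp/disable hunk.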
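Review bot: `val_help: u32:1-2147483647; Generic connection timeout in seconds` in the half-open-connections hunk is a copy-paste leftover; the description should match `help: Maximum number of TCP half-open connections`. Note also that the sysctl this node writes, `net/ipv4/tcp_max_syn_backlog`, bounds the SYN queue of the router's own listening sockets, not the number of half-open connections conntrack tracks for forwarded traffic; the help text should say which of the two it controls so operators do not tune it expecting it to limit transit connections.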
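Review bot: the same copy-pasted `val_help: u32:1-2147483647; Generic connection timeout in seconds` appears in the max-retrans hunk under `help: TCP maximum retransmit attempts`; the val_help should describe a retransmit count, e.g. `u32:1-2147483647; Maximum number of retransmit attempts`, since the value goes to `net/netfilter/nf_conntrack_tcp_max_retrans`, not to a timeout.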
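Review bot: typo in the header comment of the table-size hunk: `default value when contrack is not set - 16384` should read `conntrack`. The trailing empty `+` lines at the end of that file, and the similar run at the end of the tcp/loose hunk, can be removed.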