author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-02-14 15:23:28 -0800 |
---|---|---|
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-03-16 16:39:57 -0700 |
commit | a78433c8796593aad8e18be6216ea007d08dcaff (patch) | |
tree | 43ae853b65b654939d1ddfb725cde09e1f43e37e | |
parent | fe3908e77451c419c9e4b8351cb72cde9c875312 (diff) | |
timeouts script, and new nodes
(cherry picked from commit e49e60bca2262760575b2a4b488e6acfe1dc0cb6)
16 files changed, 181 insertions, 21 deletions
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
new file mode 100644
index 0000000..7725a3b
--- /dev/null
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -0,0 +1,34 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::IpTables::Rule;
+use Vyatta::IpTables::AddressFilter;
+use Vyatta::IpTables::Mgr;
+use Getopt::Long;
+use Vyatta::Zone;
+use Sys::Syslog qw(:standard :macros);
+
+my ($create, $delete, $update);
+
+GetOptions("create=s" => \$create,
+ "delete=s" => \$delete,
+ "update=s" => \$update,
+);
+
+if ($create and ($create eq 'true')) {
+ print "create\n";
+ # create a nfct-timeout policy based on protocol specific timers
+ # check if the rule has protocol configured
+ # if configured, check what the protocol is and get the appropriate timers.
+}
+
+if ($delete and ($delete eq 'true')) {
+ print "delete";
+}
+if ($update and ($update eq 'true')) {
+ print "update";
+}
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
new file mode 100644
index 0000000..2997e58
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: ICMP timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; ICMP timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
index 1f235f7..6fffc43 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
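Review bot: The return value of `GetOptions` on the new side is discarded, so an unrecognized or malformed option only warns and the script falls through all three `if` blocks and exits 0, which the calling commit hook would read as success. Check it, `GetOptions("create=s" => \$create, "delete=s" => \$delete, "update=s" => \$update) or die "usage: $0 --create|--delete|--update true\n";`, and exit non-zero when none of the actions matched. All three branches are still placeholders (a `print` and a comment), so this commit does not yet apply the timers the new nodes collect; `print "delete"` and `print "update"` also drop the trailing newline that `print "create\n"` has. Of the seven `use` lines only `Getopt::Long` is referenced; `Vyatta::Config`, the three `Vyatta::IpTables::*` modules, `Vyatta::Zone` and `Sys::Syslog` can be dropped until they are needed.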
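Review bot: The `icmp` node declares `type`, `default` and a range check but no `update:` or `delete:` action, so a committed value is validated and stored but nothing pushes it to the kernel; the `other`, `udp/other` and `udp/stream` nodes in this commit have the same gap. The TCP nodes in the same change apply their value with `sysctl`, so either add the matching lines here (for this node `update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@)` and a `delete:` restoring `30`) or add a comment naming the script expected to apply them, since `vyatta-conntrack-timeouts.pl` is still a stub.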
@@ -1,22 +1,2 @@
-type: txt
+help: Customize protocol specific timers
-help: Protocol to match (protocol name in /etc/protocols or protocol number or "all")
-
-val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
-val_help: u32:0-255; IP protocol number
-val_help: tcp_udp; Both TCP and UDP
-val_help: all; All IP protocols
-val_help: !<protocol>; All IP protocols except for the specified name or number
-
-syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
- && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
- echo invalid protocol \"$VAR(@)\" ; \
- exit 1 ; \
- fi ; "
-
-# Provide some help for command completion. Doesn't return negated
-# values or protocol numbers
-allowed:
- protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
- protos="all $protos tcp_udp"
- echo -n $protos
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
new file mode 100644
index 0000000..5653056
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: Generic connection timeout in seconds
+
+default: 600
+
+val_help: u32:1-21474836; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
new file mode 100644
index 0000000..0491b68
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE-WAIT timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
new file mode 100644
index 0000000..38317d5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE timeout in seconds
+
+default: 10
+
+val_help: u32:1-21474836; TCP CLOSE timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
new file mode 100644
index 0000000..9e47f1e
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP ESTABLISHED timeout in seconds
+
+default: 432000
+
+val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000
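Review bot: `update:` and `delete:` write the global `net/netfilter/nf_conntrack_tcp_timeout_close_wait` sysctl, but the node sits under `custom/rule/node.tag`, so two rules with different values overwrite the same kernel knob and the last one committed wins; the `close`, `established`, `fin-wait`, `last-ack`, `syn-recv`, `syn-sent` and `time-wait` nodes have the same shape. If per-rule timeouts are the intent, these actions belong in the timeouts script, whose `create` comment speaks of a per-rule nfct-timeout policy, rather than in the node; if a single global value is the intent, the node should not hang off a rule tag. `delete:` also repeats the literal default (`60`) instead of referring to `default:`, so the two drift apart when only one is edited. The `$VAR(@)` interpolated into the command is bounded by `type: u32` and the range check, so the shell action itself is safe as written.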
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
new file mode 100644
index 0000000..985a6a4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP FIN-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
new file mode 100644
index 0000000..3e07fe4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP LAST-ACK timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
new file mode 100644
index 0000000..2b67c51
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
@@ -0,0 +1 @@
+help: TCP connection timeout options
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
new file mode 100644
index 0000000..50c5512
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-RECEIVED timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
new file mode 100644
index 0000000..5856ba7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-SENT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
new file mode 100644
index 0000000..f6bd1c8
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP TIME-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
new file mode 100644
index 0000000..7ee8fd3
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
@@ -0,0 +1 @@
+help: UDP timeout
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
new file mode 100644
index 0000000..c0c1824
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: UDP generic timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; UDP generic timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
new file mode 100644
index 0000000..0670477
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: UDP stream timeout in seconds
+
+default: 180
+
+val_help: u32:1-21474836; UDP stream timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
|