author | Gaurav <gaurav.sinha@vyatta.com> | 2012-03-20 20:39:02 -0700 |
---|---|---|
committer | Gaurav <gaurav.sinha@vyatta.com> | 2012-03-20 20:39:02 -0700 |
commit | 544fd5facd786cd2a0eca1f46399c62e2d8ab667 (patch) | |
tree | 0839b56f058c27ae5a4ac653a0c2a69db3aaf634 | |
parent | 1cf46da939878377ef6e1195af4eb4b68ca672fa (diff) | |
parent | 9e6dec7e0fbf269074a15b0fcfa0aee2e4cc43fb (diff) | |
ct timeouts changes
-rw-r--r-- | .frlog | 2 | ||||
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | lib/Vyatta/Conntrack/RuleCT.pm | 16 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-timeouts.pl | 36 | ||||
-rw-r--r-- | templates-cfg/system/conntrack/timeout/custom/node.def | 12 |
5 files changed, 28 insertions, 44 deletions
@@ -1,4 +1,4 @@
 Fri Nov 4 05:42:12 NOVT 2011: [Force build] at [debian/0.1]
 Wed Jan 4 01:55:59 NOVT 2012: [Force release] at [debian/0.26]
 Tue Jan 31 11:14:11 PST 2012: [reset epoch] at [debian/0.27]
-Sat Mar 3 02:25:48 PST 2012: [new branch] at [debian/0.28]
+Sat Mar 3 02:23:05 PST 2012: [new branch] at [debian/0.28]
diff --git a/debian/changelog b/debian/changelog
index d41ac7d..8c030d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -49,13 +49,13 @@ vyatta-conntrack (0.30) unstable; urgency=low
 * fixing 7866
- -- Gaurav Sinha <gaurav.sinha@vyatta.com> Fri, 16 Mar 2012 15:49:43 -0700
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Fri, 16 Mar 2012 15:42:47 -0700
-vyatta-conntrack (0.29) unstable; urgency=low
+vyatta-conntrack (0.28+oxnard1) unstable; urgency=low
 * new branch
- -- Deepti Kulkarni <deepti@vyatta.com> Sat, 03 Mar 2012 02:25:49 -0800
+ -- Deepti Kulkarni <deepti@vyatta.com> Sat, 03 Mar 2012 02:23:06 -0800
 vyatta-conntrack (0.28) unstable; urgency=low
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index bab941e..319edb4 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -81,7 +81,7 @@ sub rule {
 } elsif ($self->{_protocol} eq "icmp") {
 $rule .= " -p icmp";
 } elsif ($self->{_protocol} eq "other") {
- $rule .= " -p 255";
+ $rule .= " -p all";
 }
 $rule .= " $srcrule $dstrule ";
 return $rule;
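Review bot: Mapping protocol `other` to `-p all` makes the raw-table CT rule match every protocol, tcp, udp and icmp included, so a rule meant for the generic timeout can now capture flows that a tcp/udp/icmp rule was supposed to govern; which one wins depends on rule order, and since the script inserts with `-I`, the rule installed last sits first in the chain. If `other` is meant to be "anything except tcp/udp/icmp", the branch needs explicit exclusions, and if it is meant as a catch-all, say so where the match is built: `# "other" maps to -p all: it matches every protocol, so rule order against tcp/udp/icmp rules decides`. The rest of `rule` lies outside the hunk, so the ordering cannot be confirmed from here.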
@@ -199,22 +199,22 @@ sub get_policy_command {
 $command .= " close $self->{_tcp}->{_close}";
 }
 if ($self->{_tcp}->{_close_wait}) {
- $command .= " close-wait $self->{_tcp}->{_close_wait}";
+ $command .= " close_wait $self->{_tcp}->{_close_wait}";
 }
 if ($self->{_tcp}->{_time_wait}) {
- $command .= " time-wait $self->{_tcp}->{_time_wait}";
+ $command .= " time_wait $self->{_tcp}->{_time_wait}";
 }
 if ($self->{_tcp}->{_syn_recv}) {
- $command .= " syn-recv $self->{_tcp}->{_syn_recv}";
+ $command .= " syn_recv $self->{_tcp}->{_syn_recv}";
 }
 if ($self->{_tcp}->{_syn_sent}) {
- $command .= " syn-sent $self->{_tcp}->{_syn_sent}";
+ $command .= " syn_sent $self->{_tcp}->{_syn_sent}";
 }
 if ($self->{_tcp}->{_last_ack}) {
- $command .= " last-ack $self->{_tcp}->{_last_ack}";
+ $command .= " last_ack $self->{_tcp}->{_last_ack}";
 }
 if ($self->{_tcp}->{_fin_wait}) {
- $command .= " fin-wait $self->{_tcp}->{_fin_wait}";
+ $command .= " fin_wait $self->{_tcp}->{_fin_wait}";
 }
 if ($self->{_tcp}->{_established}) {
 $command .= " established $self->{_tcp}->{_established}";
@@ -228,7 +228,7 @@ sub get_policy_command {
 $command .= " replied $self->{_udp}->{_stream}";
 }
 } elsif ($self->{_protocol} eq 'icmp') {
- $command .= " icmp $self->{_icmp}";
+ $command .= " icmp timeout $self->{_icmp}";
 } elsif ($self->{_protocol} eq 'other') {
 $command .= " generic timeout $self->{_other}";
 }
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index 8fe2e39..525a438 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -44,7 +44,7 @@ sub run_cmd {
 my ($cmd_to_run, $redirect) = @_;
 log_msg("Running: $cmd_to_run");
- print "$cmd_to_run\n";
+# print "$cmd_to_run\n";
 if ($redirect) {
 open (my $out, '-|', $cmd_to_run . ' 2>&1')
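Review bot: The tcp state keywords emitted by `get_policy_command` now use underscores (`close_wait`, `time_wait`, `syn_recv`, `syn_sent`, `last_ack`, `fin_wait`), but the worked example above `apply_timeout_policy` in scripts/vyatta-conntrack-timeouts.pl, visible in the later hunk of this commit, still reads `# nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10` and will steer the next reader back to the hyphenated form. Update that example to `# nfct timeout add policy1 tcp established 1200 close_wait 100 fin_wait 10` so the comment matches the command string this sub actually builds. `get_policy_command` starts and ends outside the hunk.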
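Review bot: Commenting out `print "$cmd_to_run\n";` with a column-0 `#` leaves dead code in `run_cmd`; the preceding `log_msg("Running: $cmd_to_run")` already records the command, so delete the line, or if stdout echo is still wanted during development make it `print "$cmd_to_run\n" if $debug;` behind an explicit flag. The `open (my $out, '-|', $cmd_to_run . ' 2>&1')` below passes one string, so the command is still interpreted by a shell; that predates this change but matters because the command text is assembled from configuration values. `run_cmd` continues past the end of the hunk.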
@@ -72,51 +72,45 @@ sub remove_timeout_policy {
 my $nfct_timeout_cmd = "$nfct timeout delete $timeout_policy";
 run_cmd($iptables_cmd2);
 if ($? >> 8) {
- # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
- #print "$CTERROR failed to run $iptables_cmd2\n";
+ print "$CTERROR failed to run $iptables_cmd2\n";
 #dont exit, try to clean as much.
 }
 run_cmd($iptables_cmd1);
 if ($? >> 8) {
- # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
- #print "$CTERROR failed to run $iptables_cmd1\n";
+ print "$CTERROR failed to run $iptables_cmd1\n";
 }
 run_cmd($nfct_timeout_cmd);
 if ($? >> 8) {
- # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
- #print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ print "$CTERROR failed to run $nfct_timeout_cmd\n";
 }
 }
 # nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10
 # iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -j CT --timeout policy1
 sub apply_timeout_policy {
- my ($rule_string, $timeout_policy) = @_;
+ my ($rule_string, $timeout_policy, $rule) = @_;
 my $nfct_timeout_cmd = "$nfct timeout add $timeout_policy";
 my @tokens = split (' ', $timeout_policy);
 my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
 my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
 run_cmd($nfct_timeout_cmd);
 if ($? >> 8) {
- # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
-# print "$CTERROR failed to run $nfct_timeout_cmd\n";
-# exit 1;
+ print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ exit 1;
 }
 run_cmd($iptables_cmd1);
 if ($? >> 8) {
 #cleanup the policy before exit.
- # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
-# run_cmd("nfct timeout remove $timeout_policy");
-# print "$CTERROR failed to run $iptables_cmd1\n";
-# exit 1;
+ run_cmd("nfct timeout delete policy_timeout_$rule");
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ exit 1;
 }
 run_cmd($iptables_cmd2);
 if ($? >> 8) {
- # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
-# run_cmd("nfct timeout remove $timeout_policy");
-# run_cmd("iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]");
-# print "$CTERROR failed to run $iptables_cmd2\n";
-# exit 1;
+ run_cmd("nfct timeout delete policy_timeout_$rule");
+ run_cmd("iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]");
+ print "$CTERROR failed to run $iptables_cmd2\n";
+ exit 1;
 }
 }
@@ -128,7 +122,7 @@ sub handle_rule_creation {
 $node->setup("system conntrack timeout custom rule $rule");
 $rule_string = $node->rule();
 $timeout_policy = $node->get_policy_command("add"); #nfct-timeout command string
- apply_timeout_policy($rule_string, $timeout_policy);
+ apply_timeout_policy($rule_string, $timeout_policy, $rule);
 }
 # we mandate only one protocol configuration per rule
diff --git a/templates-cfg/system/conntrack/timeout/custom/node.def b/templates-cfg/system/conntrack/timeout/custom/node.def
index 94039fe..4421b83 100644
--- a/templates-cfg/system/conntrack/timeout/custom/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/node.def
@@ -1,13 +1,3 @@
 help: Define custom timeouts per connection
-end: if sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --update 'true';
- then
- if [ ${COMMIT_ACTION} = 'DELETE' ] ;
- then
- sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --delete 'true';
- fi
- else
- exit 1;
- fi
-
-create: sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --create 'true'
+end:expression: "sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl" |
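Review bot: The two new rollback calls `run_cmd("nfct timeout delete policy_timeout_$rule")` in `apply_timeout_policy` invoke a bare `nfct`, while every other command in the hunk goes through the `$nfct` variable (`"$nfct timeout add $timeout_policy"`), so the cleanup depends on the caller's PATH and can fail quietly where the add succeeded; they also hard-code the policy name `policy_timeout_$rule` instead of reusing `$tokens[0]`, the name the iptables commands pass to `--timeout`. Use `run_cmd("$nfct timeout delete $tokens[0]");` in both places so add and delete cannot drift apart, which also makes the new `$rule` parameter and the matching call-site change in `handle_rule_creation` unnecessary. In `remove_timeout_policy` the three failures are now printed but the sub still returns normally, which is reasonable for best-effort teardown but deserves a one-line comment saying so; that sub begins outside the hunk.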
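Review bot: The new `end:expression:` line runs vyatta-conntrack-timeouts.pl with no arguments, whereas the removed `end:` and `create:` actions passed `--update`, `--create` and `--delete` and turned a script failure into `exit 1`; unless the script's option handling, which is not part of this diff, now derives the action from the configuration state, the delete path and the commit failure on error are lost. Please confirm the script handles an argument-less invocation and that a non-zero exit still aborts the commit, and document the invocation contract in the script's header comment so the template and the script stay in step.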