authorGaurav Sinha <gaurav.sinha@vyatta.com>2012-06-06 21:02:41 -0700
committerGaurav Sinha <gaurav.sinha@vyatta.com>2012-06-06 21:02:41 -0700
commit1a5d31c8eae4ad66c86ed66602128afc811d18e3 (patch)
treee9473b64a8ec4d648a55757df44a79f6afd9fe93
parent15f68c59c5836a731a7a76e6c04da170edd53f58 (diff)
parent3d0f8a19a4a58b5b93cdde90ef963f0708c73063 (diff)
Merge branch 'user_space_helpers' into pacifica
Conflicts: lib/Vyatta/Conntrack/ConntrackUtil.pm
-rw-r--r--Makefile.am1
-rw-r--r--lib/Vyatta/Conntrack/ConntrackUtil.pm23
-rw-r--r--scripts/vyatta-cthelper.pl84
-rw-r--r--templates-cfg/system/conntrack/modules/nfs/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/nfs/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sqlnet/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/sqlnet/node.def1
-rw-r--r--templates-cfg/system/conntrack/node.def2
-rw-r--r--templates-cfg/system/conntrack/table-size/node.def2
9 files changed, 124 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index 39a08b2..26b6b1f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ bin_sudo_usersdir = $(bindir)/sudo-users
bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-timeouts.pl
+bin_sudo_users_SCRIPTS += scripts/vyatta-cthelper.pl
curver_DATA = cfg-version/conntrack@1
diff --git a/lib/Vyatta/Conntrack/ConntrackUtil.pm b/lib/Vyatta/Conntrack/ConntrackUtil.pm
index 104f237..bdc4961 100644
--- a/lib/Vyatta/Conntrack/ConntrackUtil.pm
+++ b/lib/Vyatta/Conntrack/ConntrackUtil.pm
@@ -24,9 +24,8 @@
#
package Vyatta::Conntrack::ConntrackUtil;
+use Vyatta::IpTables::Mgr;
use base qw(Exporter);
-our @EXPORT = qw(check_for_conntrack_hooks,
- process_protocols);
sub process_protocols {
my $proto = undef;
@@ -42,6 +41,7 @@ sub process_protocols {
close $proto;
return \%proto_hash;
}
+our @EXPORT = qw(check_for_conntrack_hooks, process_protocols, check_and_add_helpers);
#function to find if connection tracking is enabled.
#looks in the iptables to see if any of the features introduced
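Review bot: The commas inside `qw()` on the new `@EXPORT` line become part of the exported names, so `check_for_conntrack_hooks,` and `process_protocols,` are exported with a trailing comma (under `use warnings` Perl also reports "Possible attempt to separate words with commas"), and only `check_and_add_helpers`, the last word, is exported as intended. Replace the line with `our @EXPORT = qw(check_for_conntrack_hooks process_protocols check_and_add_helpers);`. The first hunk of this file removed the old list that already carried the same comma after `check_for_conntrack_hooks`, so this is the moment to drop it rather than carry the defect over.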
@@ -64,4 +64,23 @@ sub check_for_conntrack_hooks {
}
}
1;
+
+sub
+check_ct_helper_rules {
+ my $index;
+ my $cthelper_chain = "VYATTA_CT_HELPER";
+ foreach my $label ('PREROUTING', 'OUTPUT') {
+ $index = ipt_find_chain_rule($iptables_cmd, 'raw', $label, $cthelper_chain);
+ if (!defined($index)) {
+ # add VYATTA_CT_HELPER to PREROUTING / OUTPUT
+ print "hook not present\n";
+ }
+ }
+}
+
+sub check_and_add_helpers {
+ if (check_for_conntrack_hooks()) {
+ check_ct_helper_rules();
+ }
+}
# end of file
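Review bot: `$iptables_cmd`, passed to `ipt_find_chain_rule` in `check_ct_helper_rules`, is not declared or assigned anywhere visible in this module; if the file runs under `use strict` (its header is outside the hunk) it will not compile, and otherwise the lookup runs with an undefined command. The new vyatta-cthelper.pl takes the command from a `%cmd_hash` map, and the same belongs here, e.g. `my $iptables_cmd = 'iptables';` before the `foreach`. The branch that finds the hook missing only prints "hook not present" although its comment says it adds VYATTA_CT_HELPER to PREROUTING/OUTPUT, so `check_and_add_helpers` currently adds nothing; if that is deliberate scaffolding, a `# TODO: insert the jump to VYATTA_CT_HELPER here` marker makes it explicit. The two new subs are also placed after the module's `1;` and before the `# end of file` comment, which works but is easy to misread; keeping `1;` as the last statement is the convention.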
diff --git a/scripts/vyatta-cthelper.pl b/scripts/vyatta-cthelper.pl
new file mode 100644
index 0000000..f038037
--- /dev/null
+++ b/scripts/vyatta-cthelper.pl
@@ -0,0 +1,84 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::Conntrack::ConntrackUtil;
+use Vyatta::IpTables::Mgr;
+use Getopt::Long;
+use Sys::Syslog qw(:standard :macros);
+
+
+#for future
+my %cmd_hash = ( 'ipv4' => 'iptables',
+ 'ipv6' => 'ip6tables');
+
+my $nfct = "sudo /opt/vyatta/sbin/nfct";
+my ($enable_sqlnet, $disable_sqlnet, $enable_nfs, $disable_nfs);
+my $CTERROR = "Conntrack error:";
+
+GetOptions('enable_sqlnet=s' => \$enable_sqlnet,
+ 'disable_sqlnet=s' => \$disable_sqlnet,
+ 'disable_nfs=s' => \$disable_nfs,
+ 'enable_nfs=s' => \$enable_nfs,
+);
+
+# subroutine to add helper rule to VYATTA_CT_HELPER chain.
+sub
+add_helper_to_chain {
+ my ($module) = @_;
+ my $iptables_cmd = $cmd_hash {'ipv4'};
+ if ($module eq 'sqlnet') {
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
+ } elsif ($module eq 'nfs') {
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
+ }
+}
+
+# subroutine to delete helper rule from VYATTA_CT_HELPER chain.
+sub
+delete_helper_from_chain {
+ my ($module) = @_;
+ my $iptables_cmd = $cmd_hash {'ipv4'};
+ if ($module eq 'sqlnet') {
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
+ } elsif ($module eq 'nfs') {
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
+ }
+}
+
+# should disable the required helper module
+sub disable_helper_module {
+ my ($module) = @_;
+
+ print "disable $module\n";
+ delete_helper_from_chain($module);
+}
+
+# should enable the required helper module
+sub enable_helper_module {
+ my ($module) = @_;
+
+ print "enable $module\n";
+ add_helper_to_chain($module);
+}
+
+if (defined $enable_sqlnet){
+ enable_helper_module("sqlnet");
+} elsif (defined $disable_sqlnet) {
+ disable_helper_module("sqlnet");
+} elsif (defined $enable_nfs) {
+ enable_helper_module("nfs");
+} elsif (defined $disable_nfs) {
+ disable_helper_module("nfs");
+}
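Review bot: Every `run_cmd` call in `add_helper_to_chain` and `delete_helper_from_chain` is commented out and replaced by a `print` of the command string, so this script, which the new node.def files invoke through sudo on commit, changes nothing in the raw table; if that is deliberate until the CT target is usable, a `# TODO:` marker is clearer than dead code. When the calls are restored, build each rule as an argument list and run it with list-form `system` so no shell parses the string, and check the exit status instead of discarding it. The `GetOptions` result is not checked and the `=s` values (`--enable_nfs=nfs`) are never read, so an unknown or malformed option silently does nothing; `GetOptions(...) or die "$CTERROR invalid options\n";` closes the first gap, and the unused `$nfct`, `$CTERROR`, `Vyatta::Config` and `Sys::Syslog` imports suggest the rest is still to come. A data-driven form of `add_helper_to_chain` (the delete path is symmetric with `-D`) keeps port and helper names in one table:
```perl
my %helper_rules_for = (
    sqlnet => [ [ 1521, 'oracletns' ], [ 1525, 'oracletns' ] ],
    nfs    => [ [ 111,  'nfs' ] ],
);

sub add_helper_to_chain {
    my ($module) = @_;
    my $iptables_cmd = $cmd_hash{'ipv4'};
    my $rules = $helper_rules_for{$module} or return;
    for my $rule (@$rules) {
        my ($port, $helper) = @$rule;
        # list form: no shell involved, every argument passed verbatim
        system($iptables_cmd, '-t', 'raw', '-I', 'VYATTA_CT_HELPER',
               '-p', 'tcp', '--dport', $port, '-j', 'CT', '--helper', $helper) == 0
            or warn "$CTERROR failed to add $helper rule for port $port\n";
    }
}
# … unchanged: disable_helper_module / enable_helper_module / option dispatch …
```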
diff --git a/templates-cfg/system/conntrack/modules/nfs/disable/node.def b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
new file mode 100644
index 0000000..90f9103
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
@@ -0,0 +1,7 @@
+help: disable NFS protocol connection tracking helper
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_nfs=nfs
+ else
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_nfs=nfs
+ fi;
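Review bot: `${COMMIT_ACTION}` is expanded unquoted in the `end:` test, so if it is ever empty the test becomes `[ = 'DELETE' ]` and the shell reports a syntax error instead of taking the disable branch; write `if [ "${COMMIT_ACTION}" = 'DELETE' ]; then`. The same applies to the sqlnet disable/node.def hunk below. The `=nfs` value passed to `--enable_nfs`/`--disable_nfs` is not read by vyatta-cthelper.pl, which only tests whether the option is defined, so a plain flag option would be clearer, but that is a matter of style.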
diff --git a/templates-cfg/system/conntrack/modules/nfs/node.def b/templates-cfg/system/conntrack/modules/nfs/node.def
new file mode 100644
index 0000000..3d1fb34
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/nfs/node.def
@@ -0,0 +1 @@
+help: NFS protocol connection tracking helper settting
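Review bot: `settting` in the new help string is misspelled, and this text is what the CLI presents for the `system conntrack modules nfs` node. Use `help: NFS protocol connection tracking helper setting`, which also matches the wording of the sqlnet node added in the same commit.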
diff --git a/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
new file mode 100644
index 0000000..aac316b
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
@@ -0,0 +1,7 @@
+help: disable SQLnet protocol connection tracking helper
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_sqlnet=sqlnet
+ else
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_sqlnet=sqlnet
+ fi;
diff --git a/templates-cfg/system/conntrack/modules/sqlnet/node.def b/templates-cfg/system/conntrack/modules/sqlnet/node.def
new file mode 100644
index 0000000..a62048e
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sqlnet/node.def
@@ -0,0 +1 @@
+help: SQLnet protocol connection tracking helper setting
diff --git a/templates-cfg/system/conntrack/node.def b/templates-cfg/system/conntrack/node.def
index 53488ae..211c963 100644
--- a/templates-cfg/system/conntrack/node.def
+++ b/templates-cfg/system/conntrack/node.def
@@ -20,5 +20,5 @@ delete: # set conntrack table size to standard 16384 entries if conntrack settin
# need to restart conntrackd with updated conntrack table size
if cli-shell-api existsActive service conntrack-sync; then
- sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
fi
diff --git a/templates-cfg/system/conntrack/table-size/node.def b/templates-cfg/system/conntrack/table-size/node.def
index b44b563..6b1decf 100644
--- a/templates-cfg/system/conntrack/table-size/node.def
+++ b/templates-cfg/system/conntrack/table-size/node.def
@@ -28,7 +28,7 @@ update:
sudo sysctl -q -w net/nf_conntrack_max=$VAR(@)
# need to restart conntrackd with updated conntrack table size
if cli-shell-api existsActive service conntrack-sync; then
- sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
fi