author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-08-06 16:57:51 -0700 |
---|---|---|
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-08-06 16:57:51 -0700 |
commit | 66971a32b157e1dfe4491843ab28857aa5495a4f (patch) | |
tree | 66c35f722bc98f69b70d624e539ae568f34c8d70 | |
parent | f1315989a14f89e1629180bc16e36f21ddef2285 (diff) | |
Initial conntrack-ignore rule handling script.
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | lib/Vyatta/Conntrack/RuleIgnore.pm | 119 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-ignore.pl | 137 |
3 files changed, 258 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 26b6b1f..62642b0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -17,6 +17,7 @@ checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/conntrack-hash-s
 share_perl5_DATA = lib/Vyatta/Conntrack/Config.pm
 share_perl5_DATA += lib/Vyatta/Conntrack/ConntrackUtil.pm
 share_perl5_DATA += lib/Vyatta/Conntrack/RuleCT.pm
+share_perl5_DATA += lib/Vyatta/Conntrack/RuleIgnore.pm
 sbin_SCRIPTS = scripts/vyatta-update-conntrack-log.pl
 bin_sudo_usersdir = $(bindir)/sudo-users
@@ -24,6 +25,7 @@ bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-timeouts.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-cthelper.pl
+bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-ignore.pl
 curver_DATA = cfg-version/conntrack@1
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
new file mode 100644
index 0000000..fd10e09
--- /dev/null
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -0,0 +1,119 @@
+#
+# The timeouts are implemented using nfct-timeout policies that are
+# later applied to the corresponding iptables rules. The rules and
+# policies are distinguished based on the rule number.
+
+package Vyatta::Conntrack::RuleIgnore;
+
+use strict;
+use Vyatta::Config;
+require Vyatta::IpTables::AddressFilter;
+
+my $src = new Vyatta::IpTables::AddressFilter;
+my $dst = new Vyatta::IpTables::AddressFilter;
+my %fields = (
+ _rule_number => undef,
+ _protocol => undef,
+ _comment => undef,
+);
+
+my %dummy_rule = (
+ _rule_number => 10000,
+ _protocol => undef,
+ _comment => undef,
+);
+
+my $DEBUG = 'false';
+
+sub rule {
+ my ( $self ) = @_;
+ my ($rule, $srcrule, $dstrule, $err_str);
+ my $tcp_and_udp = 0;
+ # set CLI rule num as comment
+ my @level_nodes = split (' ', $self->{_comment});
+ print "level nodes is @level_nodes\n";
+ $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" ";
+ ($srcrule, $err_str) = $src->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
+ exit 1;
+ }
+ ($dstrule, $err_str) = $dst->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
+ exit 1;
+ }
+ if (defined($self->{_protocol})) {
+ $rule .= " -p $self->{_protocol}";
+ }
+ $rule .= " $srcrule $dstrule ";
+ print "rule is $rule\n";
+ return $rule;
+}
+
+sub new {
+ my $that = shift;
+ my $class = ref ($that) || $that;
+ my $self = {
+ %fields,
+ };
+
+ bless $self, $class;
+ return $self;
+}
+
+sub setup_base {
+ my ($self, $level, $val_func, $exists_func, $addr_setup) = @_;
+ my $config = new Vyatta::Config;
+
+ $config->setLevel("$level");
+ $self->{_comment} = $level;
+ $self->{_rule_number} = $config->returnParent("..");
+
+ $src->$addr_setup("$level source");
+ $src->{_protocol} = $self->{_protocol};#needed to use address filter
+ if (($src->{_protocol}) and (($src->{_protocol} ne 'tcp') or ($src->{_protocol} ne 'udp')) and (defined($src->{_port})) ) {
+ die "Error: Cannot specify port with protocol $src->{_protocol}\n";
+ }
+ $dst->$addr_setup("$level destination");
+ $dst->{_protocol} = $self->{_protocol};#needed to use address filter
+ if (($dst->{_protocol}) and (($dst->{_protocol} ne 'tcp') or ($dst->{_protocol} ne 'udp')) and (defined($dst->{_port})) ) {
+ die "Error: Cannot specify port with protocol $dst->{_protocol}\n";
+ }
+
+ return 0;
+}
+
+sub setup {
+ my ($self, $level) = @_;
+
+ $self->setup_base($level, 'returnValue', 'exists', 'setup');
+ return 0;
+}
+
+sub setupOrig {
+ my ($self, $level) = @_;
+ $self->setup_base($level, 'returnOrigValue', 'existsOrig', 'setupOrig');
+ return 0;
+}
+
+sub print {
+ my ( $self ) = @_;
+
+ print "rulenum: $self->{_rule_number}\n" if defined $self->{_rule_number};
+ print "protocol: $self->{_protocol}\n" if defined $self->{_protocol};
+ print "inbound interface: $self->{_interface}\n" if defined $self->{_interface};
+ $src->print();
+ $dst->print();
+}
+
+
+
+
+1;
+
+# Local Variables:
+# mode: perl
+# indent-tabs-mode: nil
+# perl-indent-level: 2
+# End:
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
new file mode 100644
index 0000000..ed5b23a
--- /dev/null
+++ b/scripts/vyatta-conntrack-ignore.pl
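Review bot: The port guard in setup_base can never be satisfied the intended way: `($src->{_protocol} ne 'tcp') or ($src->{_protocol} ne 'udp')` is true for every protocol value, so any rule that sets a protocol together with a port dies, tcp and udp included; both the `$src` and the `$dst` check should read `(... ne 'tcp') and (... ne 'udp')`. Nothing in setup_base ever assigns `$self->{_protocol}` (the `$val_func` and `$exists_func` parameters are unused), so as written that guard is dead and rule() never emits `-p`; presumably a `$config->$val_func("protocol")` read was intended. In rule(), `split(' ', $self->{_comment})` on the level string the script passes (`system conntrack ignore rule N`) yields five tokens, so `$level_nodes[5]` is undef and the iptables comment comes out as `ignore-`; the rule number is `$level_nodes[4]`. The module also lacks `use warnings`, which would have flagged that uninitialized interpolation, and the `print "level nodes ..."` / `print "rule is ..."` lines write debug output to stdout unconditionally even though a `$DEBUG` flag is declared.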
@@ -0,0 +1,137 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::Conntrack::RuleCT;
+use Vyatta::Conntrack::RuleIgnore;
+use Vyatta::IpTables::AddressFilter;
+use Vyatta::Conntrack::ConntrackUtil;
+use Getopt::Long;
+use Vyatta::Zone;
+use Sys::Syslog qw(:standard :macros);
+
+#for future use when v6 timeouts need to be set
+my %cmd_hash = ( 'ipv4' => 'iptables',
+ 'ipv6' => 'ip6tables');
+# Enable printing debug output to stdout.
+my $debug_flag = 0;
+
+# Enable sending debug output to syslog.
+my $syslog_flag = 0;
+my $nfct = "sudo /usr/sbin/nfct";
+my ($create, $delete, $update);
+my $CTERROR = "Conntrack timeout error:";
+GetOptions("create=s" => \$create,
+ "delete=s" => \$delete,
+ "update=s" => \$update,
+);
+
+update_config();
+
+openlog("vyatta-conntrack", "pid", "local0");
+
+sub remove_ignore_policy {
+ my ($rule_string) = @_;
+# my $iptables_cmd1 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j CT --timeout $tokens[0]";
+ # my $iptables_cmd2 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j RETURN";
+ # run_cmd($iptables_cmd2);
+ # if ($? >> 8) {
+ # print "$CTERROR failed to run $iptables_cmd2\n";
+ #dont exit, try to clean as much.
+ # }
+ # run_cmd($iptables_cmd1);
+ # if ($? >> 8) {
+ # print "$CTERROR failed to run $iptables_cmd1\n";
+ # }
+}
+
+sub apply_ignore_policy {
+ # my ($rule_string, $timeout_policy, $rule, $num_rules) = @_;
+ # insert at num_rules + 1 as there are so many rules already.
+ # my $iptables_cmd1 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j CT --timeout $tokens[0]";
+ # $num_rules +=1;
+ # my $iptables_cmd2 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j RETURN";
+ # run_cmd($nfct_timeout_cmd);
+ # if ($? >> 8) {
+ # print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ # exit 1;
+ # }
+ # run_cmd($iptables_cmd1);
+ # if ($? >> 8) {
+ # #cleanup the policy before exit. 
+ # run_cmd("nfct timeout delete policy_timeout_$rule");
+ # print "$CTERROR failed to run $iptables_cmd1\n";
+ # exit 1;
+ # }
+}
+
+sub handle_rule_creation {
+ my ($rule, $num_rules) = @_;
+ my $node = new Vyatta::Conntrack::RuleIgnore;
+ my ($rule_string, $timeout_policy);
+
+ print "handle_rule_creation\n";
+ do_interface_check($rule);
+ $node->setup("system conntrack ignore rule $rule");
+ $rule_string = $node->rule();
+ #apply_ignore_policy($rule_string, $rule, $num_rules);
+}
+
+# mandate only one interface configuration per rule
+sub do_interface_check {
+ my ($rule) = @_;
+ my $config = new Vyatta::Config;
+ my $intf_nos = $config->listNodes("system conntrack ignore rule $rule inbound-interface");
+ if (($intf_nos > 1)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: configure at most one inbound interface in rule $rule");
+ exit 1;
+ }
+}
+
+sub handle_rule_modification {
+ my ($rule, $num_rules) = @_;
+ print "handle_rule_modification\n";
+ do_interface_check($rule);
+ handle_rule_deletion($rule);
+ handle_rule_creation($rule, $num_rules);
+}
+
+sub handle_rule_deletion {
+ my ($rule) = @_;
+ my $node = new Vyatta::Conntrack::RuleIgnore;
+ my ($rule_string);
+ print "handle_rule_deletion\n";
+ $node->setupOrig("system conntrack ignore rule $rule");
+ $rule_string = $node->rule();
+ remove_ignore_policy($rule_string);
+}
+
+sub numerically { $a <=> $b; }
+
+sub update_config {
+ my $config = new Vyatta::Config;
+ my %rules = (); #hash of ignore config rules
+ my $iptables_cmd = $cmd_hash{'ipv4'};
+
+ $config->setLevel("system conntrack ignore rule");
+ %rules = $config->listNodeStatus();
+
+ my $iptablesrule = 1;
+ foreach my $rule (sort numerically keys %rules) {
+ if ("$rules{$rule}" eq 'static') {
+ $iptablesrule+=2;
+ } elsif ("$rules{$rule}" eq 'added') {
+ handle_rule_creation($rule, $iptablesrule);
+ $iptablesrule+=2;
+ } elsif ("$rules{$rule}" eq 'changed') {
+ handle_rule_modification($rule, $iptablesrule);
+ $iptablesrule+=2;
+ } elsif ("$rules{$rule}" eq 'deleted') {
+ handle_rule_deletion($rule);
+ }
+ }
+}
+
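Review bot: `update_config()` is called unconditionally right after GetOptions, so the `--create`, `--delete` and `--update` values parsed into `$create`/`$delete`/`$update` are never consulted, and `openlog` only runs once all the work is done; either dispatch on the options or drop them, and move `openlog(...)` ahead of the call. In do_interface_check, `my $intf_nos = $config->listNodes(...)` evaluates listNodes in scalar context, which is a node count only if that method ends in `return @nodes` (not visible here); `my @intfs = $config->listNodes(...); if (@intfs > 1) {` states the intent without depending on it, and handle_rule_modification runs this check and then handle_rule_creation repeats it. Much of the preamble looks carried over from the timeout script and is unused in this one (`Vyatta::Conntrack::RuleCT`, `Vyatta::Zone`, `%cmd_hash`/`$iptables_cmd`, `$nfct`, `$debug_flag`, `$syslog_flag`, and `$CTERROR` still reads "Conntrack timeout error:"). When the commented-out bodies of apply_ignore_policy and remove_ignore_policy are re-enabled, pass the iptables invocation as an argument list (`system('iptables', '-t', 'raw', '-D', ...)`, or the list form of run_cmd if it has one) rather than one interpolated string, so the rule text and its `--comment` value are never re-parsed by a shell.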