Merge branch 'cttimeout_pacifica' into oxnard

Brings in the changes needed for connection tracking timeouts per connection.

Conflicts:
	.frlog
	debian/changelog

1 files changed, 174 insertions, 0 deletions

diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
new file mode 100644
index 0000000..525a438
--- /dev/null
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -0,0 +1,174 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::Conntrack::RuleCT;
+use Vyatta::IpTables::AddressFilter;
+use Getopt::Long;
+use Vyatta::Zone;
+use Sys::Syslog qw(:standard :macros);
+
+#for future use when v6 timeouts need to be set
+my %cmd_hash = ( 'ipv4'        => 'iptables',
+		 'ipv6'   => 'ip6tables');
+# Enable printing debug output to stdout.
+my $debug_flag = 0;
+
+# Enable sending debug output to syslog.
+my $syslog_flag = 0;
+my $nfct = "sudo /opt/vyatta/sbin/nfct";
+my ($create, $delete, $update);
+my $CTERROR = "Conntrack timeout error:";
+GetOptions("create=s"        => \$create,
+           "delete=s"        => \$delete,
+           "update=s"        => \$update,
+);
+
+update_config();
+
+openlog("vyatta-conntrack", "pid", "local0");
+
+sub log_msg {
+  my $message = shift;
+
+  print "DEBUG: $message\n" if $debug_flag;
+  syslog(LOG_DEBUG, "%s", $message) if $syslog_flag;
+}
+# Run command and capture output
+# run_cmd("$iptables_cmd -t $table -F $name", 1);
+# if command fails, then send output to syslog
+sub run_cmd {
+  my ($cmd_to_run, $redirect) = @_;
+
+  log_msg("Running: $cmd_to_run");
+#  print "$cmd_to_run\n";
+
+  if ($redirect) {
+    open (my $out, '-|',  $cmd_to_run . ' 2>&1')
+        or die "Can't run command \"$cmd_to_run\": $!";
+    my @cmd_out = <$out>;
+  
+    # if command suceeds to do nothing.
+    return if (close ($out));
+  
+    foreach my $line (@cmd_out) {
+      chomp $line;
+      syslog(LOG_INFO, "%s", $line);
+    }
+  } else {
+    system($cmd_to_run);
+  }
+}
+
+sub remove_timeout_policy {
+    my ($rule_string, $timeout_policy) = @_;
+    my @tokens = split (' ', $timeout_policy);
+    # First remove the iptables rules before removing policy.
+    my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
+    my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
+    my $nfct_timeout_cmd = "$nfct timeout delete $timeout_policy"; 
+    run_cmd($iptables_cmd2);
+    if ($? >> 8) {
+      print "$CTERROR failed to run $iptables_cmd2\n";    
+      #dont exit, try to clean as much. 
+    }
+    run_cmd($iptables_cmd1);
+    if ($? >> 8) {
+      print "$CTERROR failed to run $iptables_cmd1\n";    
+    }
+    run_cmd($nfct_timeout_cmd);
+    if ($? >> 8) {
+      print "$CTERROR failed to run $nfct_timeout_cmd\n";    
+    }
+}
+
+# nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10
+# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -j CT --timeout policy1
+sub apply_timeout_policy {
+    my ($rule_string, $timeout_policy, $rule) = @_;
+    my $nfct_timeout_cmd = "$nfct timeout add $timeout_policy"; 
+    my @tokens = split (' ', $timeout_policy);
+    my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
+    my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
+    run_cmd($nfct_timeout_cmd);
+    if ($? >> 8) {
+      print "$CTERROR failed to run $nfct_timeout_cmd\n";    
+      exit 1; 
+    }
+    run_cmd($iptables_cmd1);
+    if ($? >> 8) {
+      #cleanup the policy before exit. 
+      run_cmd("nfct timeout delete policy_timeout_$rule");   
+      print "$CTERROR failed to run $iptables_cmd1\n";    
+      exit 1; 
+    }
+    run_cmd($iptables_cmd2);
+    if ($? >> 8) {
+      run_cmd("nfct timeout delete policy_timeout_$rule");   
+      run_cmd("iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]");   
+      print "$CTERROR failed to run $iptables_cmd2\n";    
+      exit 1;
+    }
+}
+
+sub handle_rule_creation {
+  my ($rule) = @_;
+  my $node = new Vyatta::Conntrack::RuleCT;
+  my ($rule_string, $timeout_policy);
+  do_protocol_check($rule);
+  $node->setup("system conntrack timeout custom rule $rule");
+  $rule_string = $node->rule();
+  $timeout_policy = $node->get_policy_command("add"); #nfct-timeout command string
+  apply_timeout_policy($rule_string, $timeout_policy, $rule);
+}
+
+# we mandate only one protocol configuration per rule
+sub do_protocol_check {
+  my ($rule) = @_;
+  my $config = new Vyatta::Config;
+  my $protocol_nos = $config->listNodes("system conntrack timeout custom rule $rule protocol");
+  if (($protocol_nos > 1) or ($protocol_nos < 1)) {
+    Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: please configure exactly one protocol in rule $rule");
+    exit 1;
+  }
+}
+
+sub handle_rule_modification {
+  my ($rule) = @_;
+  do_protocol_check($rule);
+  handle_rule_deletion($rule);
+  handle_rule_creation($rule);
+}
+
+sub handle_rule_deletion {
+  my ($rule) = @_;
+  my $node = new Vyatta::Conntrack::RuleCT;
+  my ($rule_string, $timeout_policy);
+  $node->setupOrig("system conntrack timeout custom rule $rule");
+  $rule_string = $node->rule();
+  $timeout_policy = $node->get_policy_command("delete"); #nfct-timeout command string
+  remove_timeout_policy($rule_string, $timeout_policy);
+}
+
+sub update_config {
+  my $config = new Vyatta::Config;
+  my %rules = (); #hash of timeout config rules  
+  my $iptables_cmd = $cmd_hash{'ipv4'};
+
+  $config->setLevel("system conntrack timeout custom rule");
+  %rules = $config->listNodeStatus();
+  foreach my $rule (sort keys %rules) { 
+    if ("$rules{$rule}" eq 'static') {
+    } elsif ("$rules{$rule}" eq 'added') {      
+        handle_rule_creation($rule);
+    } elsif ("$rules{$rule}" eq 'changed') {
+        handle_rule_modification($rule);
+    } elsif ("$rules{$rule}" eq 'deleted') {
+        handle_rule_deletion($rule);
+    }  
+  }
+}
+