author | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-11-04 05:55:45 +0700 |
---|---|---|
committer | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-11-04 05:55:45 +0700 |
commit | e59537545e40756a893134c25eff533ccce3adb8 (patch) | |
tree | 85110d89d4ea23c2650b0d0f42b3cbd32a150dd9 /templates-cfg/system | |
parent | 174565005c06c4b7cc6f64b977f63f87b9bd75df (diff) | |
download | vyatta-conntrack-e59537545e40756a893134c25eff533ccce3adb8.tar.gz vyatta-conntrack-e59537545e40756a893134c25eff533ccce3adb8.zip |
Move templates to templates-cfg to let op mode templates also exist.
Diffstat (limited to 'templates-cfg/system')
39 files changed, 495 insertions, 0 deletions
diff --git a/templates-cfg/system/conntrack/expect-table-size/node.def b/templates-cfg/system/conntrack/expect-table-size/node.def
new file mode 100644
index 0000000..f9f1ae5
--- /dev/null
+++ b/templates-cfg/system/conntrack/expect-table-size/node.def
@@ -0,0 +1,32 @@
+#
+# Config template for: system conntrack expect-table-size
+#
+# This is the table of expectations. Connection tracking expectations are
+# the mechanism used to "expect" RELATED connections to existing ones.
+# Expectations are generally used by "connection tracking helpers" (sometimes
+# called application level gateways [ALGs]) for more complex protocols such as
+# FTP, SIP, H.323.
+#
+# default value when no conntrack options set - 2048
+# default value when no conntrack options set - 4096
+#
+
+type: u32
+
+help: Size of connection tracking expect table
+
+default: 4096
+
+val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
+
+update:
+ sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=$VAR(@)
+
+
+
+
+
+
+
diff --git a/templates-cfg/system/conntrack/hash-size/node.def b/templates-cfg/system/conntrack/hash-size/node.def
new file mode 100644
index 0000000..242d0fe
--- /dev/null
+++ b/templates-cfg/system/conntrack/hash-size/node.def
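Review bot: This leaf has an `update:` that writes `nf_conntrack_expect_max` but no `delete:`, and the same is true of `hash-size` and `table-size` further down, whereas every `timeout` and `tcp` leaf in this commit pairs `update:` with a `delete:` that restores its default. Unless the config system re-runs `update:` with the `default:` value when a leaf is deleted, unsetting only this leaf leaves the kernel at the last configured value until the whole `system conntrack` subtree is removed and the parent's reset runs; a `delete:` that resets the sysctl (the parent's `delete:` uses `nf_conntrack_expect_max=2048`) would match the sibling leaves. The header comment also repeats the same phrase for both values; the second line presumably meant `# default value when conntrack options are set - 4096`.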
@@ -0,0 +1,18 @@
+help: Hash size for connection tracking table
+type: u32
+
+default: 4096
+
+val_help: u32:1-50000000; Size of hash to use for connection tracking table
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
+
+update:
+ if ! grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf
+ then
+ sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ sudo sh -c "echo options nf_conntrack hashsize=$VAR(@) >> \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ echo "Updated conntrack hash size. This change will take affect when the system is rebooted."
+ fi
diff --git a/templates-cfg/system/conntrack/modules/ftp/disable/node.def b/templates-cfg/system/conntrack/modules/ftp/disable/node.def
new file mode 100644
index 0000000..40a64d5
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/ftp/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable FTP connection tracking
+
+create: sudo rmmod nf_nat_ftp
+ sudo rmmod nf_conntrack_ftp
+
+delete: sudo modprobe nf_conntrack_ftp
+ sudo modprobe nf_nat_ftp
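Review bot: `grep -q "…" /etc/modprobe.d/vyatta_nf_conntrack.conf` prints an error and exits with status 2 when the file does not exist yet, so the first configuration of `hash-size` on a fresh system logs a grep failure before the `!` turns it into a write; `if ! grep -qs "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf` keeps the logic and silences that case (`-s` suppresses messages about nonexistent or unreadable files). The same pattern appears in the `delete:` of `conntrack/node.def` below. The user-facing message also says `take affect` where the parent node's equivalent message says `take effect`.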
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/ftp/node.def b/templates-cfg/system/conntrack/modules/ftp/node.def
new file mode 100644
index 0000000..74a94b4
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/ftp/node.def
@@ -0,0 +1 @@
+help: FTP connection tracking settings
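Review bot: `create: sudo rmmod nf_nat_ftp` returns a non-zero status when the module is not currently loaded, and the same holds for the `h323`, `sip` and `tftp` `disable` nodes further down; if the commit framework treats a failing `create:` as an error, disabling a helper that was never loaded would fail the commit. The SIP `end:` script in this same commit unloads with `modprobe -r`, which does not report an error for a module that is not loaded, so `create: sudo modprobe -r nf_nat_ftp nf_conntrack_ftp` would tolerate that case and be consistent with it. A one-line comment noting that the NAT helper must be removed before the conntrack helper it depends on would also help, since the order of the two `rmmod` lines matters.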
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/gre/disable/node.def b/templates-cfg/system/conntrack/modules/gre/disable/node.def
new file mode 100644
index 0000000..f6f9546
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/gre/disable/node.def
@@ -0,0 +1,21 @@
+help: Disable GRE connection tracking
+
+# GRE shouldn't be disabled when PPTP is enabled because PPTP depends on it
+create: cli-shell-api exists system conntrack modules pptp disable
+ if [ $? == 0 ]; then
+ # Unload PPTP modules if they are loaded
+ lsmod | grep -e "^nf_nat_pptp" 2>&1 >/dev/null
+ if [ $? == 0 ]; then
+ sudo rmmod nf_nat_pptp
+ sudo rmmod nf_conntrack_pptp
+ fi
+ # And GRE modules then
+ sudo rmmod nf_nat_proto_gre
+ sudo rmmod nf_conntrack_proto_gre
+ else
+ echo "Error: can not disable GRE connection tracking when PPTP connection tracking is enabled!"
+ exit 1
+ fi
+
+delete: sudo modprobe nf_conntrack_proto_gre
+ sudo modprobe nf_nat_proto_gre
diff --git a/templates-cfg/system/conntrack/modules/gre/node.def b/templates-cfg/system/conntrack/modules/gre/node.def
new file mode 100644
index 0000000..d192f7d
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/gre/node.def
@@ -0,0 +1 @@
+help: GRE connection tracking settings
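Review bot: `lsmod | grep -e "^nf_nat_pptp" 2>&1 >/dev/null` applies its redirections in the wrong order for the apparent intent: stderr is pointed at the original stdout before stdout is sent to `/dev/null`, so any grep error output still reaches the terminal while only the match is discarded. `lsmod | grep -q "^nf_nat_pptp"` discards the match output without any redirection. `[ $? == 0 ]` is a bash extension rather than POSIX `[`; `if lsmod | grep -q "^nf_nat_pptp"; then` (or `[ $? -eq 0 ]`) is portable, and the same `==` test appears twice in the `pptp/disable` template below.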
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/h323/disable/node.def b/templates-cfg/system/conntrack/modules/h323/disable/node.def
new file mode 100644
index 0000000..1fb0117
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/h323/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable H.323 connection tracking
+
+create: sudo rmmod nf_nat_h323
+ sudo rmmod nf_conntrack_h323
+
+delete: sudo modprobe nf_conntrack_h323
+ sudo modprobe nf_nat_h323
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/h323/node.def b/templates-cfg/system/conntrack/modules/h323/node.def
new file mode 100644
index 0000000..ae4b787
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/h323/node.def
@@ -0,0 +1 @@
+help: H.323 connection tracking settings
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/node.def b/templates-cfg/system/conntrack/modules/node.def
new file mode 100644
index 0000000..9666287
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/node.def
@@ -0,0 +1 @@
+help: Connection tracking modules settings
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/pptp/disable/node.def b/templates-cfg/system/conntrack/modules/pptp/disable/node.def
new file mode 100644
index 0000000..4ffd980
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/pptp/disable/node.def
@@ -0,0 +1,20 @@
+help: Disable PPTP connection tracking
+
+create: cli-shell-api exists system conntrack modules gre disable
+ if [ $? == 0 ]; then
+ # Do nothing, this case is handled in GRE module templates
+ :;
+ else
+ sudo rmmod nf_nat_pptp
+ sudo rmmod nf_conntrack_pptp
+ fi
+
+# PPTP shouldn't be enabled when GRE is disabled because PPTP depends on it
+delete: cli-shell-api exists system conntrack modules gre disable
+ if [ $? == 0 ]; then
+ echo "Error: can not enable PPTP connection tracking when GRE connection tracking is disabled!"
+ exit 1
+ else
+ sudo modprobe nf_conntrack_pptp
+ sudo modprobe nf_nat_pptp
+ fi
diff --git a/templates-cfg/system/conntrack/modules/pptp/node.def b/templates-cfg/system/conntrack/modules/pptp/node.def
new file mode 100644
index 0000000..a6ae0c4
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/pptp/node.def
@@ -0,0 +1 @@
+help: PPTP connection tracking settings
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/sip/disable/node.def b/templates-cfg/system/conntrack/modules/sip/disable/node.def
new file mode 100644
index 0000000..d0eaf81
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable SIP connection tracking
+
+create: sudo rmmod nf_nat_sip
+ sudo rmmod nf_conntrack_sip
+
+delete: sudo modprobe nf_conntrack_sip
+ sudo modprobe nf_nat_sip
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def b/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def
new file mode 100644
index 0000000..c29389e
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def
@@ -0,0 +1 @@
+help: Option to support for indirect media streams
diff --git a/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def b/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def
new file mode 100644
index 0000000..82782ff
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def
@@ -0,0 +1 @@
+help: Option to support for indirect signalling streams
diff --git a/templates-cfg/system/conntrack/modules/sip/node.def b/templates-cfg/system/conntrack/modules/sip/node.def
new file mode 100644
index 0000000..b5a3225
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/node.def
@@ -0,0 +1,61 @@
+help: SIP connection tracking settings
+
+end: /bin/cli-shell-api existsEffective system conntrack modules sip disable && exit 0
+ reload=0
+ sdm=2
+ if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_media ]; then
+ sdm=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_media)
+ fi
+ if [ -n "$VAR(./enable-indirect-media)" ]; then
+ indirectmedia='sip_direct_media=0'
+ if [ $sdm -ge 1 ]; then reload=1; fi
+ else
+ if [ $sdm -eq 0 ]; then reload=1; fi
+ fi
+
+ sds=2
+ if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling ]; then
+ sds=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling)
+ fi
+ if [ -n "$VAR(./enable-indirect-signalling)" ]; then
+ indirectsignalling='sip_direct_signalling=0'
+ if [ $sds -ge 1 ]; then reload=1; fi
+ else
+ if [ $sds -eq 0 ]; then reload=1; fi
+ fi
+
+ if [ -n "$VAR(./port/@@)" ]; then
+ numports=0
+ for port in $VAR(./port/@@); do
+ if [ -z "$portval" ]; then
+ portval=$port
+ else
+ portval="${portval},$port"
+ fi
+ (( numports++ ))
+ done
+ portopt="ports=$portval"
+ if [ $numports -gt 8 ]; then
+ echo "Error: Can not specify more than 8 ports."
+ exit 1
+ fi
+ reload=1
+ fi
+
+ if [ -f /etc/modprobe.d/options ]; then
+ sudo sed -i '/nf_conntrack_sip/d' /etc/modprobe.d/options
+ fi
+
+ if [ -n "$indirectmedia" ] || [ -n "$indirectsignalling" ] || \
+ [ -n "$portopt" ]; then
+ sudo sh -c "echo \# Auto-generated by `whoami` at `date` > /etc/modprobe.d/vyatta_sip_options.conf"
+ sudo sh -c "echo options nf_conntrack_sip $indirectmedia $indirectsignalling $portopt >> /etc/modprobe.d/vyatta_sip_options.conf "
+ else
+ sudo rm -f /etc/modprobe.d/vyatta_sip_options.conf
+ fi
+
+ if [ $reload -eq 1 ]; then
+ sudo modprobe -r nf_nat_sip nf_conntrack_sip
+ sudo modprobe nf_conntrack_sip
+ sudo modprobe nf_nat_sip
+ fi
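Review bot: `sudo sed -i '/nf_conntrack_sip/d' /etc/modprobe.d/options` rewrites a file this package does not otherwise own and removes every line that mentions the module, not only the `options nf_conntrack_sip` entry this script generates, and nothing in the script says why. A comment such as `# presumably clears entries an earlier release wrote into /etc/modprobe.d/options before vyatta_sip_options.conf existed — confirm` would record the intent, and `sudo sed -i '/^options nf_conntrack_sip/d' /etc/modprobe.d/options` would limit the deletion to the option line. The reload branch at `if [ $reload -eq 1 ]` unloads `nf_nat_sip` and `nf_conntrack_sip` on every option change and is likely to discard in-flight SIP expectations; a one-line comment there would save operators a surprise.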
diff --git a/templates-cfg/system/conntrack/modules/sip/port/node.def b/templates-cfg/system/conntrack/modules/sip/port/node.def
new file mode 100644
index 0000000..b72f1ca
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/port/node.def
@@ -0,0 +1,8 @@
+multi:
+type: u32
+
+help: Port number that SIP traffic is carried on
+
+val_help: u32:1-65535; SIP port number
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <=65535) ; "Port number must be in range 1 to 65535"
diff --git a/templates-cfg/system/conntrack/modules/tftp/disable/node.def b/templates-cfg/system/conntrack/modules/tftp/disable/node.def
new file mode 100644
index 0000000..ebdecf4
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/tftp/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable TFTP connection tracking
+
+create: sudo rmmod nf_nat_tftp
+ sudo rmmod nf_conntrack_tftp
+
+delete: sudo modprobe nf_conntrack_tftp
+ sudo modprobe nf_nat_tftp
diff --git a/templates-cfg/system/conntrack/modules/tftp/node.def b/templates-cfg/system/conntrack/modules/tftp/node.def
new file mode 100644
index 0000000..901f52e
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/tftp/node.def
@@ -0,0 +1 @@
+help: TFTP connection tracking settings
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/node.def b/templates-cfg/system/conntrack/node.def
new file mode 100644
index 0000000..53488ae
--- /dev/null
+++ b/templates-cfg/system/conntrack/node.def
@@ -0,0 +1,24 @@
+help: Connection tracking engine options
+
+priority: 218 # before NAT and conntrack-sync are configured
+
+delete: # set conntrack table size to standard 16384 entries if conntrack settings are removed
+ sudo sysctl -q -w net/nf_conntrack_max=16384
+
+ # set conntrack expect table size to standard 2048 entries if conntrack settings are removed
+ sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048
+
+ # set conntrack hash size to standard 4096
+ if ! grep -q "nf_conntrack hashsize=4096$" /etc/modprobe.d/vyatta_nf_conntrack.conf
+ then
+ sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ sudo sh -c "echo options nf_conntrack hashsize=4096 >> \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ echo "Conntrack hash size set to default 4096. This change will take effect when the system is rebooted."
+ fi
+
+ # need to restart conntrackd with updated conntrack table size
+ if cli-shell-api existsActive service conntrack-sync; then
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ fi
diff --git a/templates-cfg/system/conntrack/table-size/node.def b/templates-cfg/system/conntrack/table-size/node.def
new file mode 100644
index 0000000..f91b101
--- /dev/null
+++ b/templates-cfg/system/conntrack/table-size/node.def
@@ -0,0 +1,39 @@
+#
+# Config template for: system conntrack table-size
+#
+# Sets the size of the TCP connection tracking table in the netfilter
+# nf_conntrack module, which is used by firewall and NAT. The size of
+# this table determines how many TCP connections can be simultaneously
+# tracked. If new connections arrive and the table is full, older
+# connections will be dropped out of the table. System administrators
+# must set the connection tracking table size based on the number of
+# connections they expect their system to track. The connection
+# tracking table consumes kernel memory, so the size selected should
+# be no larger than necessary.
+#
+# default value when contrack is not set - 16384
+# default value when conntrack is set - 32768
+#
+
+type: u32
+
+help: Size of connection tracking table
+
+default: 32768
+
+val_help: u32:1-50000000; Number of entries allowed in connection tracking table
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
+
+update:
+ sudo sysctl -q -w net/nf_conntrack_max=$VAR(@)
+ # need to restart conntrackd with updated conntrack table size
+ if cli-shell-api existsActive service conntrack-sync; then
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ fi
+
+
+
+
+
+
diff --git a/templates-cfg/system/conntrack/tcp/half-open-connections/node.def b/templates-cfg/system/conntrack/tcp/half-open-connections/node.def
new file mode 100644
index 0000000..9474463
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/half-open-connections/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: Maximum number of TCP half-open connections
+
+default: 512
+
+val_help: u32:1-2147483647; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647"
+
+update: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=$VAR(@)
+
+delete: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=512
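Review bot: `val_help: u32:1-2147483647; Generic connection timeout in seconds` in `half-open-connections/node.def` was copied from a timeout template and describes the wrong thing for a connection count; `val_help: u32:1-2147483647; Maximum number of TCP half-open connections` would match the `help:` line. The `max-retrans` template in the next hunk carries the same copied text and should read `val_help: u32:1-2147483647; Maximum number of TCP retransmit attempts`. Unlike the rest of this tree, the leaf writes `net/ipv4/tcp_max_syn_backlog`, which is a TCP listen-queue setting of the IP stack rather than a netfilter conntrack parameter; a short comment above `update:` saying so would stop a reader from looking for it under `net/netfilter`.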
diff --git a/templates-cfg/system/conntrack/tcp/loose/node.def b/templates-cfg/system/conntrack/tcp/loose/node.def
new file mode 100644
index 0000000..06706a2
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/loose/node.def
@@ -0,0 +1,50 @@
+#
+# This parameter directs the netfilter TCP connection tracking modules
+# (nf_conntrack, and others) to either allow or disallow the tracking
+# of TCP connections which are "previously established". This
+# includes all cases where the three-way connection opening handshake
+# was not seen by this machine. That includes the case the connection
+# was opened before this machine booted. It also includes cases where
+# the packets comprising the three-way handshake were routed via some
+# other router.
+#
+# If this parameter is set to "enable", tracking such connections is
+# allowed. If disabled, such tracking is disabled.
+# default value - 1
+
+type: txt
+
+help: Policy to track previously established connections
+
+val_help: enable; Allow tracking of previously established connections
+val_help: disable; Do not allow tracking of previously established connections
+
+default: "enable"
+
+syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable"
+
+update:
+ if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
+ sudo modprobe nf_conntrack_ipv4
+ fi
+ if [ "$VAR(@)" = "enable" ]; then
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1
+ elif [ "$VAR(@)" = "disable" ]; then
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=0
+ else
+ echo "Invalid parameter: $VAR(@)"
+ exit 1
+ fi
+
+delete:
+ if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
+ sudo modprobe nf_conntrack_ipv4
+ fi
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1
+
+
+
+
+
+
+
diff --git a/templates-cfg/system/conntrack/tcp/max-retrans/node.def b/templates-cfg/system/conntrack/tcp/max-retrans/node.def
new file mode 100644
index 0000000..bf56f1f
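Review bot: The `update:` and `delete:` scripts write the legacy compatibility path `net/ipv4/netfilter/ip_conntrack_tcp_loose` while every other leaf in this commit uses `net/netfilter/nf_conntrack_*`; the same setting is exposed as `net/netfilter/nf_conntrack_tcp_loose`, which does not rely on the compat sysctls being built into the kernel. Switching the path would also let the `-e /proc/sys/...` guard before `modprobe nf_conntrack_ipv4` test the same file the script then writes. The header comment ends with `# default value - 1` while the template declares `default: "enable"`; `# default value - 1 (enable)` would tie the two together for the next reader.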
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/max-retrans/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP maximum retransmit attempts
+
+default: 3
+
+val_help: u32:1-2147483647; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=3
diff --git a/templates-cfg/system/conntrack/tcp/node.def b/templates-cfg/system/conntrack/tcp/node.def
new file mode 100644
index 0000000..67543ca
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/node.def
@@ -0,0 +1 @@
+help: TCP options
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/icmp/node.def b/templates-cfg/system/conntrack/timeout/icmp/node.def
new file mode 100644
index 0000000..952178e
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/icmp/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: ICMP timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; ICMP timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=30
diff --git a/templates-cfg/system/conntrack/timeout/node.def b/templates-cfg/system/conntrack/timeout/node.def
new file mode 100644
index 0000000..f0193c6
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/node.def
@@ -0,0 +1 @@
+help: Connection timeout options
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/other/node.def b/templates-cfg/system/conntrack/timeout/other/node.def
new file mode 100644
index 0000000..a794bb7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/other/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: Generic connection timeout in seconds
+
+default: 600
+
+val_help: u32:1-21474836; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=600
diff --git a/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
new file mode 100644
index 0000000..0491b68
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE-WAIT timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60
diff --git a/templates-cfg/system/conntrack/timeout/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/tcp/close/node.def
new file mode 100644
index 0000000..38317d5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/close/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE timeout in seconds
+
+default: 10
+
+val_help: u32:1-21474836; TCP CLOSE timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10
diff --git a/templates-cfg/system/conntrack/timeout/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/tcp/established/node.def
new file mode 100644
index 0000000..9e47f1e
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/established/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP ESTABLISHED timeout in seconds
+
+default: 432000
+
+val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000
diff --git a/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
new file mode 100644
index 0000000..985a6a4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP FIN-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
new file mode 100644
index 0000000..3e07fe4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP LAST-ACK timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30
diff --git a/templates-cfg/system/conntrack/timeout/tcp/node.def b/templates-cfg/system/conntrack/timeout/tcp/node.def
new file mode 100644
index 0000000..2b67c51
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/node.def
@@ -0,0 +1 @@
+help: TCP connection timeout options
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
new file mode 100644
index 0000000..50c5512
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-RECEIVED timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60
diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
new file mode 100644
index 0000000..5856ba7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-SENT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120
diff --git a/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
new file mode 100644
index 0000000..f6bd1c8
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP TIME-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/udp/node.def b/templates-cfg/system/conntrack/timeout/udp/node.def
new file mode 100644
index 0000000..7ee8fd3
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/udp/node.def
@@ -0,0 +1 @@
+help: UDP timeout
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/udp/other/node.def b/templates-cfg/system/conntrack/timeout/udp/other/node.def
new file mode 100644
index 0000000..0018f1c
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/udp/other/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: UDP generic timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; UDP generic timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=30
diff --git a/templates-cfg/system/conntrack/timeout/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/udp/stream/node.def
new file mode 100644
index 0000000..d86e683
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/udp/stream/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: UDP stream timeout in seconds
+
+default: 180
+
+val_help: u32:1-21474836; UDP stream timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=180 |