summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/Vyatta/Conntrack/RuleCT.pm2
-rw-r--r--scripts/vyatta-conntrack-timeouts.pl38
2 files changed, 27 insertions, 13 deletions
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index 319edb4..b472e51 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -121,7 +121,7 @@ sub setup_base {
$self->{_protocol} = "tcp";
$self->{_tcp}->{_close} = $config->$val_func("protocol tcp close");
$self->{_tcp}->{_close_wait} = $config->$val_func("protocol tcp close-wait");
- $self->{_tcp}->{_time_wait} = $config->$val_func("protocol tcp time_wait");
+ $self->{_tcp}->{_time_wait} = $config->$val_func("protocol tcp time-wait");
$self->{_tcp}->{_syn_recv} = $config->$val_func("protocol tcp syn-recv");
$self->{_tcp}->{_syn_sent} = $config->$val_func("protocol tcp syn-sent");
$self->{_tcp}->{_last_ack} = $config->$val_func("protocol tcp last-ack");
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index 525a438..bf36410 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -67,8 +67,8 @@ sub remove_timeout_policy {
my ($rule_string, $timeout_policy) = @_;
my @tokens = split (' ', $timeout_policy);
# First remove the iptables rules before removing policy.
- my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
- my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
+ my $iptables_cmd1 = "iptables -D CT_TIMEOUT -t raw $rule_string -j CT --timeout $tokens[0]";
+ my $iptables_cmd2 = "iptables -D CT_TIMEOUT -t raw $rule_string -j RETURN";
my $nfct_timeout_cmd = "$nfct timeout delete $timeout_policy";
run_cmd($iptables_cmd2);
if ($? >> 8) {
@@ -87,12 +87,19 @@ sub remove_timeout_policy {
# nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10
# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -j CT --timeout policy1
+#
+# we have a chain setup, i.e. CT_TIMEOUT chain. Insert rule with timeout policy
+# in the chain followed by another rule with matching 5 tuple to allow return
+# from the point CT target matched. CT is non terminating and we want to keep
+# behavior consistent with firewall, NAT etc.
sub apply_timeout_policy {
- my ($rule_string, $timeout_policy, $rule) = @_;
+ my ($rule_string, $timeout_policy, $rule, $num_rules) = @_;
my $nfct_timeout_cmd = "$nfct timeout add $timeout_policy";
my @tokens = split (' ', $timeout_policy);
- my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
- my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
+ # insert at num_rules + 1 as there are so many rules already.
+ my $iptables_cmd1 = "iptables -I CT_TIMEOUT $num_rules -t raw $rule_string -j CT --timeout $tokens[0]";
+ $num_rules +=1;
+ my $iptables_cmd2 = "iptables -I CT_TIMEOUT $num_rules -t raw $rule_string -j RETURN";
run_cmd($nfct_timeout_cmd);
if ($? >> 8) {
print "$CTERROR failed to run $nfct_timeout_cmd\n";
@@ -115,14 +122,14 @@ sub apply_timeout_policy {
}
sub handle_rule_creation {
- my ($rule) = @_;
+ my ($rule, $num_rules) = @_;
my $node = new Vyatta::Conntrack::RuleCT;
my ($rule_string, $timeout_policy);
do_protocol_check($rule);
$node->setup("system conntrack timeout custom rule $rule");
$rule_string = $node->rule();
$timeout_policy = $node->get_policy_command("add"); #nfct-timeout command string
- apply_timeout_policy($rule_string, $timeout_policy, $rule);
+ apply_timeout_policy($rule_string, $timeout_policy, $rule, $num_rules);
}
# we mandate only one protocol configuration per rule
@@ -137,10 +144,10 @@ sub do_protocol_check {
}
sub handle_rule_modification {
- my ($rule) = @_;
+ my ($rule, $num_rules) = @_;
do_protocol_check($rule);
handle_rule_deletion($rule);
- handle_rule_creation($rule);
+ handle_rule_creation($rule, $num_rules);
}
sub handle_rule_deletion {
@@ -153,6 +160,8 @@ sub handle_rule_deletion {
remove_timeout_policy($rule_string, $timeout_policy);
}
+sub numerically { $a <=> $b; }
+
sub update_config {
my $config = new Vyatta::Config;
my %rules = (); #hash of timeout config rules
@@ -160,12 +169,17 @@ sub update_config {
$config->setLevel("system conntrack timeout custom rule");
%rules = $config->listNodeStatus();
- foreach my $rule (sort keys %rules) {
+
+ my $iptablesrule = 1;
+ foreach my $rule (sort numerically keys %rules) {
if ("$rules{$rule}" eq 'static') {
+ $iptablesrule+=2;
} elsif ("$rules{$rule}" eq 'added') {
- handle_rule_creation($rule);
+ handle_rule_creation($rule, $iptablesrule);
+ $iptablesrule+=2;
} elsif ("$rules{$rule}" eq 'changed') {
- handle_rule_modification($rule);
+ handle_rule_modification($rule, $iptablesrule);
+ $iptablesrule+=2;
} elsif ("$rules{$rule}" eq 'deleted') {
handle_rule_deletion($rule);
}