-rw-r--r--Makefile.am2
-rw-r--r--lib/Vyatta/Conntrack/RuleIgnore.pm119
-rw-r--r--scripts/vyatta-conntrack-ignore.pl137
3 files changed, 258 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 26b6b1f..62642b0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -17,6 +17,7 @@ checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/conntrack-hash-s
share_perl5_DATA = lib/Vyatta/Conntrack/Config.pm
share_perl5_DATA += lib/Vyatta/Conntrack/ConntrackUtil.pm
share_perl5_DATA += lib/Vyatta/Conntrack/RuleCT.pm
+share_perl5_DATA += lib/Vyatta/Conntrack/RuleIgnore.pm
sbin_SCRIPTS = scripts/vyatta-update-conntrack-log.pl
bin_sudo_usersdir = $(bindir)/sudo-users
@@ -24,6 +25,7 @@ bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-timeouts.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-cthelper.pl
+bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-ignore.pl
curver_DATA = cfg-version/conntrack@1
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
new file mode 100644
index 0000000..fd10e09
--- /dev/null
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -0,0 +1,119 @@
+#
+# The timeouts are implemented using nfct-timeout policies that are
+# later applied to the corresponding iptables rules. The rules and
+# policies are distinguished based on the rule number.
+
+package Vyatta::Conntrack::RuleIgnore;
+
+use strict;
+use Vyatta::Config;
+require Vyatta::IpTables::AddressFilter;
+
+my $src = new Vyatta::IpTables::AddressFilter;
+my $dst = new Vyatta::IpTables::AddressFilter;
+my %fields = (
+ _rule_number => undef,
+ _protocol => undef,
+ _comment => undef,
+);
+
+my %dummy_rule = (
+ _rule_number => 10000,
+ _protocol => undef,
+ _comment => undef,
+);
+
+my $DEBUG = 'false';
+
+sub rule {
+ my ( $self ) = @_;
+ my ($rule, $srcrule, $dstrule, $err_str);
+ my $tcp_and_udp = 0;
+ # set CLI rule num as comment
+ my @level_nodes = split (' ', $self->{_comment});
+ print "level nodes is @level_nodes\n";
+ $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" ";
+ ($srcrule, $err_str) = $src->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
+ exit 1;
+ }
+ ($dstrule, $err_str) = $dst->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
+ exit 1;
+ }
+ if (defined($self->{_protocol})) {
+ $rule .= " -p $self->{_protocol}";
+ }
+ $rule .= " $srcrule $dstrule ";
+ print "rule is $rule\n";
+ return $rule;
+}
+
+sub new {
+ my $that = shift;
+ my $class = ref ($that) || $that;
+ my $self = {
+ %fields,
+ };
+
+ bless $self, $class;
+ return $self;
+}
+
+sub setup_base {
+ my ($self, $level, $val_func, $exists_func, $addr_setup) = @_;
+ my $config = new Vyatta::Config;
+
+ $config->setLevel("$level");
+ $self->{_comment} = $level;
+ $self->{_rule_number} = $config->returnParent("..");
+
+ $src->$addr_setup("$level source");
+ $src->{_protocol} = $self->{_protocol};#needed to use address filter
+ if (($src->{_protocol}) and (($src->{_protocol} ne 'tcp') or ($src->{_protocol} ne 'udp')) and (defined($src->{_port})) ) {
+ die "Error: Cannot specify port with protocol $src->{_protocol}\n";
+ }
+ $dst->$addr_setup("$level destination");
+ $dst->{_protocol} = $self->{_protocol};#needed to use address filter
+ if (($dst->{_protocol}) and (($dst->{_protocol} ne 'tcp') or ($dst->{_protocol} ne 'udp')) and (defined($dst->{_port})) ) {
+ die "Error: Cannot specify port with protocol $dst->{_protocol}\n";
+ }
+
+ return 0;
+}
+
+sub setup {
+ my ($self, $level) = @_;
+
+ $self->setup_base($level, 'returnValue', 'exists', 'setup');
+ return 0;
+}
+
+sub setupOrig {
+ my ($self, $level) = @_;
+ $self->setup_base($level, 'returnOrigValue', 'existsOrig', 'setupOrig');
+ return 0;
+}
+
+sub print {
+ my ( $self ) = @_;
+
+ print "rulenum: $self->{_rule_number}\n" if defined $self->{_rule_number};
+ print "protocol: $self->{_protocol}\n" if defined $self->{_protocol};
+ print "inbound interface: $self->{_interface}\n" if defined $self->{_interface};
+ $src->print();
+ $dst->print();
+}
+
+
+
+
+1;
+
+# Local Variables:
+# mode: perl
+# indent-tabs-mode: nil
+# perl-indent-level: 2
+# End:
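Review bot: The protocol/port guard `if (($src->{_protocol}) and (($src->{_protocol} ne 'tcp') or ($src->{_protocol} ne 'udp')) and (defined($src->{_port})) )` in setup_base is a tautology: every value differs from at least one of 'tcp' and 'udp', so any rule that sets a port dies, tcp and udp included, and the `$dst` check a few lines below has the same shape. The intended test is `($src->{_protocol} ne 'tcp') and ($src->{_protocol} ne 'udp')` (likewise for `$dst`). In `rule`, `$self->{_comment}` is the level string, which the script in this same commit passes as `system conntrack ignore rule N`; splitting that yields five words, so `$level_nodes[5]` is undef and the iptables comment becomes `ignore-` — the indices, like the header comment about nfct-timeout policies, appear to be inherited from the timeout module and should be adjusted to `$level_nodes[2]-$level_nodes[4]` or, more robustly, to `$self->{_rule_number}`. The module has `use strict` but no `use warnings`, which is why the undef interpolation would pass silently; adding it and removing the two debugging `print` statements in `rule` (they reach stdout on every commit) would tighten it. `$src` and `$dst` are file-level singletons shared by every RuleIgnore instance, which works for the strictly sequential use in the script but deserves a comment such as `# shared across instances: setup/setupOrig overwrite the previous rule's filters`.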
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
new file mode 100644
index 0000000..ed5b23a
--- /dev/null
+++ b/scripts/vyatta-conntrack-ignore.pl
@@ -0,0 +1,137 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::Conntrack::RuleCT;
+use Vyatta::Conntrack::RuleIgnore;
+use Vyatta::IpTables::AddressFilter;
+use Vyatta::Conntrack::ConntrackUtil;
+use Getopt::Long;
+use Vyatta::Zone;
+use Sys::Syslog qw(:standard :macros);
+
+#for future use when v6 timeouts need to be set
+my %cmd_hash = ( 'ipv4' => 'iptables',
+ 'ipv6' => 'ip6tables');
+# Enable printing debug output to stdout.
+my $debug_flag = 0;
+
+# Enable sending debug output to syslog.
+my $syslog_flag = 0;
+my $nfct = "sudo /usr/sbin/nfct";
+my ($create, $delete, $update);
+my $CTERROR = "Conntrack timeout error:";
+GetOptions("create=s" => \$create,
+ "delete=s" => \$delete,
+ "update=s" => \$update,
+);
+
+update_config();
+
+openlog("vyatta-conntrack", "pid", "local0");
+
+sub remove_ignore_policy {
+ my ($rule_string) = @_;
+# my $iptables_cmd1 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j CT --timeout $tokens[0]";
+ # my $iptables_cmd2 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j RETURN";
+ # run_cmd($iptables_cmd2);
+ # if ($? >> 8) {
+ # print "$CTERROR failed to run $iptables_cmd2\n";
+ #dont exit, try to clean as much.
+ # }
+ # run_cmd($iptables_cmd1);
+ # if ($? >> 8) {
+ # print "$CTERROR failed to run $iptables_cmd1\n";
+ # }
+}
+
+sub apply_ignore_policy {
+ # my ($rule_string, $timeout_policy, $rule, $num_rules) = @_;
+ # insert at num_rules + 1 as there are so many rules already.
+ # my $iptables_cmd1 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j CT --timeout $tokens[0]";
+ # $num_rules +=1;
+ # my $iptables_cmd2 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j RETURN";
+ # run_cmd($nfct_timeout_cmd);
+ # if ($? >> 8) {
+ # print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ # exit 1;
+ # }
+ # run_cmd($iptables_cmd1);
+ # if ($? >> 8) {
+ # #cleanup the policy before exit.
+ # run_cmd("nfct timeout delete policy_timeout_$rule");
+ # print "$CTERROR failed to run $iptables_cmd1\n";
+ # exit 1;
+ # }
+}
+
+sub handle_rule_creation {
+ my ($rule, $num_rules) = @_;
+ my $node = new Vyatta::Conntrack::RuleIgnore;
+ my ($rule_string, $timeout_policy);
+
+ print "handle_rule_creation\n";
+ do_interface_check($rule);
+ $node->setup("system conntrack ignore rule $rule");
+ $rule_string = $node->rule();
+ #apply_ignore_policy($rule_string, $rule, $num_rules);
+}
+
+# mandate only one interface configuration per rule
+sub do_interface_check {
+ my ($rule) = @_;
+ my $config = new Vyatta::Config;
+ my $intf_nos = $config->listNodes("system conntrack ignore rule $rule inbound-interface");
+ if (($intf_nos > 1)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: configure at most one inbound interface in rule $rule");
+ exit 1;
+ }
+}
+
+sub handle_rule_modification {
+ my ($rule, $num_rules) = @_;
+ print "handle_rule_modification\n";
+ do_interface_check($rule);
+ handle_rule_deletion($rule);
+ handle_rule_creation($rule, $num_rules);
+}
+
+sub handle_rule_deletion {
+ my ($rule) = @_;
+ my $node = new Vyatta::Conntrack::RuleIgnore;
+ my ($rule_string);
+ print "handle_rule_deletion\n";
+ $node->setupOrig("system conntrack ignore rule $rule");
+ $rule_string = $node->rule();
+ remove_ignore_policy($rule_string);
+}
+
+sub numerically { $a <=> $b; }
+
+sub update_config {
+ my $config = new Vyatta::Config;
+ my %rules = (); #hash of ignore config rules
+ my $iptables_cmd = $cmd_hash{'ipv4'};
+
+ $config->setLevel("system conntrack ignore rule");
+ %rules = $config->listNodeStatus();
+
+ my $iptablesrule = 1;
+ foreach my $rule (sort numerically keys %rules) {
+ if ("$rules{$rule}" eq 'static') {
+ $iptablesrule+=2;
+ } elsif ("$rules{$rule}" eq 'added') {
+ handle_rule_creation($rule, $iptablesrule);
+ $iptablesrule+=2;
+ } elsif ("$rules{$rule}" eq 'changed') {
+ handle_rule_modification($rule, $iptablesrule);
+ $iptablesrule+=2;
+ } elsif ("$rules{$rule}" eq 'deleted') {
+ handle_rule_deletion($rule);
+ }
+ }
+}
+
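Review bot: `do_interface_check` assigns the result of `listNodes` to a scalar, so `$intf_nos > 1` only counts interfaces if `Vyatta::Config::listNodes` returns a real array in scalar context; if it returns a list expression, `$intf_nos` holds the last node name and the comparison is a string-to-number coercion that always fails the check. Safer is `my @intfs = $config->listNodes("system conntrack ignore rule $rule inbound-interface"); if (@intfs > 1) {`. `update_config()` runs before `openlog`, and `apply_ignore_policy` and `remove_ignore_policy` are entirely commented out, so the script currently computes rule strings without touching iptables; a header comment like `# TODO: apply/remove bodies are stubs, no iptables rules are installed yet` would spare the next reader a search for the missing side effect. `$CTERROR` still reads "Conntrack timeout error:" and `$nfct`, `$update`, `$debug_flag` and `$syslog_flag` are unused, all apparently carried over from the timeouts script. When the commented-out iptables commands are reinstated, `$rule_string` is interpolated into one command string; if `run_cmd` hands that to a shell, passing the command as a list of arguments would keep the rule text out of shell parsing.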