From 4c2e2d79f28734c97a0e374ca217e24ff954fe96 Mon Sep 17 00:00:00 2001 From: Gaurav Date: Thu, 16 Feb 2012 15:03:55 -0800 Subject: Adding rule and address setup/parsing libraries (cherry picked from commit 2f59f3ef67d70981ff0501868d5ea206eb9359ae) --- lib/Vyatta/Conntrack/AddressFilterCT.pm | 204 +++++++++++++++ lib/Vyatta/Conntrack/RuleCT.pm | 431 ++++++++++++++++++++++++++++++++ 2 files changed, 635 insertions(+) create mode 100644 lib/Vyatta/Conntrack/AddressFilterCT.pm create mode 100644 lib/Vyatta/Conntrack/RuleCT.pm (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/AddressFilterCT.pm b/lib/Vyatta/Conntrack/AddressFilterCT.pm new file mode 100644 index 0000000..c7dac8d --- /dev/null +++ b/lib/Vyatta/Conntrack/AddressFilterCT.pm 
@@ -0,0 +1,204 @@ +# Author: Vyatta +# Date: 2007 +# Description: IP tables address filter +# +# Gaurav Sinha: Re-using AddressFilter.pm from vyatta-cfg-firewall package. +# + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2006-2009 Vyatta, Inc. +# All Rights Reserved. +# **** End License **** + +package Vyatta::Conntrack::AddressFilterCT; + +require Vyatta::Config; +require Vyatta::IpTables::IpSet; +use Vyatta::Misc qw(getPortRuleString); +use Vyatta::TypeChecker; + +use strict; +use warnings; + +my %_protocolswithports = ( + tcp_udp => 1, + # 'tcp_udp' is to be allowed for nat and firewall rules only. + # features should have syntax checks for allowing or forbiding + # the use of 'tcp_udp' as protocol. 
to allow tcp_udp see syntax check + # in protocol/node.def for NAT rules and to forbid tcp_udp see syntax + # check in protocol/node.def for load-balancing rules + # when allowed : tcp_udp creates 2 iptable rules - one for tcp, other for udp + tcp => 1, + udp => 1, + 6 => 1, + 17 => 1, +); + +my %fields = ( + _srcdst => undef, + _range_start => undef, + _range_stop => undef, + _network => undef, + _address => undef, + _port => undef, + _protocol => undef, + _port_group => undef, +); + +sub new { + my $that = shift; + my $class = ref ($that) || $that; + my $self = { + %fields, + }; + + bless $self, $class; + return $self; +} + +sub setup_base { + my ($self, $level, $func) = @_; + my $config = new Vyatta::Config; + + $config->setLevel("$level"); + + # setup needed parent nodes + $self->{_srcdst} = $config->returnParent(".."); +# $self->{_protocol} = $config->$func(".. protocol"); + + # setup address filter nodes + $self->{_address} = $config->$func("address"); + $self->{_network} = undef; + $self->{_range_start} = undef; + $self->{_range_stop} = undef; + if (defined($self->{_address})) { + if ($self->{_address} =~ /\//) { + $self->{_network} = $self->{_address}; + $self->{_address} = undef; + } elsif ($self->{_address} =~ /^([^-]+)-([^-]+)$/) { + $self->{_range_start} = $1; + $self->{_range_stop} = $2; + $self->{_address} = undef; + } + } + $self->{_port} = $config->$func("port"); + + return 0; +} + +sub setup { + my ($self, $level) = @_; + + $self->setup_base($level, 'returnValue'); + return 0; +} + +sub setupOrig { + my ($self, $level) = @_; + + $self->setup_base($level, 'returnOrigValue'); + return 0; +} + +sub print { + my ($self) = @_; + + print "srcdst: $self->{_srcdst}\n" if defined $self->{_srcdst}; + print "range start: $self->{_range_start}\n" if defined $self->{_range_start}; + print "range stop: $self->{_range_stop}\n" if defined $self->{_range_stop}; + print "network: $self->{_network}\n" if defined $self->{_network}; + print "address: 
$self->{_address}\n" if defined $self->{_address}; + print "port: $self->{_port}\n" if defined $self->{_port}; + print "protocol: $self->{_protocol}\n" if defined $self->{_protocol}; + + return 0; +} + +sub rule { + my ($self) = @_; + my $rule = ""; + my $can_use_port = 1; + + my $addr_checker; + my $prefix_checker; + my $pure_addr_checker; + my $ip_term; + my $prefix_term; + + $addr_checker = 'ipv4_negate'; + $prefix_checker = 'ipv4net_negate'; + $pure_addr_checker = 'ipv4'; + $ip_term = "IPv4"; + $prefix_term = "subnet"; + + if (!defined($self->{_protocol}) + || !defined($_protocolswithports{$self->{_protocol}})) { + $can_use_port = 0; + } + + # set the address filter parameters + if (defined($self->{_network})) { + my $str = $self->{_network}; + return (undef, "\"$str\" is not a valid $ip_term $prefix_term") + if (!Vyatta::TypeChecker::validateType($prefix_checker, $str, 1)); + my $negate = ''; + if ($str =~ /^\!(.*)$/) { + $str = $1; + $negate = '! '; + } + $rule .= "$negate --$self->{_srcdst} $str "; + } elsif (defined($self->{_address})) { + my $str = $self->{_address}; + return (undef, "\"$str\" is not a valid $ip_term address") + if (!Vyatta::TypeChecker::validateType($addr_checker, $str, 1)); + my $negate = ''; + if ($str =~ /^\!(.*)$/) { + $str = $1; + $negate = '! '; + } + $rule .= "$negate --$self->{_srcdst} $str "; + } elsif ((defined $self->{_range_start}) && (defined $self->{_range_stop})) { + my $start = $self->{_range_start}; + my $stop = $self->{_range_stop}; + return (undef, "\"$start-$stop\" is not a valid IP range") + if (!Vyatta::TypeChecker::validateType($addr_checker, $start, 1) + || !Vyatta::TypeChecker::validateType($pure_addr_checker, $stop, 1)); + my $negate = ''; + if ($self->{_range_start} =~ /^!(.*)$/) { + $start = $1; + $negate = '! 
'; + } + if ("$self->{_srcdst}" eq "source") { + $rule .= ("-m iprange $negate --src-range $start-$self->{_range_stop} "); + } + elsif ("$self->{_srcdst}" eq "destination") { + $rule .= ("-m iprange $negate --dst-range $start-$self->{_range_stop} "); + } + } + + my ($port_str, $port_err) + = getPortRuleString($self->{_port}, $can_use_port, + ($self->{_srcdst} eq "source") ? "s" : "d", + $self->{_protocol}); + return (undef, $port_err) if (!defined($port_str)); + $rule .= $port_str; + + return ($rule, undef); +} +1; + +# Local Variables: +# mode: perl +# indent-tabs-mode: nil +# perl-indent-level: 2 +# End: diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm new file mode 100644 index 0000000..9329603 --- /dev/null +++ b/lib/Vyatta/Conntrack/RuleCT.pm 
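Review bot: `setup_base` never assigns `_protocol` — the line that would read it, `# $self->{_protocol} = $config->$func(".. protocol");`, is commented out — yet `rule()` derives `$can_use_port` from `$_protocolswithports{$self->{_protocol}}`, so with this module alone `$can_use_port` is always 0 and `getPortRuleString` is never told that ports are permitted; presumably a configured `port` then comes back as an error rather than as a port match, and the caller added in this same commit (RuleCT.pm) does not copy its protocol into the filters either. Either restore the assignment with the node path this package actually uses, or have the caller set `_protocol` on `$src`/`$dst` before calling `rule()`, and say which in a comment on the commented-out line. Separately, `new Vyatta::Config` is indirect-object syntax; `Vyatta::Config->new` is the unambiguous form. The `$negate` detection is done three times on the same `/^\!(.*)$/` pattern; a small private helper returning `($negate, $value)` would keep the three branches in step.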
@@ -0,0 +1,431 @@ +package Vyatta::Conntrack::RuleCT; + +use strict; +use Vyatta::Config; +require Vyatta::Conntrack::AddressFilterCT; + +my $src = new Vyatta::Conntrack::AddressFilterCT; +my $dst = new Vyatta::Conntrack::AddressFilterCT; + +my %fields = ( + _rule_number => undef, + _protocol => undef, + _state => { + _established => undef, + _new => undef, + _related => undef, + _invalid => undef, + }, +); + +my %dummy_rule = ( + _rule_number => 10000, + _protocol => "all", + _state => { + _established => undef, + _new => undef, + _related => undef, + _invalid => undef, + }, +); + +my $DEBUG = 'false'; + +sub new { + my $that = shift; + my $class = ref ($that) || $that; + my $self = { + %fields, + }; + + bless $self, $class; + return $self; +} + +sub setupDummy { + my ($self, $level) = @_; + + %{$self} = %dummy_rule; + $src = new Vyatta::Conntrack::AddressFilterCT; + $dst = new Vyatta::Conntrack::AddressFilterCT; + + # set the default policy + my $config = new Vyatta::Config; + $config->setLevel("$level"); +} + +sub setup_base { + my ($self, $level, $val_func, $exists_func, $addr_setup) = @_; + my $config = new Vyatta::Config; + + $config->setLevel("$level"); + + $self->{_rule_number} = $config->returnParent(".."); + $self->{_protocol} = $config->$val_func("protocol"); + $self->{_state}->{_established} = $config->$val_func("state established"); + $self->{_state}->{_new} = $config->$val_func("state new"); + $self->{_state}->{_related} = $config->$val_func("state related"); + $self->{_state}->{_invalid} = $config->$val_func("state invalid"); + + $src->$addr_setup("$level source"); + $dst->$addr_setup("$level destination"); + + return 0; +} + +sub setup { + my ($self, $level) = @_; + + $self->setup_base($level, 'returnValue', 'exists', 'setup'); + return 0; +} + +sub setupOrig { + my ($self, $level) = @_; + $self->setup_base($level, 'returnOrigValue', 'existsOrig', 'setupOrig'); + return 0; +} + +sub print { + my ( $self ) = @_; + + print "rulenum: 
$self->{_rule_number}\n" if defined $self->{_rule_number}; + print "protocol: $self->{_protocol}\n" if defined $self->{_protocol}; + print "state: $self->{_state}\n" if defined $self->{_state}; + $src->print(); + $dst->print(); + +} + +sub rule { + my ( $self ) = @_; + my ($rule, $srcrule, $dstrule, $err_str); + my $tcp_and_udp = 0; + + # set CLI rule num as comment + my @level_nodes = split (' ', $self->{_comment}); + $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[4]\" "; + + # set the protocol + if (defined($self->{_protocol})) { + my $str = $self->{_protocol}; + my $negate = ''; + if ($str =~ /^\!(.*)$/) { + $str = $1; + $negate = '! '; + } + if ($str eq 'tcp_udp') { + $tcp_and_udp = 1; + $rule .= " $negate -p tcp "; # we'll add the '-p udp' to 2nd rule later + } else { + $rule .= " $negate -p $str "; + } + } + + my $state_str = uc (get_state_str($self)); + if ($state_str ne "") { + $rule .= "-m state --state $state_str "; + } + + # set tcp flags if applicable + my $tcp_flags = undef; + if (defined $self->{_tcp_flags}) { + if (($self->{_protocol} eq "tcp") || ($self->{_protocol} eq "6")) { + $tcp_flags = get_tcp_flags_string($self->{_tcp_flags}); + } else { + return ("TCP flags can only be set if protocol is set to TCP", ); + } + } + if (defined($tcp_flags)) { + $rule .= " -m tcp --tcp-flags $tcp_flags "; + } + + # set the icmp code and type if applicable + if (($self->{_protocol} eq "icmp") || ($self->{_protocol} eq "1")) { + if (defined $self->{_icmp_name}) { + if (defined($self->{_icmp_type}) || defined($self->{_icmp_code})){ + return ("Cannot use ICMP type/code with ICMP type-name", ); + } + $rule .= "--icmp-type $self->{_icmp_name} "; + } elsif (defined $self->{_icmp_type}) { + $rule .= "--icmp-type $self->{_icmp_type}"; + if (defined $self->{_icmp_code}) { + $rule .= "/$self->{_icmp_code}"; + } + $rule .= " "; + } elsif (defined $self->{_icmp_code}) { + return ("ICMP code can only be defined if ICMP type is defined", ); + } + } elsif 
(defined($self->{_icmp_type}) || defined($self->{_icmp_code}) + || defined($self->{_icmp_name})) { + return ("ICMP type/code or type-name can only be defined if protocol is ICMP", ); + } + + # Setup ICMPv6 rule if configured + # ICMPv6 parameters are only valid if the rule is matching on the + # ICMPv6 protocol ID. + # + if (($self->{_protocol} eq "icmpv6") || + ($self->{_protocol} eq "ipv6-icmp") || + ($self->{_protocol} eq "58")) { + if (defined($self->{_icmpv6_type})) { + $rule .= "-m icmpv6 --icmpv6-type $self->{_icmpv6_type}"; + } + } + + # add the source and destination rules + ($srcrule, $err_str) = $src->rule(); + return ($err_str, ) if (!defined($srcrule)); + ($dstrule, $err_str) = $dst->rule(); + return ($err_str, ) if (!defined($dstrule)); + if ((grep /multiport/, $srcrule) ^ (grep /multiport/, $dstrule)) { + if ((grep /sport/, $srcrule) && (grep /dport/, $dstrule)) { + return ('Cannot specify multiple ports when both ' + . 'source and destination ports are specified', ); + } + } + $rule .= " $srcrule $dstrule "; + + return ('Cannot specify both "match-frag" and "match-non-frag"', ) + if (defined($self->{_frag}) && defined($self->{_non_frag})); + if (defined($self->{_frag})) { + $rule .= ' -f '; + } elsif (defined($self->{_non_frag})) { + $rule .= ' ! -f '; + } + + # note: "out" is not valid in the INPUT chain. 
+ return ('Cannot specify both "match-ipsec" and "match-none"', ) + if (defined($self->{_ipsec}) && defined($self->{_non_ipsec})); + if (defined($self->{_ipsec})) { + $rule .= ' -m policy --pol ipsec --dir in '; + } elsif (defined($self->{_non_ipsec})) { + $rule .= ' -m policy --pol none --dir in '; + } + + my $p2p = undef; + if (defined($self->{_p2p}->{_all})) { + $p2p = '--apple --bit --dc --edk --gnu --kazaa '; + } else { + my @apps = qw(apple bit dc edk gnu kazaa); + foreach (@apps) { + if (defined($self->{_p2p}->{"_$_"})) { + $p2p .= "--$_ "; + } + } + } + if (defined($p2p)) { + $rule .= " -m ipp2p $p2p "; + } + + my $time = undef; + if (defined($self->{_time}->{_utc})) { + $time .= " --utc "; + } + if (defined($self->{_time}->{_startdate})) { + my $check_date = validate_date($self->{_time}->{_startdate}, "startdate"); + if (!($check_date eq "")) { + return ($check_date, ); + } + $time .= " --datestart $self->{_time}->{_startdate} "; + } + if (defined($self->{_time}->{_stopdate})) { + my $check_date = validate_date($self->{_time}->{_stopdate}, "stopdate"); + if (!($check_date eq "")) { + return ($check_date, ); + } + $time .= " --datestop $self->{_time}->{_stopdate} "; + } + if (defined($self->{_time}->{_starttime})) { + return ("Invalid starttime $self->{_time}->{_starttime}. +Time should use 24 hour notation hh:mm:ss and lie in between 00:00:00 and 23:59:59", ) + if (!validate_timevalues($self->{_time}->{_starttime}, "time")); + $time .= " --timestart $self->{_time}->{_starttime} "; + } + if (defined($self->{_time}->{_stoptime})) { + return ("Invalid stoptime $self->{_time}->{_stoptime}. +Time should use 24 hour notation hh:mm:ss and lie in between 00:00:00 and 23:59:59", ) + if (!validate_timevalues($self->{_time}->{_stoptime}, "time")); + $time .= " --timestop $self->{_time}->{_stoptime} "; + } + if (defined($self->{_time}->{_monthdays})) { + my $negate = " "; + if ($self->{_time}->{_monthdays} =~ m/^!/) { + $negate = "! 
"; + $self->{_time}->{_monthdays} = substr $self->{_time}->{_monthdays}, 1; + } + return ("Invalid monthdays value $self->{_time}->{_monthdays}. +Monthdays should have values between 1 and 31 with multiple days separated by commas +eg. 2,12,21 For negation, add ! in front eg. !2,12,21", ) + if (!validate_timevalues($self->{_time}->{_monthdays}, "monthdays")); + $time .= " $negate --monthdays $self->{_time}->{_monthdays} "; + } + if (defined($self->{_time}->{_weekdays})) { + my $negate = " "; + if ($self->{_time}->{_weekdays} =~ m/^!/) { + $negate = "! "; + $self->{_time}->{_weekdays} = substr $self->{_time}->{_weekdays}, 1; + } + return ("Invalid weekdays value $self->{_time}->{_weekdays}. +Weekdays should be specified using the first three characters of the day with the +first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mon,Thu,Sat", ) + if (!validate_timevalues($self->{_time}->{_weekdays}, "weekdays")); + $time .= " $negate --weekdays $self->{_time}->{_weekdays} "; + } + if (defined($time)) { + $rule .= " -m time $time "; + } + + my $limit = undef; + if (defined $self->{_limit}->{_rate}) { + my $rate_integer = $self->{_limit}->{_rate}; + $rate_integer =~ s/\/(second|minute|hour|day)//; + if ($rate_integer < 1) { + return ("integer value in rate cannot be less than 1", ); + } + $limit = "--limit $self->{_limit}->{_rate} --limit-burst $self->{_limit}->{_burst}"; + } + $rule .= " -m limit $limit " if defined $limit; + + # recent match condition SHOULD BE DONE IN THE LAST so + # all options in $rule are copied to $recent_rule below + my $recent_rule = undef; + if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) { + my $recent_rule1 = undef; + my $recent_rule2 = undef; + $recent_rule1 .= ' -m recent --update '; + $recent_rule2 .= ' -m recent --set '; + if (defined($self->{_recent_time})) { + $recent_rule1 .= " --seconds $self->{_recent_time} "; + } + if (defined($self->{_recent_cnt})) { + $recent_rule1 .= " --hitcount 
$self->{_recent_cnt} "; + } + + $recent_rule = $rule; + + if ($rule =~ m/\-m\s+set\s+\-\-match\-set/) { + # firewall group being used in this rule. iptables complains if recent + # match condition is placed after group match conditions [see bug 5744] + # so instead of appending recent match place it before group match + my @split_rules = (); + + @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $rule, 2); + $rule = $split_rules[0] . $recent_rule1 . + $split_rules[1] . $split_rules[2]; + + @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $recent_rule, 2); + $recent_rule = $split_rules[0] . $recent_rule2 . + $split_rules[1] . $split_rules[2]; + } else { + # append recent match conditions to the two rules needed for recent match + $rule .= $recent_rule1; + $recent_rule .= $recent_rule2; + } + } + + my $chain = $self->{_name}; + my $rule_num = $self->{_rule_number}; + my $rule2 = undef; + # set the jump target. Depends on action and log + if ("$self->{_log}" eq "enable") { + $rule2 = $rule; + my $log_prefix = get_log_prefix($chain, $rule_num, $self->{_action}); + $rule2 .= "-j LOG --log-prefix \"$log_prefix\" "; + } + if ("$self->{_action}" eq "drop") { + $rule .= "-j DROP "; + } elsif ("$self->{_action}" eq "accept") { + $rule .= "-j RETURN "; + } elsif ("$self->{_action}" eq "reject") { + $rule .= "-j REJECT "; + } elsif ("$self->{_action}" eq 'inspect') { + my $target = ipt_get_queue_target('SNORT'); + return ('Undefined target for inspect', ) if ! 
defined $target; + $rule .= "-j $target "; + } elsif ("$self->{_action}" eq 'modify') { + # mangle actions + my $count = 0; + if (defined($self->{_mod_mark})) { + # MARK + $rule .= "-j MARK --set-mark $self->{_mod_mark} "; + $count++; + } + if (defined($self->{_mod_dscp})) { + # DSCP + $rule .= "-j DSCP --set-dscp $self->{_mod_dscp} "; + $count++; + } + if (defined($self->{_mod_tcpmss})) { + # TCP-MSS + # check for SYN flag + if (!defined $self->{_tcp_flags} || + !(($self->{_tcp_flags} =~ m/SYN/) && !($self->{_tcp_flags} =~ m/!SYN/))) { + return ('need to set TCP SYN flag to modify TCP MSS', ); + } + + if ($self->{_mod_tcpmss} =~ m/\d/) { + $rule .= "-j TCPMSS --set-mss $self->{_mod_tcpmss} "; + } else { + $rule .= "-j TCPMSS --clamp-mss-to-pmtu "; + } + $count++; + } + + # others + + if ($count == 0) { + return ('Action "modify" requires more specific configuration under ' + . 'the "modify" node', ); + } elsif ($count > 1) { + return ('Cannot define more than one modification under ' + . 'the "modify" node', ); + } + } else { + return ("\"action\" must be defined", ); + } + if (defined($rule2)) { + my $tmp = $rule2; + $rule2 = $rule; + $rule = $tmp; + } elsif (defined($recent_rule)) { + $rule2 = $recent_rule; + $recent_rule = undef; + } + + return (undef, undef) if defined $self->{_disable}; + + my ($udp_rule, $udp_rule2, $udp_recent_rule) = (undef, undef, undef); + if ($tcp_and_udp == 1) { + # create udp rules + $udp_rule = $rule; + $udp_rule2 = $rule2 if defined $rule2; + $udp_recent_rule = $recent_rule if defined $recent_rule; + foreach my $each_udprule ($udp_rule, $udp_rule2, $udp_recent_rule) { + $each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule; + } + } + + if ($DEBUG eq 'true') { + # print all potential iptables rules that could be formed for + # a single CLI rule. 
see get_num_ipt_rules to see exact count + print "rule :\n$rule\n" if defined $rule; + print "rule2 :\n$rule2\n" if defined $rule2; + print "recent rule :\n$recent_rule\n" if defined $recent_rule; + print "udp rule :\n$udp_rule\n" if defined $udp_rule; + print "udp rule2 :\n$udp_rule2\n" if defined $udp_rule2; + print "udp recent rule :\n$udp_recent_rule\n" if defined $udp_recent_rule; + } + + return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule); +} + + + +1; + +# Local Variables: +# mode: perl +# indent-tabs-mode: nil +# perl-indent-level: 2 +# End: -- cgit v1.2.3 From eda48ea36f8b5602dd68ee8ce99a95f9e00878d2 Mon Sep 17 00:00:00 2001 From: Gaurav Date: Tue, 21 Feb 2012 11:38:46 -0800 Subject: Removing newly added file AddressFilterCT.pm. (cherry picked from commit 0ccdf73e1f7211aed9df214a65f8e953dbfdef42) --- lib/Vyatta/Conntrack/RuleCT.pm | 35 ++++++++++++++++++----------------- scripts/vyatta-conntrack-timeouts.pl | 10 +++++++++- 2 files changed, 27 insertions(+), 18 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index 9329603..3a0377b 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -9,23 +9,29 @@ my $dst = new Vyatta::Conntrack::AddressFilterCT; my %fields = ( _rule_number => undef, - _protocol => undef, - _state => { - _established => undef, - _new => undef, - _related => undef, - _invalid => undef, + _protocol => { + _tcp => { + _close => undef, + _close_wait => undef, + _syn_sent => undef, + }, + _udp => undef, + _other => undef, + _icmp => undef , }, ); my %dummy_rule = ( _rule_number => 10000, - _protocol => "all", - _state => { - _established => undef, - _new => undef, - _related => undef, - _invalid => undef, + _protocol => { + _tcp => { + _close => undef, + _close_wait => undef, + _syn_sent => undef, + }, + _udp => undef, + _other => undef, + _icmp => undef , }, ); 
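Review bot: `rule()` is carried over from the firewall rule builder almost verbatim and cannot run in this file: it calls `get_state_str`, `get_tcp_flags_string`, `validate_date`, `validate_timevalues`, `get_log_prefix` and `ipt_get_queue_target`, none of which RuleCT.pm defines or imports, so the first one reached (`get_state_str`, right after the protocol block) dies with an undefined-subroutine error. It also reads `_comment`, `_tcp_flags`, `_icmp_*`, `_frag`, `_ipsec`, `_p2p`, `_time`, `_limit`, `_recent_*`, `_name`, `_log`, `_action`, `_disable` and `_mod_*`, none of which `%fields` declares or `setup_base` populates. Either trim `rule()` to the conntrack-timeout options this package supports or put `# TODO: rule() not yet adapted from the firewall rule builder; do not call` at its top so callers do not depend on it. `$src` and `$dst` are file-scoped lexicals shared by every RuleCT instance, so two objects set up in turn silently share one pair of address filters; storing them as `$self->{_src}`/`$self->{_dst}` in `new` and `setupDummy` gives each rule its own. The file has `use strict` but no `use warnings`, and the `$config` built in `setupDummy` is never used.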
@@ -62,11 +68,6 @@ sub setup_base { $self->{_rule_number} = $config->returnParent(".."); $self->{_protocol} = $config->$val_func("protocol"); - $self->{_state}->{_established} = $config->$val_func("state established"); - $self->{_state}->{_new} = $config->$val_func("state new"); - $self->{_state}->{_related} = $config->$val_func("state related"); - $self->{_state}->{_invalid} = $config->$val_func("state invalid"); - $src->$addr_setup("$level source"); $dst->$addr_setup("$level destination"); diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index 7de1a02..8ab322d 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -39,7 +39,15 @@ sub update_config { $node->setup("system conntrack timeout custom rule $rule"); $node->print(); } elsif ("$rules{$rule}" eq 'changed') { - } elsif ("$rules{$rule}" eq 'deleted'){ + } elsif ("$rules{$rule}" eq 'deleted') { +# my $node = new Vyatta::Conntrack::RuleCT; +# $node->setupOrig("system conntrack timeout custom rule $rule"); +# my $ipt_rules = $node->get_num_ipt_rules(); +# for (1 .. $ipt_rules) { +# print "deleting 1\n"; +# run_cmd("$iptables_cmd -t $table --delete $name $iptablesrule"); +# die "$iptables_cmd error: $! - $rule" if ($? >> 8); +# } } } } -- cgit v1.2.3 From 15bb1ba78ade472e8dea5d1f4dd8f8a15af78a3c Mon Sep 17 00:00:00 2001 From: Gaurav Date: Tue, 21 Feb 2012 11:43:17 -0800 Subject: removing AddressFilterCT.pm (cherry picked from commit 796fc0e8654683733a473f46d3029032bc648f05) --- lib/Vyatta/Conntrack/AddressFilterCT.pm | 204 -------------------------------- 1 file changed, 204 deletions(-) delete mode 100644 lib/Vyatta/Conntrack/AddressFilterCT.pm (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/AddressFilterCT.pm b/lib/Vyatta/Conntrack/AddressFilterCT.pm deleted file mode 100644 index c7dac8d..0000000 --- a/lib/Vyatta/Conntrack/AddressFilterCT.pm +++ /dev/null 
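Review bot: The nested `_protocol` hash introduced here is never populated, because `setup_base` (the `@@ -62,11 +68,6 @@` hunk of this same commit) still does `$self->{_protocol} = $config->$val_func("protocol");`, which overwrites the hashref with whatever scalar `returnValue` yields, so `_tcp`/`_udp`/`_other`/`_icmp` are unreachable on any object after setup. Independently, `new` copies `%fields` and `setupDummy` copies `%dummy_rule` with a shallow hash copy, so every instance shares the template's single `_tcp` hashref; a write to `$self->{_protocol}{_tcp}{_close}` on one rule shows up on every other rule and on the next `new`. The later restructurings in this series (commits e02c2bf and 5572257) keep the nested shape and inherit both problems. Deep-copying the template, e.g. `use Storable qw(dclone);` and `my $self = dclone(\%fields);` in `new` (and likewise for `%dummy_rule` in `setupDummy`), gives each object its own state. The stray space in `_icmp => undef ,` is a nit.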
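Review bot: The `deleted` branch now carries a commented-out block that references `$iptables_cmd`, `$table`, `$name` and `$iptablesrule`, none of which this hunk declares, and the branch itself still does nothing when a custom rule is removed, so whatever is later applied for a rule is never torn down (the `added` branch above only prints at this point, so the gap is latent rather than live). If the block is kept as a reminder, a single `# TODO: tear down timeouts applied for deleted rule $rule` reads better than eight commented lines. When it is revived, pass the command as a list, `run_cmd($iptables_cmd, '-t', $table, '--delete', $name, $iptablesrule)` or its equivalent for however `run_cmd` is defined, rather than one interpolated string, so a rule name from the configuration never reaches a shell. The enclosing `update_config` loop starts and ends outside this hunk.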
@@ -1,204 +0,0 @@ -# Author: Vyatta -# Date: 2007 -# Description: IP tables address filter -# -# Gaurav Sinha: Re-using AddressFilter.pm from vyatta-cfg-firewall package. -# - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2006-2009 Vyatta, Inc. -# All Rights Reserved. -# **** End License **** - -package Vyatta::Conntrack::AddressFilterCT; - -require Vyatta::Config; -require Vyatta::IpTables::IpSet; -use Vyatta::Misc qw(getPortRuleString); -use Vyatta::TypeChecker; - -use strict; -use warnings; - -my %_protocolswithports = ( - tcp_udp => 1, - # 'tcp_udp' is to be allowed for nat and firewall rules only. - # features should have syntax checks for allowing or forbiding - # the use of 'tcp_udp' as protocol. 
to allow tcp_udp see syntax check - # in protocol/node.def for NAT rules and to forbid tcp_udp see syntax - # check in protocol/node.def for load-balancing rules - # when allowed : tcp_udp creates 2 iptable rules - one for tcp, other for udp - tcp => 1, - udp => 1, - 6 => 1, - 17 => 1, -); - -my %fields = ( - _srcdst => undef, - _range_start => undef, - _range_stop => undef, - _network => undef, - _address => undef, - _port => undef, - _protocol => undef, - _port_group => undef, -); - -sub new { - my $that = shift; - my $class = ref ($that) || $that; - my $self = { - %fields, - }; - - bless $self, $class; - return $self; -} - -sub setup_base { - my ($self, $level, $func) = @_; - my $config = new Vyatta::Config; - - $config->setLevel("$level"); - - # setup needed parent nodes - $self->{_srcdst} = $config->returnParent(".."); -# $self->{_protocol} = $config->$func(".. protocol"); - - # setup address filter nodes - $self->{_address} = $config->$func("address"); - $self->{_network} = undef; - $self->{_range_start} = undef; - $self->{_range_stop} = undef; - if (defined($self->{_address})) { - if ($self->{_address} =~ /\//) { - $self->{_network} = $self->{_address}; - $self->{_address} = undef; - } elsif ($self->{_address} =~ /^([^-]+)-([^-]+)$/) { - $self->{_range_start} = $1; - $self->{_range_stop} = $2; - $self->{_address} = undef; - } - } - $self->{_port} = $config->$func("port"); - - return 0; -} - -sub setup { - my ($self, $level) = @_; - - $self->setup_base($level, 'returnValue'); - return 0; -} - -sub setupOrig { - my ($self, $level) = @_; - - $self->setup_base($level, 'returnOrigValue'); - return 0; -} - -sub print { - my ($self) = @_; - - print "srcdst: $self->{_srcdst}\n" if defined $self->{_srcdst}; - print "range start: $self->{_range_start}\n" if defined $self->{_range_start}; - print "range stop: $self->{_range_stop}\n" if defined $self->{_range_stop}; - print "network: $self->{_network}\n" if defined $self->{_network}; - print "address: 
$self->{_address}\n" if defined $self->{_address}; - print "port: $self->{_port}\n" if defined $self->{_port}; - print "protocol: $self->{_protocol}\n" if defined $self->{_protocol}; - - return 0; -} - -sub rule { - my ($self) = @_; - my $rule = ""; - my $can_use_port = 1; - - my $addr_checker; - my $prefix_checker; - my $pure_addr_checker; - my $ip_term; - my $prefix_term; - - $addr_checker = 'ipv4_negate'; - $prefix_checker = 'ipv4net_negate'; - $pure_addr_checker = 'ipv4'; - $ip_term = "IPv4"; - $prefix_term = "subnet"; - - if (!defined($self->{_protocol}) - || !defined($_protocolswithports{$self->{_protocol}})) { - $can_use_port = 0; - } - - # set the address filter parameters - if (defined($self->{_network})) { - my $str = $self->{_network}; - return (undef, "\"$str\" is not a valid $ip_term $prefix_term") - if (!Vyatta::TypeChecker::validateType($prefix_checker, $str, 1)); - my $negate = ''; - if ($str =~ /^\!(.*)$/) { - $str = $1; - $negate = '! '; - } - $rule .= "$negate --$self->{_srcdst} $str "; - } elsif (defined($self->{_address})) { - my $str = $self->{_address}; - return (undef, "\"$str\" is not a valid $ip_term address") - if (!Vyatta::TypeChecker::validateType($addr_checker, $str, 1)); - my $negate = ''; - if ($str =~ /^\!(.*)$/) { - $str = $1; - $negate = '! '; - } - $rule .= "$negate --$self->{_srcdst} $str "; - } elsif ((defined $self->{_range_start}) && (defined $self->{_range_stop})) { - my $start = $self->{_range_start}; - my $stop = $self->{_range_stop}; - return (undef, "\"$start-$stop\" is not a valid IP range") - if (!Vyatta::TypeChecker::validateType($addr_checker, $start, 1) - || !Vyatta::TypeChecker::validateType($pure_addr_checker, $stop, 1)); - my $negate = ''; - if ($self->{_range_start} =~ /^!(.*)$/) { - $start = $1; - $negate = '! 
'; - } - if ("$self->{_srcdst}" eq "source") { - $rule .= ("-m iprange $negate --src-range $start-$self->{_range_stop} "); - } - elsif ("$self->{_srcdst}" eq "destination") { - $rule .= ("-m iprange $negate --dst-range $start-$self->{_range_stop} "); - } - } - - my ($port_str, $port_err) - = getPortRuleString($self->{_port}, $can_use_port, - ($self->{_srcdst} eq "source") ? "s" : "d", - $self->{_protocol}); - return (undef, $port_err) if (!defined($port_str)); - $rule .= $port_str; - - return ($rule, undef); -} -1; - -# Local Variables: -# mode: perl -# indent-tabs-mode: nil -# perl-indent-level: 2 -# End: -- cgit v1.2.3 From 0f242d1a1fa363b19229b886622ef9ca3a4f50b5 Mon Sep 17 00:00:00 2001 From: Gaurav Date: Tue, 21 Feb 2012 13:46:20 -0800 Subject: modified to use AddressFilter from IpTables (cherry picked from commit 1392750b600cec991e24e7ab0cc211c621e4430a) --- Makefile.am | 1 - lib/Vyatta/Conntrack/RuleCT.pm | 10 +++++----- scripts/vyatta-conntrack-timeouts.pl | 2 +- 3 files changed, 6 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/Makefile.am b/Makefile.am index 0080498..39a08b2 100644 --- a/Makefile.am +++ b/Makefile.am @@ -17,7 +17,6 @@ checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/conntrack-hash-s share_perl5_DATA = lib/Vyatta/Conntrack/Config.pm share_perl5_DATA += lib/Vyatta/Conntrack/ConntrackUtil.pm share_perl5_DATA += lib/Vyatta/Conntrack/RuleCT.pm -share_perl5_DATA += lib/Vyatta/Conntrack/AddressFilterCT.pm sbin_SCRIPTS = scripts/vyatta-update-conntrack-log.pl bin_sudo_usersdir = $(bindir)/sudo-users diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index 3a0377b..e407f42 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm 
@@ -2,10 +2,10 @@ package Vyatta::Conntrack::RuleCT; use strict; use Vyatta::Config; -require Vyatta::Conntrack::AddressFilterCT; +require Vyatta::IpTables::AddressFilter; -my $src = new Vyatta::Conntrack::AddressFilterCT; -my $dst = new Vyatta::Conntrack::AddressFilterCT; +my $src = new Vyatta::IpTables::AddressFilter; +my $dst = new Vyatta::IpTables::AddressFilter; my %fields = ( _rule_number => undef, @@ -52,8 +52,8 @@ sub setupDummy { my ($self, $level) = @_; %{$self} = %dummy_rule; - $src = new Vyatta::Conntrack::AddressFilterCT; - $dst = new Vyatta::Conntrack::AddressFilterCT; + $src = new Vyatta::IpTables::AddressFilter; + $dst = new Vyatta::IpTables::AddressFilter; # set the default policy my $config = new Vyatta::Config; diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index 8ab322d..7395b06 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -6,7 +6,7 @@ use strict; use Vyatta::Config; use Vyatta::Conntrack::RuleCT; -use Vyatta::Conntrack::AddressFilterCT; +use Vyatta::IpTables::AddressFilter; use Getopt::Long; use Vyatta::Zone; use Sys::Syslog qw(:standard :macros); -- cgit v1.2.3 From e02c2bf7724c050e348dba14fa964375ba92a37b Mon Sep 17 00:00:00 2001 From: Gaurav Date: Wed, 22 Feb 2012 10:30:52 -0800 Subject: adding various timers in custom rule template (cherry picked from commit ebae932dd450c23d90d1f9d497e2715af535577f) --- lib/Vyatta/Conntrack/RuleCT.pm | 46 +++++++++++++++++++++++++++++++----- scripts/vyatta-conntrack-timeouts.pl | 12 +++------- 2 files changed, 43 insertions(+), 15 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index e407f42..e53e07f 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm 
@@ -13,12 +13,20 @@ my %fields = ( _tcp => { _close => undef, _close_wait => undef, + _established => undef, + _fin_wait => undef, + _last_ack => undef, _syn_sent => undef, - }, - _udp => undef, + _syn_recv => undef, + _time_wait => undef, + }, + _udp => { + _other => undef, + _stream => undef, + }, _other => undef, _icmp => undef , - }, + }, ); my %dummy_rule = ( @@ -27,9 +35,17 @@ my %dummy_rule = ( _tcp => { _close => undef, _close_wait => undef, + _established => undef, + _fin_wait => undef, + _last_ack => undef, _syn_sent => undef, - }, - _udp => undef, + _syn_recv => undef, + _time_wait => undef, + }, + _udp => { + _other => undef, + _stream => undef, + }, _other => undef, _icmp => undef , }, @@ -67,7 +83,25 @@ sub setup_base { $config->setLevel("$level"); $self->{_rule_number} = $config->returnParent(".."); - $self->{_protocol} = $config->$val_func("protocol"); + if (($config->existsOrig("protocol tcp")) or + ($config->existsOrig("protocol udp")) or + ($config->existsOrig("protocol icmp")) or + ($config->existsOrig("protocol other"))) { + die "Error: Only one protocol per rule\n" + } + if ($config->$exists_func("protocol tcp")) { + $self->{_protocol} = "tcp"; + } elsif ($config->$exists_func("protocol icmp")) { + $self->{_protocol} = "icmp"; + } elsif ($config->$exists_func("protocol udp")) { + $self->{_protocol} = "udp"; + } elsif ($config->$exists_func("protocol other")) { + $self->{_protocol} = "other"; + } + + print "protocol is [\n"; + print $self->{_protocol}; + print "]\n"; $src->$addr_setup("$level source"); $dst->$addr_setup("$level destination"); diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index 7395b06..a079ed1 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl 
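Review bot: The guard meant to enforce one protocol per rule fires on any protocol at all: the chain `existsOrig("protocol tcp") or existsOrig("protocol udp") or ...` is true as soon as a single one of them is present in the original config, so `setup()` on any previously committed rule that has a protocol dies with "Only one protocol per rule", and because it uses `existsOrig` regardless of `$exists_func` the check looks at the wrong tree for `setup()` versus `setupOrig()`. Counting with the passed-in accessor fixes both: `my @protos = grep { $config->$exists_func("protocol $_") } qw(tcp icmp udp other);` then `die "Error: Only one protocol per rule\n" if @protos > 1;` and `$self->{_protocol} = $protos[0];`, which also replaces the four-way `elsif` chain and leaves `_protocol` undef when none is set, as before. The three `print "protocol is [\n"` lines are leftover debugging output in a library method and would print an undef `_protocol`; drop them or guard them with the existing `$DEBUG` flag. `setup_base` begins before this hunk and ends after it.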
@@ -31,7 +31,6 @@ sub update_config { $config->setLevel("system conntrack timeout custom rule"); %rules = $config->listNodeStatus(); - print %rules; foreach my $rule (sort keys %rules) { if ("$rules{$rule}" eq 'static') { } elsif ("$rules{$rule}" eq 'added') { @@ -39,15 +38,10 @@ sub update_config { $node->setup("system conntrack timeout custom rule $rule"); $node->print(); } elsif ("$rules{$rule}" eq 'changed') { + my $node = new Vyatta::Conntrack::RuleCT; + $node->setup("system conntrack timeout custom rule $rule"); + $node->print(); } elsif ("$rules{$rule}" eq 'deleted') { -# my $node = new Vyatta::Conntrack::RuleCT; -# $node->setupOrig("system conntrack timeout custom rule $rule"); -# my $ipt_rules = $node->get_num_ipt_rules(); -# for (1 .. $ipt_rules) { -# print "deleting 1\n"; -# run_cmd("$iptables_cmd -t $table --delete $name $iptablesrule"); -# die "$iptables_cmd error: $! - $rule" if ($? >> 8); -# } } } } -- cgit v1.2.3 From 5572257844e071451dffa5b76bf459b18c27c23a Mon Sep 17 00:00:00 2001 From: Gaurav Date: Wed, 22 Feb 2012 11:52:37 -0800 Subject: changing structure of hashes kept for timeouts (cherry picked from commit 3fd99241f39f7482e35c0d4e4a91342fd8d9d4ad) --- lib/Vyatta/Conntrack/RuleCT.pm | 92 ++++++++++++++++++++---------------- scripts/vyatta-conntrack-timeouts.pl | 3 ++ 2 files changed, 55 insertions(+), 40 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index e53e07f..f1d17f9 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm 
@@ -9,46 +9,44 @@ my $dst = new Vyatta::IpTables::AddressFilter; my %fields = ( _rule_number => undef, - _protocol => { - _tcp => { - _close => undef, - _close_wait => undef, - _established => undef, - _fin_wait => undef, - _last_ack => undef, - _syn_sent => undef, - _syn_recv => undef, - _time_wait => undef, - }, - _udp => { - _other => undef, - _stream => undef, - }, - _other => undef, - _icmp => undef , - }, + _protocol => undef, + _tcp => { + _close => undef, + _close_wait => undef, + _established => undef, + _fin_wait => undef, + _last_ack => undef, + _syn_sent => undef, + _syn_recv => undef, + _time_wait => undef, + }, + _udp => { + _other => undef, + _stream => undef, + }, + _other => undef, + _icmp => undef , ); my %dummy_rule = ( _rule_number => 10000, - _protocol => { - _tcp => { - _close => undef, - _close_wait => undef, - _established => undef, - _fin_wait => undef, - _last_ack => undef, - _syn_sent => undef, - _syn_recv => undef, - _time_wait => undef, - }, - _udp => { - _other => undef, - _stream => undef, - }, - _other => undef, - _icmp => undef , - }, + _protocol => undef, + _tcp => { + _close => undef, + _close_wait => undef, + _established => undef, + _fin_wait => undef, + _last_ack => undef, + _syn_sent => undef, + _syn_recv => undef, + _time_wait => undef, + }, + _udp => { + _other => undef, + _stream => undef, + }, + _other => undef, + _icmp => undef , ); my $DEBUG = 'false'; 
@@ -91,17 +89,26 @@ sub setup_base { } if ($config->$exists_func("protocol tcp")) { $self->{_protocol} = "tcp"; + $self->{_tcp}->{_close} = $config->$val_func("protocol tcp close"); + $self->{_tcp}->{_close_wait} = $config->$val_func("protocol tcp close-wait"); + $self->{_tcp}->{_time_wait} = $config->$val_func("protocol tcp time_wait"); + $self->{_tcp}->{_syn_recv} = $config->$val_func("protocol tcp syn-recv"); + $self->{_tcp}->{_syn_sent} = $config->$val_func("protocol tcp syn-sent"); + $self->{_tcp}->{_last_ack} = $config->$val_func("protocol tcp last-ack"); + $self->{_tcp}->{_fin_wait} = $config->$val_func("protocol tcp fin-wait"); + $self->{_tcp}->{_established} = $config->$val_func("protocol tcp established"); } elsif ($config->$exists_func("protocol icmp")) { $self->{_protocol} = "icmp"; + $self->{_icmp} = $config->$val_func("protocol icmp"); } elsif ($config->$exists_func("protocol udp")) { $self->{_protocol} = "udp"; + $self->{_udp}->{_other} = $config->$val_func("protocol udp other"); + $self->{_udp}->{_stream} = $config->$val_func("protocol udp stream"); } elsif ($config->$exists_func("protocol other")) { $self->{_protocol} = "other"; + $self->{_other} = $config->$val_func("protocol other"); } - print "protocol is [\n"; - print $self->{_protocol}; - print "]\n"; $src->$addr_setup("$level source"); $dst->$addr_setup("$level destination"); @@ -129,7 +136,12 @@ sub print { print "state: $self->{_state}\n" if defined $self->{_state}; $src->print(); $dst->print(); - + print "$self->{_tcp}->{_close}\n"; + print "$self->{_tcp}->{_close_wait}\n"; + print "$self->{_tcp}->{_established}\n"; + print "$self->{_tcp}->{_fin_wait}\n"; + print "$self->{_tcp}->{_syn_sent}\n"; + print "$self->{_tcp}->{_syn_recv}\n"; } sub rule { diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index a079ed1..9b69f0a 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl 
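Review bot: The tcp block in setup_base reads `protocol tcp time_wait` with an underscore while every sibling node is hyphenated (`close-wait`, `syn-recv`, `syn-sent`, `last-ack`, `fin-wait`), so if the template node is `time-wait` as that convention suggests, `_time_wait` will always stay undef; the line should read `$self->{_tcp}->{_time_wait} = $config->$val_func("protocol tcp time-wait");`. The new print lines in the second hunk interpolate the tcp timers unconditionally, which emits blank lines for udp/icmp/other rules; guarding them with `if defined` as print's existing lines do keeps the output consistent. setup_base continues outside the hunk.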
@@ -34,14 +34,17 @@ sub update_config { foreach my $rule (sort keys %rules) { if ("$rules{$rule}" eq 'static') { } elsif ("$rules{$rule}" eq 'added') { + print $rules{$rule}; my $node = new Vyatta::Conntrack::RuleCT; $node->setup("system conntrack timeout custom rule $rule"); $node->print(); } elsif ("$rules{$rule}" eq 'changed') { + print $rules{$rule}; my $node = new Vyatta::Conntrack::RuleCT; $node->setup("system conntrack timeout custom rule $rule"); $node->print(); } elsif ("$rules{$rule}" eq 'deleted') { + print $rules{$rule}; } } } -- cgit v1.2.3 From df2d9327d38a65ed281b74934e4b6a20d568079b Mon Sep 17 00:00:00 2001 From: Gaurav Date: Wed, 22 Feb 2012 14:38:42 -0800 Subject: Add function to create nfct-timeout policy (cherry picked from commit d15993bc83942d5841886c0f290430530b009174) --- lib/Vyatta/Conntrack/RuleCT.pm | 51 ++++++++++++++++++++++++++++++------ scripts/vyatta-conntrack-timeouts.pl | 2 ++ 2 files changed, 45 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index f1d17f9..5071087 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -1,3 +1,8 @@ +# +# The timeouts are implemented using nfct-timeout policies that are +# later applied to the corresponding iptables rules. The rules and +# policies are distinguished based on the rule number. + package Vyatta::Conntrack::RuleCT; use strict; @@ -26,6 +31,7 @@ my %fields = ( }, _other => undef, _icmp => undef , + _comment => undef, ); my %dummy_rule = ( @@ -47,6 +53,7 @@ my %dummy_rule = ( }, _other => undef, _icmp => undef , + _comment => undef, ); my $DEBUG = 'false'; 
@@ -79,14 +86,8 @@ sub setup_base { my $config = new Vyatta::Config; $config->setLevel("$level"); - + $self->{_comment} = $level; $self->{_rule_number} = $config->returnParent(".."); - if (($config->existsOrig("protocol tcp")) or - ($config->existsOrig("protocol udp")) or - ($config->existsOrig("protocol icmp")) or - ($config->existsOrig("protocol other"))) { - die "Error: Only one protocol per rule\n" - } if ($config->$exists_func("protocol tcp")) { $self->{_protocol} = "tcp"; $self->{_tcp}->{_close} = $config->$val_func("protocol tcp close"); @@ -142,6 +143,39 @@ sub print { print "$self->{_tcp}->{_fin_wait}\n"; print "$self->{_tcp}->{_syn_sent}\n"; print "$self->{_tcp}->{_syn_recv}\n"; + print "Comment is: $self->{_comment}\n"; +} + +# return a string that has the nfct-timeout command to create +# a timeout policy. +sub get_policy_command { + my ($self ) = @_; + my $command; + my @level_nodes = split (' ', $self->{_comment}); + $command .= "policy$level_nodes[2]-$level_nodes[5]"; + if ($self->{_protocol} eq 'tcp') { + $command .= " tcp"; + $command .= " close $self->{_tcp}->{_close}"; + $command .= " close-wait $self->{_tcp}->{_close_wait}"; + $command .= " time-wait $self->{_tcp}->{_time_wait}"; + $command .= " syn-recv $self->{_tcp}->{_syn_recv}"; + $command .= " syn-sent $self->{_tcp}->{_syn_sent}"; + $command .= " last-ack $self->{_tcp}->{_last_ack}"; + $command .= " fin-wait $self->{_tcp}->{_fin_wait}"; + $command .= " established $self->{_tcp}->{_established}"; + } elsif ($self->{_protocol} eq 'udp') { + $command .= " udp"; + $command .= " other $self->{_udp}->{_other}"; + $command .= " stream $self->{_udp}->{_stream}"; + } elsif ($self->{_protocol} eq 'icmp') { + $command .= " icmp"; + $command .= " icmp $self->{_icmp}"; + } elsif ($self->{_protocol} eq 'other') { + $command .= " other"; + $command .= " other $self->{_other}"; + } + print "\n $command\n\n"; + return $command; } sub rule { 
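Review bot: get_policy_command derives the policy name from positional tokens of the saved level string (`$level_nodes[2]` and `$level_nodes[5]`), which breaks silently if a caller ever passes a different level path, even though setup_base already stores the rule number in `$self->{_rule_number}` via returnParent; building the name from `$self->{_rule_number}` with a fixed prefix is less fragile. Every timer is interpolated unconditionally, so a rule with only `established` configured yields ` close  close-wait  time-wait ...` with empty values, which is unlikely to be a valid nfct-timeout argument list; append each option only when its value is defined. The `icmp` branch appends ` icmp` twice, and the trailing `print "\n $command\n\n";` looks like leftover debugging.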
@@ -151,7 +185,8 @@ sub rule { # set CLI rule num as comment my @level_nodes = split (' ', $self->{_comment}); - $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[4]\" "; + $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" "; + print "rule is $rule\n"; # set the protocol if (defined($self->{_protocol})) { diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index 9b69f0a..20bdc52 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -38,6 +38,8 @@ sub update_config { my $node = new Vyatta::Conntrack::RuleCT; $node->setup("system conntrack timeout custom rule $rule"); $node->print(); +# $node->rule(); + $node->get_policy_command(); #nfct-tiemout command string } elsif ("$rules{$rule}" eq 'changed') { print $rules{$rule}; my $node = new Vyatta::Conntrack::RuleCT; -- cgit v1.2.3 From 953d1039cbf8fb42ee5140c3a09ba7e6915008da Mon Sep 17 00:00:00 2001 From: Gaurav Date: Thu, 23 Feb 2012 09:57:17 -0800 Subject: Fixing nfct-command string:only modified timer is included in the command (cherry picked from commit 9e17315753bb98c677ec5b11c9e52f6a9f5d80a8) --- lib/Vyatta/Conntrack/RuleCT.pm | 43 ++++++++++++++++------ .../rule/node.tag/protocol/tcp/syn-sent/node.def | 1 - 2 files changed, 31 insertions(+), 13 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index 5071087..594c784 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -143,7 +143,6 @@ sub print { print "$self->{_tcp}->{_fin_wait}\n"; print "$self->{_tcp}->{_syn_sent}\n"; print "$self->{_tcp}->{_syn_recv}\n"; - print "Comment is: $self->{_comment}\n"; } # return a string that has the nfct-timeout command to create 
@@ -152,21 +151,41 @@ sub get_policy_command { my ($self ) = @_; my $command; my @level_nodes = split (' ', $self->{_comment}); - $command .= "policy$level_nodes[2]-$level_nodes[5]"; + $command .= "policy_$level_nodes[2]_$level_nodes[5]"; if ($self->{_protocol} eq 'tcp') { $command .= " tcp"; - $command .= " close $self->{_tcp}->{_close}"; - $command .= " close-wait $self->{_tcp}->{_close_wait}"; - $command .= " time-wait $self->{_tcp}->{_time_wait}"; - $command .= " syn-recv $self->{_tcp}->{_syn_recv}"; - $command .= " syn-sent $self->{_tcp}->{_syn_sent}"; - $command .= " last-ack $self->{_tcp}->{_last_ack}"; - $command .= " fin-wait $self->{_tcp}->{_fin_wait}"; - $command .= " established $self->{_tcp}->{_established}"; + if ($self->{_tcp}->{_close}) { + $command .= " close $self->{_tcp}->{_close}"; + } + if ($self->{_tcp}->{_close_wait}) { + $command .= " close-wait $self->{_tcp}->{_close_wait}"; + } + if ($self->{_tcp}->{_time_wait}) { + $command .= " time-wait $self->{_tcp}->{_time_wait}"; + } + if ($self->{_tcp}->{_syn_recv}) { + $command .= " syn-recv $self->{_tcp}->{_syn_recv}"; + } + if ($self->{_tcp}->{_syn_sent}) { + $command .= " syn-sent $self->{_tcp}->{_syn_sent}"; + } + if ($self->{_tcp}->{_last_ack}) { + $command .= " last-ack $self->{_tcp}->{_last_ack}"; + } + if ($self->{_tcp}->{_fin_wait}) { + $command .= " fin-wait $self->{_tcp}->{_fin_wait}"; + } + if ($self->{_tcp}->{_established}) { + $command .= " established $self->{_tcp}->{_established}"; + } } elsif ($self->{_protocol} eq 'udp') { $command .= " udp"; - $command .= " other $self->{_udp}->{_other}"; - $command .= " stream $self->{_udp}->{_stream}"; + if ($self->{_udp}->{_other}) { + $command .= " other $self->{_udp}->{_other}"; + } + if ($self->{_udp}->{_stream}) { + $command .= " stream $self->{_udp}->{_stream}"; + } } elsif ($self->{_protocol} eq 'icmp') { $command .= " icmp"; $command .= " icmp $self->{_icmp}"; 
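Review bot: The eight new tcp guards in get_policy_command test truthiness (`if ($self->{_tcp}->{_close})`), so a configured value of `0` would be dropped from the command; `defined` matches the stated intent of "only modified timers", and the repeated blocks collapse into a loop over a name table. The `icmp` and `other` branches visible at the end of the hunk still append their value unconditionally, so an icmp rule without a timeout yields ` icmp icmp ` with no value. The following keeps the option order exactly as the hunk has it.
```perl
    if ($self->{_protocol} eq 'tcp') {
        $command .= " tcp";
        # nfct-timeout option name => field that setup_base filled in
        my @tcp_timers = (
            [ 'close',       '_close' ],
            [ 'close-wait',  '_close_wait' ],
            [ 'time-wait',   '_time_wait' ],
            [ 'syn-recv',    '_syn_recv' ],
            [ 'syn-sent',    '_syn_sent' ],
            [ 'last-ack',    '_last_ack' ],
            [ 'fin-wait',    '_fin_wait' ],
            [ 'established', '_established' ],
        );
        foreach my $timer (@tcp_timers) {
            my ($option, $field) = @$timer;
            my $value = $self->{_tcp}->{$field};
            $command .= " $option $value" if defined $value;
        }
    # … unchanged: udp/icmp/other branches, with the same defined-guard applied …
```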
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def index 3343bdb..c5edde3 100644 --- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def @@ -5,4 +5,3 @@ help: TCP SYN-SENT timeout in seconds val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" - -- cgit v1.2.3 From d3296d0d9376a67983871736e74409fabfc20634 Mon Sep 17 00:00:00 2001 From: Gaurav Date: Thu, 23 Feb 2012 12:01:05 -0800 Subject: Error checks for ports with other/icmp, as not allowed (cherry picked from commit 8059ed8d3cfa033dc6b48e79dd66cdcd1ecc5ae9) --- lib/Vyatta/Conntrack/RuleCT.pm | 351 +++-------------------------------- scripts/vyatta-conntrack-timeouts.pl | 5 +- 2 files changed, 28 insertions(+), 328 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index 594c784..421b746 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -58,6 +58,21 @@ my %dummy_rule = ( my $DEBUG = 'false'; +sub rule { + my ( $self ) = @_; + my ($rule, $srcrule, $dstrule, $err_str); + my $tcp_and_udp = 0; + # set CLI rule num as comment + my @level_nodes = split (' ', $self->{_comment}); + $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" "; + ($srcrule, $err_str) = $src->rule(); + return ($err_str, ) if (!defined($srcrule)); + ($dstrule, $err_str) = $dst->rule(); + return ($err_str, ) if (!defined($dstrule)); + $rule .= " $srcrule $dstrule "; + print "rule is $rule\n"; +} + sub new { my $that = shift; my $class = ref ($that) || $that; 
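Review bot: The new rule() builds `$rule` but never returns it; the sub ends with `print "rule is $rule\n";`, so a caller doing `my $r = $node->rule()` receives print's return value rather than the match string. Replace that line with `return $rule;` (the print can live behind a debug flag if it is still wanted). `$tcp_and_udp` is declared and never used, and the `-m comment --comment \"...\"` argument is built with embedded double quotes, which only works if the string is later handed to a shell; worth remembering when the execution path is written.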
@@ -110,8 +125,18 @@ sub setup_base { $self->{_other} = $config->$val_func("protocol other"); } + #FIXME: AddressFilter.pm needs a change to accomodate other and + # icmp protocols as it does port checks unconditionally. $src->$addr_setup("$level source"); + $src->{_protocol} = $self->{_protocol};#needed to use address filter + if ( (($src->{_protocol} eq 'icmp') or ($src->{_protocol} eq 'other')) and (defined($src->{_port})) ) { + die "Error: Cannot specify port with protocol $src->{_protocol}\n"; + } $dst->$addr_setup("$level destination"); + $dst->{_protocol} = $self->{_protocol};#needed to use address filter + if ( (($dst->{_protocol} eq 'icmp') or ($dst->{_protocol} eq 'other')) and (defined($dst->{_port})) ) { + die "Error: Cannot specify port with protocol $dst->{_protocol}\n"; + } return 0; } 
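Review bot: The port/protocol check in setup_base is duplicated verbatim for $src and $dst and compares `$src->{_protocol} eq 'icmp'` without first checking that a protocol was matched, so a rule with none of the four protocol nodes leaves `_protocol` undef and the `eq` runs on undef. It also reaches into AddressFilter's private `_protocol`/`_port` fields, which the FIXME acknowledges; until AddressFilter gains an accessor, at least do it in one place so the two copies cannot drift. The two `$addr_setup` calls stay as they are and the check follows them. setup_base continues outside the hunk.
```perl
    $src->$addr_setup("$level source");
    $dst->$addr_setup("$level destination");
    # Ports only make sense for tcp/udp; AddressFilter does not know the
    # protocol, so propagate it and reject port matches for icmp/other here.
    foreach my $filter ($src, $dst) {
        $filter->{_protocol} = $self->{_protocol};  # needed to use address filter
        next unless defined $self->{_protocol} and defined $filter->{_port};
        if ($self->{_protocol} eq 'icmp' or $self->{_protocol} eq 'other') {
            die "Error: Cannot specify port with protocol $self->{_protocol}\n";
        }
    }
    return 0;
```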
@@ -187,340 +212,14 @@ sub get_policy_command { $command .= " stream $self->{_udp}->{_stream}"; } } elsif ($self->{_protocol} eq 'icmp') { - $command .= " icmp"; $command .= " icmp $self->{_icmp}"; } elsif ($self->{_protocol} eq 'other') { - $command .= " other"; $command .= " other $self->{_other}"; } print "\n $command\n\n"; return $command; } -sub rule { - my ( $self ) = @_; - my ($rule, $srcrule, $dstrule, $err_str); - my $tcp_and_udp = 0; - - # set CLI rule num as comment - my @level_nodes = split (' ', $self->{_comment}); - $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" "; - print "rule is $rule\n"; - - # set the protocol - if (defined($self->{_protocol})) { - my $str = $self->{_protocol}; - my $negate = ''; - if ($str =~ /^\!(.*)$/) { - $str = $1; - $negate = '! '; - } - if ($str eq 'tcp_udp') { - $tcp_and_udp = 1; - $rule .= " $negate -p tcp "; # we'll add the '-p udp' to 2nd rule later - } else { - $rule .= " $negate -p $str "; - } - } - - my $state_str = uc (get_state_str($self)); - if ($state_str ne "") { - $rule .= "-m state --state $state_str "; - } - - # set tcp flags if applicable - my $tcp_flags = undef; - if (defined $self->{_tcp_flags}) { - if (($self->{_protocol} eq "tcp") || ($self->{_protocol} eq "6")) { - $tcp_flags = get_tcp_flags_string($self->{_tcp_flags}); - } else { - return ("TCP flags can only be set if protocol is set to TCP", ); - } - } - if (defined($tcp_flags)) { - $rule .= " -m tcp --tcp-flags $tcp_flags "; - } - - # set the icmp code and type if applicable - if (($self->{_protocol} eq "icmp") || ($self->{_protocol} eq "1")) { - if (defined $self->{_icmp_name}) { - if (defined($self->{_icmp_type}) || defined($self->{_icmp_code})){ - return ("Cannot use ICMP type/code with ICMP type-name", ); - } - $rule .= "--icmp-type $self->{_icmp_name} "; - } elsif (defined $self->{_icmp_type}) { - $rule .= "--icmp-type $self->{_icmp_type}"; - if (defined $self->{_icmp_code}) { - $rule .= "/$self->{_icmp_code}"; - } - $rule 
.= " "; - } elsif (defined $self->{_icmp_code}) { - return ("ICMP code can only be defined if ICMP type is defined", ); - } - } elsif (defined($self->{_icmp_type}) || defined($self->{_icmp_code}) - || defined($self->{_icmp_name})) { - return ("ICMP type/code or type-name can only be defined if protocol is ICMP", ); - } - - # Setup ICMPv6 rule if configured - # ICMPv6 parameters are only valid if the rule is matching on the - # ICMPv6 protocol ID. - # - if (($self->{_protocol} eq "icmpv6") || - ($self->{_protocol} eq "ipv6-icmp") || - ($self->{_protocol} eq "58")) { - if (defined($self->{_icmpv6_type})) { - $rule .= "-m icmpv6 --icmpv6-type $self->{_icmpv6_type}"; - } - } - - # add the source and destination rules - ($srcrule, $err_str) = $src->rule(); - return ($err_str, ) if (!defined($srcrule)); - ($dstrule, $err_str) = $dst->rule(); - return ($err_str, ) if (!defined($dstrule)); - if ((grep /multiport/, $srcrule) ^ (grep /multiport/, $dstrule)) { - if ((grep /sport/, $srcrule) && (grep /dport/, $dstrule)) { - return ('Cannot specify multiple ports when both ' - . 'source and destination ports are specified', ); - } - } - $rule .= " $srcrule $dstrule "; - - return ('Cannot specify both "match-frag" and "match-non-frag"', ) - if (defined($self->{_frag}) && defined($self->{_non_frag})); - if (defined($self->{_frag})) { - $rule .= ' -f '; - } elsif (defined($self->{_non_frag})) { - $rule .= ' ! -f '; - } - - # note: "out" is not valid in the INPUT chain. 
- return ('Cannot specify both "match-ipsec" and "match-none"', ) - if (defined($self->{_ipsec}) && defined($self->{_non_ipsec})); - if (defined($self->{_ipsec})) { - $rule .= ' -m policy --pol ipsec --dir in '; - } elsif (defined($self->{_non_ipsec})) { - $rule .= ' -m policy --pol none --dir in '; - } - - my $p2p = undef; - if (defined($self->{_p2p}->{_all})) { - $p2p = '--apple --bit --dc --edk --gnu --kazaa '; - } else { - my @apps = qw(apple bit dc edk gnu kazaa); - foreach (@apps) { - if (defined($self->{_p2p}->{"_$_"})) { - $p2p .= "--$_ "; - } - } - } - if (defined($p2p)) { - $rule .= " -m ipp2p $p2p "; - } - - my $time = undef; - if (defined($self->{_time}->{_utc})) { - $time .= " --utc "; - } - if (defined($self->{_time}->{_startdate})) { - my $check_date = validate_date($self->{_time}->{_startdate}, "startdate"); - if (!($check_date eq "")) { - return ($check_date, ); - } - $time .= " --datestart $self->{_time}->{_startdate} "; - } - if (defined($self->{_time}->{_stopdate})) { - my $check_date = validate_date($self->{_time}->{_stopdate}, "stopdate"); - if (!($check_date eq "")) { - return ($check_date, ); - } - $time .= " --datestop $self->{_time}->{_stopdate} "; - } - if (defined($self->{_time}->{_starttime})) { - return ("Invalid starttime $self->{_time}->{_starttime}. -Time should use 24 hour notation hh:mm:ss and lie in between 00:00:00 and 23:59:59", ) - if (!validate_timevalues($self->{_time}->{_starttime}, "time")); - $time .= " --timestart $self->{_time}->{_starttime} "; - } - if (defined($self->{_time}->{_stoptime})) { - return ("Invalid stoptime $self->{_time}->{_stoptime}. -Time should use 24 hour notation hh:mm:ss and lie in between 00:00:00 and 23:59:59", ) - if (!validate_timevalues($self->{_time}->{_stoptime}, "time")); - $time .= " --timestop $self->{_time}->{_stoptime} "; - } - if (defined($self->{_time}->{_monthdays})) { - my $negate = " "; - if ($self->{_time}->{_monthdays} =~ m/^!/) { - $negate = "! 
"; - $self->{_time}->{_monthdays} = substr $self->{_time}->{_monthdays}, 1; - } - return ("Invalid monthdays value $self->{_time}->{_monthdays}. -Monthdays should have values between 1 and 31 with multiple days separated by commas -eg. 2,12,21 For negation, add ! in front eg. !2,12,21", ) - if (!validate_timevalues($self->{_time}->{_monthdays}, "monthdays")); - $time .= " $negate --monthdays $self->{_time}->{_monthdays} "; - } - if (defined($self->{_time}->{_weekdays})) { - my $negate = " "; - if ($self->{_time}->{_weekdays} =~ m/^!/) { - $negate = "! "; - $self->{_time}->{_weekdays} = substr $self->{_time}->{_weekdays}, 1; - } - return ("Invalid weekdays value $self->{_time}->{_weekdays}. -Weekdays should be specified using the first three characters of the day with the -first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mon,Thu,Sat", ) - if (!validate_timevalues($self->{_time}->{_weekdays}, "weekdays")); - $time .= " $negate --weekdays $self->{_time}->{_weekdays} "; - } - if (defined($time)) { - $rule .= " -m time $time "; - } - - my $limit = undef; - if (defined $self->{_limit}->{_rate}) { - my $rate_integer = $self->{_limit}->{_rate}; - $rate_integer =~ s/\/(second|minute|hour|day)//; - if ($rate_integer < 1) { - return ("integer value in rate cannot be less than 1", ); - } - $limit = "--limit $self->{_limit}->{_rate} --limit-burst $self->{_limit}->{_burst}"; - } - $rule .= " -m limit $limit " if defined $limit; - - # recent match condition SHOULD BE DONE IN THE LAST so - # all options in $rule are copied to $recent_rule below - my $recent_rule = undef; - if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) { - my $recent_rule1 = undef; - my $recent_rule2 = undef; - $recent_rule1 .= ' -m recent --update '; - $recent_rule2 .= ' -m recent --set '; - if (defined($self->{_recent_time})) { - $recent_rule1 .= " --seconds $self->{_recent_time} "; - } - if (defined($self->{_recent_cnt})) { - $recent_rule1 .= " --hitcount 
$self->{_recent_cnt} "; - } - - $recent_rule = $rule; - - if ($rule =~ m/\-m\s+set\s+\-\-match\-set/) { - # firewall group being used in this rule. iptables complains if recent - # match condition is placed after group match conditions [see bug 5744] - # so instead of appending recent match place it before group match - my @split_rules = (); - - @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $rule, 2); - $rule = $split_rules[0] . $recent_rule1 . - $split_rules[1] . $split_rules[2]; - - @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $recent_rule, 2); - $recent_rule = $split_rules[0] . $recent_rule2 . - $split_rules[1] . $split_rules[2]; - } else { - # append recent match conditions to the two rules needed for recent match - $rule .= $recent_rule1; - $recent_rule .= $recent_rule2; - } - } - - my $chain = $self->{_name}; - my $rule_num = $self->{_rule_number}; - my $rule2 = undef; - # set the jump target. Depends on action and log - if ("$self->{_log}" eq "enable") { - $rule2 = $rule; - my $log_prefix = get_log_prefix($chain, $rule_num, $self->{_action}); - $rule2 .= "-j LOG --log-prefix \"$log_prefix\" "; - } - if ("$self->{_action}" eq "drop") { - $rule .= "-j DROP "; - } elsif ("$self->{_action}" eq "accept") { - $rule .= "-j RETURN "; - } elsif ("$self->{_action}" eq "reject") { - $rule .= "-j REJECT "; - } elsif ("$self->{_action}" eq 'inspect') { - my $target = ipt_get_queue_target('SNORT'); - return ('Undefined target for inspect', ) if ! 
defined $target; - $rule .= "-j $target "; - } elsif ("$self->{_action}" eq 'modify') { - # mangle actions - my $count = 0; - if (defined($self->{_mod_mark})) { - # MARK - $rule .= "-j MARK --set-mark $self->{_mod_mark} "; - $count++; - } - if (defined($self->{_mod_dscp})) { - # DSCP - $rule .= "-j DSCP --set-dscp $self->{_mod_dscp} "; - $count++; - } - if (defined($self->{_mod_tcpmss})) { - # TCP-MSS - # check for SYN flag - if (!defined $self->{_tcp_flags} || - !(($self->{_tcp_flags} =~ m/SYN/) && !($self->{_tcp_flags} =~ m/!SYN/))) { - return ('need to set TCP SYN flag to modify TCP MSS', ); - } - - if ($self->{_mod_tcpmss} =~ m/\d/) { - $rule .= "-j TCPMSS --set-mss $self->{_mod_tcpmss} "; - } else { - $rule .= "-j TCPMSS --clamp-mss-to-pmtu "; - } - $count++; - } - - # others - - if ($count == 0) { - return ('Action "modify" requires more specific configuration under ' - . 'the "modify" node', ); - } elsif ($count > 1) { - return ('Cannot define more than one modification under ' - . 'the "modify" node', ); - } - } else { - return ("\"action\" must be defined", ); - } - if (defined($rule2)) { - my $tmp = $rule2; - $rule2 = $rule; - $rule = $tmp; - } elsif (defined($recent_rule)) { - $rule2 = $recent_rule; - $recent_rule = undef; - } - - return (undef, undef) if defined $self->{_disable}; - - my ($udp_rule, $udp_rule2, $udp_recent_rule) = (undef, undef, undef); - if ($tcp_and_udp == 1) { - # create udp rules - $udp_rule = $rule; - $udp_rule2 = $rule2 if defined $rule2; - $udp_recent_rule = $recent_rule if defined $recent_rule; - foreach my $each_udprule ($udp_rule, $udp_rule2, $udp_recent_rule) { - $each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule; - } - } - - if ($DEBUG eq 'true') { - # print all potential iptables rules that could be formed for - # a single CLI rule. 
see get_num_ipt_rules to see exact count - print "rule :\n$rule\n" if defined $rule; - print "rule2 :\n$rule2\n" if defined $rule2; - print "recent rule :\n$recent_rule\n" if defined $recent_rule; - print "udp rule :\n$udp_rule\n" if defined $udp_rule; - print "udp rule2 :\n$udp_rule2\n" if defined $udp_rule2; - print "udp recent rule :\n$udp_recent_rule\n" if defined $udp_recent_rule; - } - - return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule); -} - 1; diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index 20bdc52..bf7165e 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -38,8 +38,9 @@ sub update_config { my $node = new Vyatta::Conntrack::RuleCT; $node->setup("system conntrack timeout custom rule $rule"); $node->print(); -# $node->rule(); - $node->get_policy_command(); #nfct-tiemout command string + $node->rule(); + $node->get_policy_command(); #nfct-timeout command string + } elsif ("$rules{$rule}" eq 'changed') { print $rules{$rule}; my $node = new Vyatta::Conntrack::RuleCT; -- cgit v1.2.3 From 516e4988be28dd2441e915fe7d4c6a2efb5bd0c6 Mon Sep 17 00:00:00 2001 From: Gaurav Date: Fri, 24 Feb 2012 11:22:41 -0800 Subject: Adding deletion, error handling etc. (cherry picked from commit 6a59a800acf9a9f6a21677e6187a33647ceb3539) --- lib/Vyatta/Conntrack/RuleCT.pm | 14 ++++++++++---- scripts/vyatta-conntrack-timeouts.pl | 31 +++++++++++++++++++++++-------- 2 files changed, 33 insertions(+), 12 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index 421b746..d2c6409 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm 
@@ -11,7 +11,7 @@ require Vyatta::IpTables::AddressFilter; my $src = new Vyatta::IpTables::AddressFilter; my $dst = new Vyatta::IpTables::AddressFilter; - +my $CTERROR = "Conntrack Timeout Error:"; my %fields = ( _rule_number => undef, _protocol => undef, @@ -66,11 +66,17 @@ sub rule { my @level_nodes = split (' ', $self->{_comment}); $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" "; ($srcrule, $err_str) = $src->rule(); - return ($err_str, ) if (!defined($srcrule)); + if (defined($err_str)) { + Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str"); + exit 1; + } ($dstrule, $err_str) = $dst->rule(); - return ($err_str, ) if (!defined($dstrule)); + if (defined($err_str)) { + Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str"); + exit 1; + } $rule .= " $srcrule $dstrule "; - print "rule is $rule\n"; + return $rule; } sub new { diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index bf7165e..ac9b56d 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -23,6 +23,19 @@ GetOptions("create=s" => \$create, ); update_config(); +sub remove_timeout_policy { + my ($rule_string, $timeout_policy) = @_; + print "removing with $rule_string and $timeout_policy\n"; + # function to apply the policy and then apply the policy to + # the iptables rule. + # Do nothing as of now. +} +sub apply_timeout_policy { + # function to apply the policy and then apply the policy to + # the iptables rule. + # Do nothing as of now. +} + sub update_config { my $config = new Vyatta::Config; 
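Review bot: rule() now calls `exit 1` from inside a library method after outputError, which makes Vyatta::Conntrack::RuleCT unusable from any caller that wants to report the failure itself (or from a test); `die "Conntrack config error: $err_str\n";` keeps the message and lets vyatta-conntrack-timeouts.pl decide whether to exit. The two error blocks are identical apart from which filter produced `$err_str`, so a loop over `($src, $dst)` or a small helper avoids the copy. The `$CTERROR` string added in the first hunk of this file is not used by either message. rule()'s start is outside the hunk.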
@@ -34,20 +47,22 @@ sub update_config { foreach my $rule (sort keys %rules) { if ("$rules{$rule}" eq 'static') { } elsif ("$rules{$rule}" eq 'added') { - print $rules{$rule}; my $node = new Vyatta::Conntrack::RuleCT; + my ($rule_string, $timeout_policy); $node->setup("system conntrack timeout custom rule $rule"); - $node->print(); - $node->rule(); - $node->get_policy_command(); #nfct-timeout command string - + $rule_string = $node->rule(); + $timeout_policy = $node->get_policy_command(); #nfct-timeout command string + apply_timeout_policy($rule_string, $timeout_policy); } elsif ("$rules{$rule}" eq 'changed') { - print $rules{$rule}; my $node = new Vyatta::Conntrack::RuleCT; $node->setup("system conntrack timeout custom rule $rule"); - $node->print(); } elsif ("$rules{$rule}" eq 'deleted') { - print $rules{$rule}; + my $node = new Vyatta::Conntrack::RuleCT; + my ($rule_string, $timeout_policy); + $node->setupOrig("system conntrack timeout custom rule $rule"); + $rule_string = $node->rule(); + $timeout_policy = $node->get_policy_command(); #nfct-timeout command string + remove_timeout_policy($rule_string, $timeout_policy); } } } -- cgit v1.2.3 From 2c01ae23d707c984e2f6587da9218e5e63d55e30 Mon Sep 17 00:00:00 2001 From: Gaurav Date: Fri, 24 Feb 2012 12:07:59 -0800 Subject: adding apply/remove policy function, still dummy (cherry picked from commit bc000f9a538e67545dd7b1edb49385e158067639) --- lib/Vyatta/Conntrack/RuleCT.pm | 1 - scripts/vyatta-conntrack-timeouts.pl | 26 +++++++++++++++++++------- 2 files changed, 19 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index d2c6409..d75c85e 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -222,7 +222,6 @@ sub get_policy_command { } elsif ($self->{_protocol} eq 'other') { $command .= " other $self->{_other}"; } - print "\n $command\n\n"; return $command; } 
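Review bot: The `changed` branch in update_config only calls `$node->setup(...)` and then drops the node, so editing a timer on an existing rule never reaches nfct-timeout or iptables and the previously installed policy stays in force. A changed rule is the `deleted` and `added` cases back to back: remove the policy built from the original values, then apply the one built from the new values. The three branches then differ only in which of those two steps they run, which suggests two small helpers rather than the inline copies. update_config's start is outside the hunk.
```perl
        } elsif ("$rules{$rule}" eq 'changed') {
            my $old = new Vyatta::Conntrack::RuleCT;
            $old->setupOrig("system conntrack timeout custom rule $rule");
            remove_timeout_policy($old->rule(), $old->get_policy_command());
            my $new = new Vyatta::Conntrack::RuleCT;
            $new->setup("system conntrack timeout custom rule $rule");
            apply_timeout_policy($new->rule(), $new->get_policy_command());
        # … unchanged: 'deleted' branch …
```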
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index ac9b56d..a98de86 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -23,17 +23,29 @@ GetOptions("create=s" => \$create, ); update_config(); + sub remove_timeout_policy { my ($rule_string, $timeout_policy) = @_; - print "removing with $rule_string and $timeout_policy\n"; - # function to apply the policy and then apply the policy to - # the iptables rule. - # Do nothing as of now. + my @tokens = split (' ', $timeout_policy); + # First remove the iptables rules before removing policy. + my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]"; + my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]"; + my $nfct_timeout_cmd = "nfct-timeout remove $timeout_policy"; + print "$iptables_cmd1\n$iptables_cmd2\n"; + print "$nfct_timeout_cmd\n"; } + +# nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10 +# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -j CT --timeout policy1 sub apply_timeout_policy { - # function to apply the policy and then apply the policy to - # the iptables rule. - # Do nothing as of now. + my ($rule_string, $timeout_policy) = @_; + my $nfct_timeout_cmd = "nfct-timeout create $timeout_policy"; + my @tokens = split (' ', $timeout_policy); + my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]"; + my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]"; + + print "$nfct_timeout_cmd\n"; + print "$iptables_cmd1\n$iptables_cmd2\n"; } -- cgit v1.2.3 From 0c077f247ad6fbce6c8cc7a2a664ac682a56ed4c Mon Sep 17 00:00:00 2001 
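Review bot: remove_timeout_policy and apply_timeout_policy recover the policy name by re-splitting `$timeout_policy` (`$tokens[0]`), which couples both functions to the exact output format of get_policy_command; passing the name explicitly (get_policy_command could return `($name, $command)`) removes that coupling. `nfct-timeout remove $timeout_policy` hands the tool the whole policy specification rather than just the name; if the remove subcommand only takes a name, this should be `$tokens[0]` as well, which is worth confirming against the tool's usage before these stop being prints. The comment above apply_timeout_policy showing the intended commands is useful and should stay once the functions execute them.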
From: Gaurav Date: Fri, 24 Feb 2012 14:17:23 -0800 Subject: add run_cmd function with error checking (cherry picked from commit 10cd7d81497d87aed44287244f112990768cdfe2) --- lib/Vyatta/Conntrack/RuleCT.pm | 1 - scripts/vyatta-conntrack-timeouts.pl | 70 ++++++++++++++++++++++++++++++++---- 2 files changed, 64 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index d75c85e..9953291 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -11,7 +11,6 @@ require Vyatta::IpTables::AddressFilter; my $src = new Vyatta::IpTables::AddressFilter; my $dst = new Vyatta::IpTables::AddressFilter; -my $CTERROR = "Conntrack Timeout Error:"; my %fields = ( _rule_number => undef, _protocol => undef, diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index a98de86..61830ab 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -14,9 +14,14 @@ use Sys::Syslog qw(:standard :macros); #for future use when v6 timeouts need to be set my %cmd_hash = ( 'ipv4' => 'iptables', 'ipv6' => 'ip6tables'); +# Enable printing debug output to stdout. +my $debug_flag = 0; -my ($create, $delete, $update); +# Enable sending debug output to syslog. +my $syslog_flag = 0; +my ($create, $delete, $update); +my $CTERROR = "Conntrack timeout error:"; GetOptions("create=s" => \$create, "delete=s" => \$delete, "update=s" => \$update, 
@@ -24,6 +29,40 @@ GetOptions("create=s" => \$create,
 update_config();
+openlog("vyatta-conntrack", "pid", "local0");
+
+sub log_msg {
+ my $message = shift;
+
+ print "DEBUG: $message\n" if $debug_flag;
+ syslog(LOG_DEBUG, "%s", $message) if $syslog_flag;
+}
+# Run command and capture output
+# run_cmd("$iptables_cmd -t $table -F $name", 1);
+# if command fails, then send output to syslog
+sub run_cmd {
+ my ($cmd_to_run, $redirect) = @_;
+
+ log_msg("Running: $cmd_to_run");
+ print "$cmd_to_run\n";
+
+ if ($redirect) {
+ open (my $out, '-|', $cmd_to_run . ' 2>&1')
+ or die "Can't run command \"$cmd_to_run\": $!";
+ my @cmd_out = <$out>;
+
+ # if command suceeds to do nothing.
+ return if (close ($out));
+
+ foreach my $line (@cmd_out) {
+ chomp $line;
+ syslog(LOG_INFO, "%s", $line);
+ }
+ } else {
+ system($cmd_to_run);
+ }
+}
+
 sub remove_timeout_policy {
 my ($rule_string, $timeout_policy) = @_;
 my @tokens = split (' ', $timeout_policy);
@@ -31,8 +70,18 @@ sub remove_timeout_policy {
 my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
 my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
 my $nfct_timeout_cmd = "nfct-timeout remove $timeout_policy";
- print "$iptables_cmd1\n$iptables_cmd2\n";
- print "$nfct_timeout_cmd\n";
+ run_cmd($iptables_cmd2);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd2\n";
+ }
+ run_cmd($iptables_cmd1);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ }
+ run_cmd($nfct_timeout_cmd);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ }
 }
 # nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10
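Review bot: run_cmd passes `$cmd_to_run` to a shell in both branches, through `open (my $out, '-|', $cmd_to_run . ' 2>&1')` and the one-argument `system($cmd_to_run)`, and every caller hands it a string with `$rule_string` and `$timeout_policy` interpolated, so shell metacharacters in those configuration-derived values would be interpreted rather than passed on to iptables or nfct-timeout; accepting an argv list and using list-form `system` (with the capture branch forking via `open(my $out, '-|')` and redirecting STDERR in the child) takes the shell out of the path. The bare `print "$cmd_to_run\n";` runs unconditionally right after `log_msg`, which already honours `$debug_flag`, so every command line is echoed to stdout in normal operation. Callers test `$? >> 8`, which is zero when the child was killed by a signal; having run_cmd end with `return $? == 0;` and testing that would cover both exit codes and signals. The comment `# if command suceeds to do nothing.` should read `# nothing to do if the command succeeded.`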
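Review bot: After `run_cmd($iptables_cmd2)` or `run_cmd($iptables_cmd1)` fails, remove_timeout_policy prints the `$CTERROR` line but still proceeds to `run_cmd($nfct_timeout_cmd)`, so a policy that is presumably still referenced by a surviving CT rule is handed to nfct-timeout for removal; returning after the first failure (`print "$CTERROR failed to run $iptables_cmd2\n"; return;`) keeps the rule set and the policy table from diverging silently. The three identical `if ($? >> 8) { print ... }` blocks are repeated in apply_timeout_policy in the next hunk and would collapse to one line each if run_cmd returned its success status. The enclosing sub begins before this hunk.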
@@ -43,9 +92,18 @@ sub apply_timeout_policy {
 my @tokens = split (' ', $timeout_policy);
 my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
 my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
-
- print "$nfct_timeout_cmd\n";
- print "$iptables_cmd1\n$iptables_cmd2\n";
+ run_cmd($nfct_timeout_cmd);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ }
+ run_cmd($iptables_cmd1);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ }
+ run_cmd($iptables_cmd2);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd2\n";
+ }
 }
-- cgit v1.2.3
From b4c313d953660b8a70ccfda0b260fd81a6089976 Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Fri, 16 Mar 2012 21:03:51 -0700 Subject: use add instead of create, use inet, pre-pend protocol to iptables rule --- lib/Vyatta/Conntrack/RuleCT.pm | 7 ++++++- scripts/vyatta-conntrack-timeouts.pl | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'lib')
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index 9953291..5c59b93 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -74,6 +74,11 @@ sub rule {
 Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
 exit 1;
 }
+ if ($self->{_protocol} = "tcp") {
+ $rule .= " -p tcp";
+ } elsif ($self->{_protocol} = "udp") {
+ $rule .= " -p udp";
+ }
 $rule .= " $srcrule $dstrule ";
 return $rule;
 }
@@ -181,7 +186,7 @@ sub get_policy_command {
 my ($self ) = @_;
 my $command;
 my @level_nodes = split (' ', $self->{_comment});
- $command .= "policy_$level_nodes[2]_$level_nodes[5]";
+ $command .= "policy_$level_nodes[2]_$level_nodes[5] inet";
 if ($self->{_protocol} eq 'tcp') {
 $command .= " tcp";
 if ($self->{_tcp}->{_close}) {
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index 24aa4ac..7d0295f 100644
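Review bot: When `run_cmd($nfct_timeout_cmd)` fails, apply_timeout_policy reports it but still inserts both CT rules, so PREROUTING and OUTPUT end up jumping to a `--timeout` policy that was never created; a `return;` after that `print` (and after a failed `$iptables_cmd1`, ideally undoing the insert already made) is needed for the error path to mean anything. The order here is policy first, then PREROUTING, then OUTPUT, while remove_timeout_policy goes OUTPUT, PREROUTING, policy; a comment stating that the policy must exist before any rule references it, and be unreferenced before it is deleted, would make that deliberate. apply_timeout_policy begins before this hunk.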
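Review bot: `if ($self->{_protocol} = "tcp")` and `} elsif ($self->{_protocol} = "udp")` assign instead of compare, so the first branch is always taken, every rule gets ` -p tcp` appended, and `$self->{_protocol}` is overwritten with "tcp" for the rest of the call; both conditions should use `eq`, i.e. `if ($self->{_protocol} eq "tcp") {` and `} elsif ($self->{_protocol} eq "udp") {`. Protocols other than tcp and udp then fall through with no `-p` match at all, which may be intended but deserves a comment on the closing brace. The enclosing sub rule begins before this hunk.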
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -19,7 +19,7 @@ my $debug_flag = 0;
 # Enable sending debug output to syslog.
 my $syslog_flag = 0;
-my $nfct = "/opt/vyatta/sbin/nfct";
+my $nfct = "sudo /opt/vyatta/sbin/nfct";
 my ($create, $delete, $update);
 my $CTERROR = "Conntrack timeout error:";
 GetOptions("create=s" => \$create,
@@ -92,7 +92,7 @@ sub remove_timeout_policy {
 # iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -j CT --timeout policy1
 sub apply_timeout_policy {
 my ($rule_string, $timeout_policy) = @_;
- my $nfct_timeout_cmd = "$nfct timeout create $timeout_policy";
+ my $nfct_timeout_cmd = "$nfct timeout add $timeout_policy";
 my @tokens = split (' ', $timeout_policy);
 my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
 my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
-- cgit v1.2.3
From ec409015bfa33a4e33b7437f3ce7093c2b58d21a Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Fri, 16 Mar 2012 22:02:44 -0700 Subject: fixed generic timeout, udp stream->replied and other->unreplied, fixed bug with protocol string comparision --- lib/Vyatta/Conntrack/RuleCT.pm | 16 +++++++++------- scripts/vyatta-conntrack-timeouts.pl | 2 +- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'lib')
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index 5c59b93..ee52ce3 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
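Review bot: Putting `sudo` inside `$nfct` makes the whole interpolated `$nfct_timeout_cmd` run elevated through the shell that run_cmd uses, while the iptables command strings in the same file carry no `sudo`; either the script already runs as root and the prefix is redundant, or the iptables calls will fail on permissions, so both should follow the same privilege model. If elevation is genuinely needed only for nfct, keeping `$nfct` as the plain binary path and invoking it as a fixed argv (`'sudo', '/opt/vyatta/sbin/nfct', 'timeout', 'add'` followed by the policy words) through list-form `system` limits what runs as root to that program and its arguments. A comment on `$nfct` explaining why nfct in particular needs `sudo` here would also help.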
@@ -74,10 +74,14 @@ sub rule {
 Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
 exit 1;
 }
- if ($self->{_protocol} = "tcp") {
+ if ($self->{_protocol} eq "tcp") {
 $rule .= " -p tcp";
- } elsif ($self->{_protocol} = "udp") {
+ } elsif ($self->{_protocol} eq "udp") {
 $rule .= " -p udp";
+ } elsif ($self->{_protocol} eq "icmp") {
+ $rule .= " -p icmp";
+ } elsif ($self->{_protocol} eq "other") {
+ $rule .= " -p 255";
 }
 $rule .= " $srcrule $dstrule ";
 return $rule;
@@ -135,8 +139,6 @@ sub setup_base {
 $self->{_other} = $config->$val_func("protocol other");
 }
- #FIXME: AddressFilter.pm needs a change to accomodate other and
- # icmp protocols as it does port checks unconditionally.
 $src->$addr_setup("$level source");
 $src->{_protocol} = $self->{_protocol};#needed to use address filter
 if ( (($src->{_protocol} eq 'icmp') or ($src->{_protocol} eq 'other')) and (defined($src->{_port})) ) {
@@ -216,15 +218,15 @@ sub get_policy_command {
 } elsif ($self->{_protocol} eq 'udp') {
 $command .= " udp";
 if ($self->{_udp}->{_other}) {
- $command .= " other $self->{_udp}->{_other}";
+ $command .= " unreplied $self->{_udp}->{_other}";
 }
 if ($self->{_udp}->{_stream}) {
- $command .= " stream $self->{_udp}->{_stream}";
+ $command .= " replied $self->{_udp}->{_stream}";
 }
 } elsif ($self->{_protocol} eq 'icmp') {
 $command .= " icmp $self->{_icmp}";
 } elsif ($self->{_protocol} eq 'other') {
- $command .= " other $self->{_other}";
+ $command .= " generic timeout $self->{_other}";
 }
 return $command;
 }
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index 7d0295f..81e5fff 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
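Review bot: `$rule .= " -p 255";` for the `other` protocol matches only IP protocol number 255, a reserved value, rather than "any protocol other than tcp, udp and icmp" as the name and the `generic timeout` policy in the later hunk suggest, so the rule would presumably never see real traffic. If the complement is intended, iptables accepts a single `-p` per rule, so it would take either separate negated rules or attaching the policy without a protocol match; at minimum a comment on that line stating what `other` is meant to cover is needed. The enclosing sub rule begins before this hunk.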
@@ -69,7 +69,7 @@ sub remove_timeout_policy {
 # First remove the iptables rules before removing policy.
 my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
 my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
- my $nfct_timeout_cmd = "$nfct timeout remove $timeout_policy";
+ my $nfct_timeout_cmd = "$nfct timeout delete $timeout_policy";
 run_cmd($iptables_cmd2);
 if ($? >> 8) {
 # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
-- cgit v1.2.3
From 0f71f18eaec8643d8f78b95bb1657734b3f5b368 Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Sat, 17 Mar 2012 12:42:05 -0700 Subject: delete nfct fixed, use only policy name, modified deletion function --- lib/Vyatta/Conntrack/RuleCT.pm | 8 ++++++-- scripts/vyatta-conntrack-timeouts.pl | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'lib')
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index ee52ce3..bab941e 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -185,10 +185,14 @@ sub print {
 # return a string that has the nfct-timeout command to create
 # a timeout policy.
 sub get_policy_command {
- my ($self ) = @_;
+ my ($self, $is_delete) = @_;
 my $command;
 my @level_nodes = split (' ', $self->{_comment});
- $command .= "policy_$level_nodes[2]_$level_nodes[5] inet";
+ $command .= "policy_$level_nodes[2]_$level_nodes[5] ";
+ if ($is_delete eq "delete") {
+ return $command;
+ }
+ $command .= " inet";
 if ($self->{_protocol} eq 'tcp') {
 $command .= " tcp";
 if ($self->{_tcp}->{_close}) {
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index 81e5fff..8fe2e39 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
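Review bot: `if ($is_delete eq "delete")` compares an argument that any caller omitting it leaves undefined, which produces an uninitialized-value warning under `use warnings`, and the name reads as a boolean while the test is against a string; `if (defined $is_delete && $is_delete eq 'delete') {` (or renaming the parameter to a mode) makes the contract explicit. The new `"policy_$level_nodes[2]_$level_nodes[5] "` keeps a trailing space and is then followed by `" inet"`, so the add form carries a double space and the delete form a trailing one; dropping the trailing space from the first string fixes both. The comment above the sub (`# return a string that has the nfct-timeout command to create`) should also say that only the policy name is returned for delete.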
@@ -127,7 +127,7 @@ sub handle_rule_creation {
 do_protocol_check($rule);
 $node->setup("system conntrack timeout custom rule $rule");
 $rule_string = $node->rule();
- $timeout_policy = $node->get_policy_command(); #nfct-timeout command string
+ $timeout_policy = $node->get_policy_command("add"); #nfct-timeout command string
 apply_timeout_policy($rule_string, $timeout_policy);
 }
@@ -155,7 +155,7 @@ sub handle_rule_deletion {
 my ($rule_string, $timeout_policy);
 $node->setupOrig("system conntrack timeout custom rule $rule");
 $rule_string = $node->rule();
- $timeout_policy = $node->get_policy_command(); #nfct-timeout command string
+ $timeout_policy = $node->get_policy_command("delete"); #nfct-timeout command string
 remove_timeout_policy($rule_string, $timeout_policy);
 }
-- cgit v1.2.3