From 30e0a9401a49c21318403cdc9e6c3689f757ebbf Mon Sep 17 00:00:00 2001 
From: Gaurav Sinha Date: Wed, 1 Feb 2012 16:21:28 -0800 Subject: Initial commit for per-flow timeout CLI (cherry picked from commit f7fc0b920516ecf03a7dcf3e73f39513d8fcfc1c) --- .../system/conntrack/timeout/custom/node.def | 1 + .../system/conntrack/timeout/custom/rule/node.def | 9 +++++++++ .../custom/rule/node.tag/description/node.def | 3 +++ .../rule/node.tag/destination/address/node.def | 10 ++++++++++ .../destination/group/address-group/node.def | 9 +++++++++ .../destination/group/network-group/node.def | 8 ++++++++ .../rule/node.tag/destination/group/node.def | 1 + .../node.tag/destination/group/port-group/node.def | 8 ++++++++ .../custom/rule/node.tag/destination/node.def | 1 + .../custom/rule/node.tag/destination/port/node.def | 10 ++++++++++ .../timeout/custom/rule/node.tag/protocol/node.def | 22 ++++++++++++++++++++++ .../custom/rule/node.tag/source/address/node.def | 8 ++++++++ .../node.tag/source/group/address-group/node.def | 8 ++++++++ .../node.tag/source/group/network-group/node.def | 8 ++++++++ .../custom/rule/node.tag/source/group/node.def | 1 + .../rule/node.tag/source/group/port-group/node.def | 8 ++++++++ .../rule/node.tag/source/mac-address/node.def | 3 +++ .../timeout/custom/rule/node.tag/source/node.def | 1 + .../custom/rule/node.tag/source/port/node.def | 8 ++++++++ 19 files changed, 127 insertions(+) create mode 100644 templates-cfg/system/conntrack/timeout/custom/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def create mode 100644 
templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def (limited to 'templates-cfg')
diff --git a/templates-cfg/system/conntrack/timeout/custom/node.def b/templates-cfg/system/conntrack/timeout/custom/node.def
new file mode 100644
index 0000000..c8e5841
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/node.def
@@ -0,0 +1 @@
+help: Define custom timeouts per flow
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.def
new file mode 100644
index 0000000..c31dfbd
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.def
@@ -0,0 +1,9 @@
+tag:
+
+type: u32
+
+help: Rule number (1-9999)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999"
+
+val_help: u32:1-9999; Rule number
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def
new file mode 100644
index 0000000..90bf88b
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Rule description
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..83d7514
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination IP address, subnet, or range
+
+val_help: ipv4; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range; IP range to match
+val_help: !ipv4; Match everything except the specified address
+val_help: !ipv4net; Match everything except the specified subnet
+val_help: !ipv4range; Match everything except the specified range
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def
new file mode 100644
index 0000000..07e791c
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+
+allowed: cli-shell-api listActiveNodes firewall group address-group
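Review bot: The destination/address node in this hunk is `type: txt` with six `val_help` entries but no `syntax:expression`, so any string is accepted and stored without being checked against the forms the help text advertises; the same gap is in the source/address, destination/port and source/port nodes of this commit. The protocol and mac-address nodes in the same commit do validate through `/opt/vyatta/sbin/vyatta-validate-type.pl`, so the address and port nodes should get the matching check rather than relying on whatever later consumes the value, e.g. `syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl <ADDRESS_TYPE_PLACEHOLDER> '$VAR(@)'" ; "invalid address \"$VAR(@)\""` with the negatable IPv4 type names the validator supports substituted for the placeholder. If validation is deliberately deferred to the script that will consume these rules, a one-line comment on the node saying so would keep the next reader from assuming the value has been checked.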
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def
new file mode 100644
index 0000000..bf018a0
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def
new file mode 100644
index 0000000..bb11dae
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def
@@ -0,0 +1 @@
+help: Destination group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def
new file mode 100644
index 0000000..865d2c5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..dc227b7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Destination parameters
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..2b2d8c7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination port
+
+val_help: ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple destination ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..1f235f7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
@@ -0,0 +1,22 @@
+type: txt
+
+help: Protocol to match (protocol name in /etc/protocols or protocol number or "all")
+
+val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
+val_help: u32:0-255; IP protocol number
+val_help: tcp_udp; Both TCP and UDP
+val_help: all; All IP protocols
+val_help: !; All IP protocols except for the specified name or number
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
+ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
+ protos="all $protos tcp_udp"
+ echo -n $protos
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..72d6a17
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Source IP address, subnet, or range
+val_help: ipv4; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range; IP range to match
+val_help: !ipv4; Match everything except the specified address
+val_help: !ipv4net; Match everything except the specified subnet
+val_help: !ipv4range; Match everything except the specified range
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def
new file mode 100644
index 0000000..97c748d
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def
new file mode 100644
index 0000000..bf018a0
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def
new file mode 100644
index 0000000..7b36071
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def
@@ -0,0 +1 @@
+help: Source group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def
new file mode 100644
index 0000000..865d2c5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..ad07881
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def
new file mode 100644
index 0000000..84cdc1f
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Source parameters
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..adfae7a
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Source port
+val_help: ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple source ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
-- cgit v1.2.3
From b5e891c97c391f7a6b20c7676883dd9b1e894ef4 Mon Sep 17 00:00:00 2001
From: Gaurav Sinha Date: Wed, 1 Feb 2012 16:34:36 -0800 Subject: Removed unwanted address-group/network group etc. from CLI (cherry picked from commit 50f07ece2595c05179e8ccffa5dd2b28fc8cfc99) --- .../rule/node.tag/destination/group/address-group/node.def | 9 --------- .../rule/node.tag/destination/group/network-group/node.def | 8 -------- .../timeout/custom/rule/node.tag/destination/group/node.def | 1 - .../custom/rule/node.tag/destination/group/port-group/node.def | 8 -------- .../custom/rule/node.tag/source/group/address-group/node.def | 8 -------- .../custom/rule/node.tag/source/group/network-group/node.def | 8 -------- .../conntrack/timeout/custom/rule/node.tag/source/group/node.def | 1 - .../custom/rule/node.tag/source/group/port-group/node.def | 8 -------- .../timeout/custom/rule/node.tag/source/mac-address/node.def | 3 --- 9 files changed, 54 deletions(-) delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def delete mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def (limited to 'templates-cfg') 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def
deleted file mode 100644
index 07e791c..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-type: txt
-help: Group of addresses
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=address;"
-
-allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def
deleted file mode 100644
index bf018a0..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of networks
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=network;"
-allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def
deleted file mode 100644
index bb11dae..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Destination group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def
deleted file mode 100644
index 865d2c5..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of ports
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=port;"
-allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def
deleted file mode 100644
index 97c748d..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of addresses
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=address;"
-allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def
deleted file mode 100644
index bf018a0..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of networks
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=network;"
-allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def
deleted file mode 100644
index 7b36071..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Source group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def
deleted file mode 100644
index 865d2c5..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of ports
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=port;"
-allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def
deleted file mode 100644
index ad07881..0000000
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Source MAC address
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
-- cgit v1.2.3
From fe3908e77451c419c9e4b8351cb72cde9c875312 Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Mon, 6 Feb 2012 17:19:00 -0800 Subject: adding an initial version of conntrack-timeouts script (cherry picked from commit 8235f2a9a3b3e1a5a289c4365d809bb09f941ee4) --- Makefile.am | 1 + templates-cfg/system/conntrack/timeout/custom/node.def | 12 ++++++++++++ templates-cfg/system/conntrack/timeout/custom/rule/node.def | 2 +- 3 files changed, 14 insertions(+), 1 deletion(-) (limited to 'templates-cfg')
diff --git a/Makefile.am b/Makefile.am
index 46e3603..1e53937 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,6 +21,7 @@ sbin_SCRIPTS = scripts/vyatta-update-conntrack-log.pl
 bin_sudo_usersdir = $(bindir)/sudo-users
 bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
+bin_sudo_users_SCRIPTS += scripts/vyatta-conntrack-timeouts.pl
 curver_DATA = cfg-version/conntrack@1
diff --git a/templates-cfg/system/conntrack/timeout/custom/node.def b/templates-cfg/system/conntrack/timeout/custom/node.def
index c8e5841..7967ead 100644
--- a/templates-cfg/system/conntrack/timeout/custom/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/node.def
@@ -1 +1,13 @@
 help: Define custom timeouts per flow
+end: if sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --update 'true';
+ then
+ if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --delete 'true';
+ fi
+ else
+ exit 1;
+ fi
+
+create: sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --create 'true'
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.def
index c31dfbd..077603e 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.def
@@ -4,6 +4,6 @@ type: u32
 help: Rule number (1-9999)
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999"
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "Custom timeout rule number must be between 1 and 9999"
 val_help: u32:1-9999; Rule number
-- cgit v1.2.3
From a78433c8796593aad8e18be6216ea007d08dcaff Mon Sep 17 00:00:00 2001
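Review bot: `if [ ${COMMIT_ACTION} = 'DELETE' ] ;` in the new `end:` block of templates-cfg/system/conntrack/timeout/custom/node.def leaves the variable unquoted, so if COMMIT_ACTION is empty or unset `[` receives `= DELETE`, reports a syntax error and the hook falls through rather than taking the else path; write `if [ "${COMMIT_ACTION}" = 'DELETE' ] ;`. The `--update 'true'` call also runs first on every commit, including a delete, so on DELETE the script is asked to update state that is about to be removed; if that ordering is intentional a comment on the `end:` line would help, otherwise test the action before calling `--update`. Both calls go through `sudo`, so any failure detail the script prints is the only diagnostic the operator gets; the bare `exit 1;` in the else branch could be preceded by an `echo` naming which call failed.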
From: Gaurav Sinha Date: Tue, 14 Feb 2012 15:23:28 -0800 Subject: timeouts script, and new nodes (cherry picked from commit e49e60bca2262760575b2a4b488e6acfe1dc0cb6) --- scripts/vyatta-conntrack-timeouts.pl | 34 ++++++++++++++++++++++ .../custom/rule/node.tag/protocol/icmp/node.def | 10 +++++++ .../timeout/custom/rule/node.tag/protocol/node.def | 22 +------------- .../custom/rule/node.tag/protocol/other/node.def | 10 +++++++ .../rule/node.tag/protocol/tcp/close-wait/node.def | 13 +++++++++ .../rule/node.tag/protocol/tcp/close/node.def | 13 +++++++++ .../node.tag/protocol/tcp/established/node.def | 13 +++++++++ .../rule/node.tag/protocol/tcp/fin-wait/node.def | 13 +++++++++ .../rule/node.tag/protocol/tcp/last-ack/node.def | 13 +++++++++ .../custom/rule/node.tag/protocol/tcp/node.def | 1 + .../rule/node.tag/protocol/tcp/syn-recv/node.def | 13 +++++++++ .../rule/node.tag/protocol/tcp/syn-sent/node.def | 13 +++++++++ .../rule/node.tag/protocol/tcp/time-wait/node.def | 13 +++++++++ .../custom/rule/node.tag/protocol/udp/node.def | 1 + .../rule/node.tag/protocol/udp/other/node.def | 10 +++++++ .../rule/node.tag/protocol/udp/stream/node.def | 10 +++++++ 16 files changed, 181 insertions(+), 21 deletions(-) create mode 100644 scripts/vyatta-conntrack-timeouts.pl create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def create mode 100644 
templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def (limited to 'templates-cfg')
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
new file mode 100644
index 0000000..7725a3b
--- /dev/null
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -0,0 +1,34 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::IpTables::Rule;
+use Vyatta::IpTables::AddressFilter;
+use Vyatta::IpTables::Mgr;
+use Getopt::Long;
+use Vyatta::Zone;
+use Sys::Syslog qw(:standard :macros);
+
+my ($create, $delete, $update);
+
+GetOptions("create=s" => \$create,
+ "delete=s" => \$delete,
+ "update=s" => \$update,
+);
+
+if ($create and ($create eq 'true')) {
+ print "create\n";
+ # create a nfct-timeout policy based on protocol specific timers
+ # check if the rule has protocol configured
+ # if configured, check what the protocol is and get the appropriate timers.
+}
+
+if ($delete and ($delete eq 'true')) {
+ print "delete";
+}
+if ($update and ($update eq 'true')) {
+ print "update";
+}
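Review bot: The `GetOptions(...)` call in scripts/vyatta-conntrack-timeouts.pl discards its return value, so an unrecognised or malformed option only produces a warning and the script continues with every flag unset and exits 0; since the Makefile.am hunk in the previous commit installs this file under `sudo-users` and the templates invoke it through `sudo`, argument-handling failures should be loud: `GetOptions("create=s" => \$create, "delete=s" => \$delete, "update=s" => \$update) or die "invalid arguments\n";`. Five of the `use` lines (Vyatta::IpTables::Rule, Vyatta::IpTables::AddressFilter, Vyatta::IpTables::Mgr, Vyatta::Zone, Sys::Syslog) are not referenced anywhere in this version, and `print "delete"` / `print "update"` lack the newline that `print "create\n"` has. The three handlers only print, which matches the commit subject, but a short header comment stating that --create/--delete/--update are placeholders not yet wired to nfct would make that explicit to whoever connects the templates to it.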
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
new file mode 100644
index 0000000..2997e58
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: ICMP timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; ICMP timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
index 1f235f7..6fffc43 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
@@ -1,22 +1,2 @@
-type: txt
+help: Customize protocol specific timers
-help: Protocol to match (protocol name in /etc/protocols or protocol number or "all")
-
-val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
-val_help: u32:0-255; IP protocol number
-val_help: tcp_udp; Both TCP and UDP
-val_help: all; All IP protocols
-val_help: !; All IP protocols except for the specified name or number
-
-syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
- && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
- echo invalid protocol \"$VAR(@)\" ; \
- exit 1 ; \
- fi ; "
-
-# Provide some help for command completion. Doesn't return negated
-# values or protocol numbers
-allowed:
- protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
- protos="all $protos tcp_udp"
- echo -n $protos
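Review bot: The icmp node in this hunk (and the protocol/other node in the next) declares `default: 30`, a range check and `val_help`, but unlike the tcp/* nodes added in the same commit it has no `update:`/`delete:` action, and the script added in this commit only prints, so as committed nothing applies a configured ICMP timeout. If the tcp sysctl approach is the model, the same pattern would need the ICMP and generic conntrack timeout knobs; if the script is meant to consume these values instead, a one-line comment on the node saying `# applied by vyatta-conntrack-timeouts.pl, no sysctl action here` would stop the asymmetry with the tcp nodes from reading as an omission.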
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
new file mode 100644
index 0000000..5653056
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: Generic connection timeout in seconds
+
+default: 600
+
+val_help: u32:1-21474836; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
new file mode 100644
index 0000000..0491b68
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE-WAIT timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
new file mode 100644
index 0000000..38317d5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
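Review bot: `update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)` in the tcp/close-wait node sits under `rule/node.tag`, i.e. a per-rule setting, yet it writes the system-wide kernel timeout, so two rules with different values silently overwrite each other and whichever commits last wins; the tcp/close, tcp/established, tcp/fin-wait, tcp/last-ack and tcp/syn-recv nodes in the following hunks do the same. The `delete:` line restores a hard-coded 60 rather than whatever the sysctl held before the rule existed, so removing one rule can also clobber a value an operator set outside this CLI. Either these timers belong on a global node rather than under `rule`, or the per-rule value should be applied through the conntrack-timeouts script that the `end:` hook in custom/node.def already calls, which is what the "per-flow timeout" wording of the first commit suggests; at minimum a comment on the `update:` line should state that the value is global. The range check in `syntax:expression` does bound `$VAR(@)` to an integer before it reaches the `sudo sysctl` command line, so the interpolation itself is fine.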
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE timeout in seconds
+
+default: 10
+
+val_help: u32:1-21474836; TCP CLOSE timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
new file mode 100644
index 0000000..9e47f1e
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP ESTABLISHED timeout in seconds
+
+default: 432000
+
+val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
new file mode 100644
index 0000000..985a6a4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP FIN-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
new file mode 100644
index 0000000..3e07fe4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP LAST-ACK timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
new file mode 100644
index 0000000..2b67c51
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
@@ -0,0 +1 @@
+help: TCP connection timeout options
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
new file mode 100644
index 0000000..50c5512
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-RECEIVED timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
new file mode 100644
index 0000000..5856ba7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-SENT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
new file mode 100644
index 0000000..f6bd1c8
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP TIME-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
new file mode 100644
index 0000000..7ee8fd3
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
@@ -0,0 +1 @@
+help: UDP timeout
\ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
new file mode 100644
index 0000000..c0c1824
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: UDP generic timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; UDP generic timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
new file mode 100644
index 0000000..0670477
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
@@ -0,0 +1,10 @@
+type: u32
+
+help: UDP stream timeout in seconds
+
+default: 180
+
+val_help: u32:1-21474836; UDP stream timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
-- cgit v1.2.3
From 821ec86eba3cef12188c060f1813aa3989b3b9f7 Mon Sep 17 00:00:00 2001
From: Gaurav Date: Wed, 22 Feb 2012 17:08:47 -0800 Subject: Fixing templates to avoid defaults since these rules override the global defaults (cherry picked from commit d94051fce5433de66860d762fc0a7aa7186564d9)
---
 .../timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/close/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/established/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def | 5 ----- .../timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def | 5 ----- 8 files changed, 40 deletions(-) (limited to 'templates-cfg')
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
index 0491b68..c8b12d7 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP CLOSE-WAIT timeout in seconds
 
-default: 60
-
 val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
index 38317d5..fc6929f 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP CLOSE timeout in seconds
 
-default: 10
-
 val_help: u32:1-21474836; TCP CLOSE timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
index 9e47f1e..9acfd15 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP ESTABLISHED timeout in seconds
 
-default: 432000
-
 val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
index 985a6a4..f11f16b 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP FIN-WAIT timeout in seconds
 
-default: 120
-
 val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
index 3e07fe4..1beb31f 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP LAST-ACK timeout in seconds
 
-default: 30
-
 val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
index 50c5512..6d98386 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP SYN-RECEIVED timeout in seconds
 
-default: 60
-
 val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
index 5856ba7..3343bdb 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP SYN-SENT timeout in seconds
 
-default: 120
-
 val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
index f6bd1c8..1342cc5 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
@@ -2,12 +2,7 @@ type: u32
 
 help: TCP TIME-WAIT timeout in seconds
 
-default: 120
-
 val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
 
-update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
-
-delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120
-- cgit v1.2.3
From 953d1039cbf8fb42ee5140c3a09ba7e6915008da Mon Sep 17 00:00:00 2001
From: Gaurav Date: Thu, 23 Feb 2012 09:57:17 -0800 Subject: Fixing nfct-command string:only modified timer is included in the command (cherry picked from commit 9e17315753bb98c677ec5b11c9e52f6a9f5d80a8)
---
 lib/Vyatta/Conntrack/RuleCT.pm | 43 ++++++++++++++++------ .../rule/node.tag/protocol/tcp/syn-sent/node.def | 1 - 2 files changed, 31 insertions(+), 13 deletions(-) (limited to 'templates-cfg')
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index 5071087..594c784 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -143,7 +143,6 @@ sub print {
 print "$self->{_tcp}->{_fin_wait}\n";
 print "$self->{_tcp}->{_syn_sent}\n";
 print "$self->{_tcp}->{_syn_recv}\n";
- print "Comment is: $self->{_comment}\n";
 }
 
 # return a string that has the nfct-timeout command to create
@@ -152,21 +151,41 @@ sub get_policy_command {
 my ($self ) = @_;
 my $command;
 my @level_nodes = split (' ', $self->{_comment});
- $command .= "policy$level_nodes[2]-$level_nodes[5]";
+ $command .= "policy_$level_nodes[2]_$level_nodes[5]";
 if ($self->{_protocol} eq 'tcp') {
 $command .= " tcp";
- $command .= " close $self->{_tcp}->{_close}";
- $command .= " close-wait $self->{_tcp}->{_close_wait}";
- $command .= " time-wait $self->{_tcp}->{_time_wait}";
- $command .= " syn-recv $self->{_tcp}->{_syn_recv}";
- $command .= " syn-sent $self->{_tcp}->{_syn_sent}";
- $command .= " last-ack $self->{_tcp}->{_last_ack}";
- $command .= " fin-wait $self->{_tcp}->{_fin_wait}";
- $command .= " established $self->{_tcp}->{_established}";
+ if ($self->{_tcp}->{_close}) {
+ $command .= " close $self->{_tcp}->{_close}";
+ }
+ if ($self->{_tcp}->{_close_wait}) {
+ $command .= " close-wait $self->{_tcp}->{_close_wait}";
+ }
+ if ($self->{_tcp}->{_time_wait}) {
+ $command .= " time-wait $self->{_tcp}->{_time_wait}";
+ }
+ if ($self->{_tcp}->{_syn_recv}) {
+ $command .= " syn-recv $self->{_tcp}->{_syn_recv}";
+ }
+ if ($self->{_tcp}->{_syn_sent}) {
+ $command .= " syn-sent $self->{_tcp}->{_syn_sent}";
+ }
+ if ($self->{_tcp}->{_last_ack}) {
+ $command .= " last-ack $self->{_tcp}->{_last_ack}";
+ }
+ if ($self->{_tcp}->{_fin_wait}) {
+ $command .= " fin-wait $self->{_tcp}->{_fin_wait}";
+ }
+ if ($self->{_tcp}->{_established}) {
+ $command .= " established $self->{_tcp}->{_established}";
+ }
 } elsif ($self->{_protocol} eq 'udp') {
 $command .= " udp";
- $command .= " other $self->{_udp}->{_other}";
- $command .= " stream $self->{_udp}->{_stream}";
+ if ($self->{_udp}->{_other}) {
+ $command .= " other $self->{_udp}->{_other}";
+ }
+ if ($self->{_udp}->{_stream}) {
+ $command .= " stream $self->{_udp}->{_stream}";
+ }
 } elsif ($self->{_protocol} eq 'icmp') {
 $command .= " icmp";
 $command .= " icmp $self->{_icmp}";
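Review bot: The icmp branch at the end of the hunk still appends `$self->{_icmp}` unconditionally, while every tcp and udp timer is now wrapped in an `if`, so an icmp rule with no timer set would emit ` icmp` followed by an empty value instead of omitting the token; `if ($self->{_icmp}) { $command .= " icmp $self->{_icmp}"; }` would make it consistent with the rest of the change. The new guards test truthiness rather than `defined`, which only works because the templates on this page constrain every timer to 1..21474836 so a configured 0 cannot occur — a short comment saying so would stop a later reader from "fixing" it. The policy name is built from `$level_nodes[2]` and `$level_nodes[5]` of the split `_comment` with no check that the array is that long; an unexpected comment silently yields `policy__`, and since the comment above this sub says the string becomes an nfct-timeout command, a `defined` check that dies would fail closed rather than create a policy with a bogus name. get_policy_command continues past the end of the hunk.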
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
index 3343bdb..c5edde3 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
@@ -5,4 +5,3 @@ help: TCP SYN-SENT timeout in seconds
 val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-
-- cgit v1.2.3
From a3b4d1895d26436a98475dd2588c700d7541eff0 Mon Sep 17 00:00:00 2001
From: Gaurav Date: Thu, 23 Feb 2012 10:12:46 -0800 Subject: Removed default timeouts for override udp/icmp/other, fixed minor bugs (cherry picked from commit 57353c5720699e641d2ab85a0ed8a9eae09520e7)
---
 .../conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def | 2 -- .../conntrack/timeout/custom/rule/node.tag/protocol/other/node.def | 2 -- .../conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def | 2 -- .../conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def | 2 -- 4 files changed, 8 deletions(-) (limited to 'templates-cfg')
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
index 2997e58..5fd267f 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
@@ -2,8 +2,6 @@ type: u32
 
 help: ICMP timeout in seconds
 
-default: 30
-
 val_help: u32:1-21474836; ICMP timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
index 5653056..7a7ae98 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
@@ -2,8 +2,6 @@ type: u32
 
 help: Generic connection timeout in seconds
 
-default: 600
-
 val_help: u32:1-21474836; Generic connection timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
index c0c1824..b71294c 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
@@ -2,8 +2,6 @@ type: u32
 
 help: UDP generic timeout in seconds
 
-default: 30
-
 val_help: u32:1-21474836; UDP generic timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
index 0670477..31830e1 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
@@ -2,8 +2,6 @@ type: u32
 
 help: UDP stream timeout in seconds
 
-default: 180
-
 val_help: u32:1-21474836; UDP stream timeout in seconds
 
 syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
-- cgit v1.2.3
From 86524b38252bfcc4f143247947adbd280d98a222 Mon Sep 17 00:00:00 2001
From: Gaurav Date: Mon, 27 Feb 2012 11:59:10 -0800 Subject: Updated help strings to avoid confusion with global timeouts (cherry picked from commit a9d6f31725efc5fa28af0b9df00b277054a5f45f)
---
 .../conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def | 2 +- .../system/conntrack/timeout/custom/rule/node.tag/protocol/node.def | 2 +- .../conntrack/timeout/custom/rule/node.tag/protocol/other/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def | 2 +- .../conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/established/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def | 2 +- .../system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def | 2 +- .../timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def | 2 +- .../system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def | 2 +- .../conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def | 2 +- .../conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) (limited to 'templates-cfg')
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
index 5fd267f..1adf950 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: ICMP timeout in seconds
+help: ICMP timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; ICMP timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
index 6fffc43..7f26da6 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
@@ -1,2 +1,2 @@
-help: Customize protocol specific timers
+help: Customize protocol specific timers, one protocol configuration per rule
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
index 7a7ae98..09c433f 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: Generic connection timeout in seconds
+help: Generic connection timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; Generic connection timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
index c8b12d7..a998533 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP CLOSE-WAIT timeout in seconds
+help: TCP CLOSE-WAIT timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
index fc6929f..ce41b0f 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP CLOSE timeout in seconds
+help: TCP CLOSE timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP CLOSE timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
index 9acfd15..6ebaae5 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP ESTABLISHED timeout in seconds
+help: TCP ESTABLISHED timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
index f11f16b..1b25e89 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP FIN-WAIT timeout in seconds
+help: TCP FIN-WAIT timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
index 1beb31f..3d99efe 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP LAST-ACK timeout in seconds
+help: TCP LAST-ACK timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
index 2b67c51..bd0e39c 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
@@ -1 +1 @@
-help: TCP connection timeout options
\ No newline at end of file
+help: TCP connection per flow timeout options
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
index 6d98386..070a185 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP SYN-RECEIVED timeout in seconds
+help: TCP SYN-RECEIVED timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
index c5edde3..87a69e0 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP SYN-SENT timeout in seconds
+help: TCP SYN-SENT timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
index 1342cc5..ef9ed4f 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
@@ -1,6 +1,6 @@
 type: u32
 
-help: TCP TIME-WAIT timeout in seconds
+help: TCP TIME-WAIT timeout for matching flow(s) in seconds
 
 val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
 
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
index 7ee8fd3..6a1e149 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
@@ -1 +1 @@
-help: UDP timeout
\ No newline at end of file
+help: UDP per flow timeout configuration options
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
index b71294c..3c3e2ec 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: UDP generic timeout in seconds
+help: UDP generic timeout for matching flow(s) in seconds
 val_help: u32:1-21474836; UDP generic timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
index 31830e1..7bb8619 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: UDP stream timeout in seconds
+help: UDP stream timeout for matching flow(s) in seconds
 val_help: u32:1-21474836; UDP stream timeout in seconds
-- 
cgit v1.2.3
From 0b89edb15676df97868d853aea1128ab6401f17f Mon Sep 17 00:00:00 2001
From: Gaurav
Date: Mon, 27 Feb 2012 14:20:01 -0800
Subject: Using connection instead of flow to refer to 5 tuple in help strings
(cherry picked from commit 43bf1c43f253f67ff195b0bd831d6903d2ddcefe)
---
 templates-cfg/system/conntrack/timeout/custom/node.def | 2 +-
 .../conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def | 2 +-
 .../conntrack/timeout/custom/rule/node.tag/protocol/other/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def | 2 +-
 .../conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/established/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def | 2 +-
 .../system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def | 2 +-
 .../timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def | 2 +-
 .../system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def | 2 +-
 .../conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def | 2 +-
 .../conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def | 2 +-
 15 files changed, 15 insertions(+), 15 deletions(-)
(limited to 'templates-cfg')
diff --git a/templates-cfg/system/conntrack/timeout/custom/node.def b/templates-cfg/system/conntrack/timeout/custom/node.def
index 7967ead..94039fe 100644
--- a/templates-cfg/system/conntrack/timeout/custom/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/node.def
@@ -1,4 +1,4 @@
-help: Define custom timeouts per flow
+help: Define custom timeouts per connection
 end: if sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl --update 'true'; then
 if [ ${COMMIT_ACTION} = 'DELETE' ] ;
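Review bot: `${COMMIT_ACTION}` in the `end:` action of custom/node.def is expanded unquoted inside `[ ... ]`, so if the variable is ever unset or empty the test degenerates to `[ = 'DELETE' ]` and the shell reports a syntax error rather than evaluating to false; write it as `if [ "${COMMIT_ACTION}" = 'DELETE' ] ;`. This is worth fixing because the same action runs a privileged helper via sudo on every commit of this node, so a commit hook that fails for an incidental shell error is harder to reason about and to detect than one whose branches are all explicit. The `end:` script continues past the end of the hunk, so the branch bodies that follow this test are not visible here; the commit itself only changes the help string and the surrounding lines are pre-existing context.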
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
index 1adf950..16c9224 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: ICMP timeout for matching flow(s) in seconds
+help: ICMP timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; ICMP timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
index 09c433f..4d50136 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: Generic connection timeout for matching flow(s) in seconds
+help: Generic connection timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; Generic connection timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
index a998533..7b9b089 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP CLOSE-WAIT timeout for matching flow(s) in seconds
+help: TCP CLOSE-WAIT timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
index ce41b0f..c37bb68 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP CLOSE timeout for matching flow(s) in seconds
+help: TCP CLOSE timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP CLOSE timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
index 6ebaae5..dfc575d 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP ESTABLISHED timeout for matching flow(s) in seconds
+help: TCP ESTABLISHED timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
index 1b25e89..4514d6a 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP FIN-WAIT timeout for matching flow(s) in seconds
+help: TCP FIN-WAIT timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
index 3d99efe..5c1cc25 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP LAST-ACK timeout for matching flow(s) in seconds
+help: TCP LAST-ACK timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
index bd0e39c..2d58f9c 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def
@@ -1 +1 @@
-help: TCP connection per flow timeout options
+help: TCP per connection timeout options
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
index 070a185..a9c5a57 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP SYN-RECEIVED timeout for matching flow(s) in seconds
+help: TCP SYN-RECEIVED timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
index 87a69e0..af71067 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP SYN-SENT timeout for matching flow(s) in seconds
+help: TCP SYN-SENT timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
index ef9ed4f..1b85ba1 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: TCP TIME-WAIT timeout for matching flow(s) in seconds
+help: TCP TIME-WAIT timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
index 6a1e149..321f684 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def
@@ -1 +1 @@
-help: UDP per flow timeout configuration options
+help: UDP per connection timeout configuration options
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
index 3c3e2ec..abfdc7e 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: UDP generic timeout for matching flow(s) in seconds
+help: UDP generic timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; UDP generic timeout in seconds
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
index 7bb8619..431c94a 100644
--- a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def
@@ -1,6 +1,6 @@
 type: u32
-help: UDP stream timeout for matching flow(s) in seconds
+help: UDP stream timeout for matching connection(s) in seconds
 val_help: u32:1-21474836; UDP stream timeout in seconds
-- 
cgit v1.2.3