authorChristian Breunig <christian@breunig.cc>2024-03-16 12:32:44 +0100
committerGitHub <noreply@github.com>2024-03-16 12:32:44 +0100
commit5daebff4a5cc570f22c75e002ded8564b8e22e33 (patch)
treec20d1d171157154d535611c3a281d5df9dbbfa78
parentaea9bfb803c8943d289e939c9ec8185ffcc0985d (diff)
parent3e1e2a3e7b6f5d969819bffda2858a91132d595e (diff)
Merge pull request #3112 from Ingramz/add-rtsp-2
conntrack: T4022: add RTSP conntrack helper
-rw-r--r--data/templates/conntrack/nftables-helpers.j26
-rw-r--r--debian/control3
-rw-r--r--interface-definitions/include/firewall/conntrack-helper.xml.i6
-rw-r--r--interface-definitions/system_conntrack.xml.in6
-rwxr-xr-xsmoketest/scripts/cli/test_system_conntrack.py8
-rwxr-xr-xsrc/conf_mode/system_conntrack.py7
6 files changed, 32 insertions, 4 deletions
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
index 433931162..63a0cc855 100644
--- a/data/templates/conntrack/nftables-helpers.j2
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -31,6 +31,12 @@
}
{% endif %}
+{% if modules.rtsp is vyos_defined and ipv4 %}
+ ct helper rtsp_tcp {
+ type "rtsp" protocol tcp;
+ }
+{% endif %}
+
{% if modules.sip is vyos_defined %}
ct helper sip_tcp {
type "sip" protocol tcp;
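Review bot: The `and ipv4` part of the new `{% if modules.rtsp is vyos_defined and ipv4 %}` guard has no explanation, so a reader cannot tell from the template that the `rtsp_tcp` helper object is deliberately left out whenever `ipv4` is false. The same restriction appears as `'ipv4': True` in the `rtsp` entry added to `module_map` in src/conf_mode/system_conntrack.py, and neither place says why. I would add a template comment above the block, `{# rtsp helper is IPv4-only; keep in sync with 'ipv4': True in module_map #}`. The surrounding table definition starts and ends outside this hunk.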
diff --git a/debian/control b/debian/control
index dddc4e14c..c5a60f660 100644
--- a/debian/control
+++ b/debian/control
@@ -256,6 +256,9 @@ Depends:
# For "nat64"
jool,
# End "nat64"
+# For "system conntrack modules rtsp"
+ nat-rtsp,
+# End "system conntrack modules rtsp"
# For "system ntp"
chrony,
# End "system ntp"
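Review bot: `nat-rtsp` is added as an unversioned hard dependency, and its comment names only the CLI path, not what the package contributes. Presumably it provides the `nf_conntrack_rtsp` and `nf_nat_rtsp` modules referenced elsewhere in this commit. If so, it is kernel code that parses untrusted network payload, and it is installed on every image whether or not the helper is enabled. I would record that in the comment, e.g. `# For "system conntrack modules rtsp" (kernel modules nf_conntrack_rtsp, nf_nat_rtsp)`, so the package is easy to locate when those modules need a security update.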
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
index ee17f2c61..3ca1a0353 100644
--- a/interface-definitions/include/firewall/conntrack-helper.xml.i
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -22,6 +22,10 @@
<description>Related traffic from NFS helper</description>
</valueHelp>
<valueHelp>
+ <format>rtsp</format>
+ <description>Related traffic from RTSP helper</description>
+ </valueHelp>
+ <valueHelp>
<format>sip</format>
<description>Related traffic from SIP helper</description>
</valueHelp>
@@ -34,7 +38,7 @@
<description>Related traffic from SQLNet helper</description>
</valueHelp>
<constraint>
- <regex>(ftp|h323|pptp|nfs|sip|tftp|sqlnet)</regex>
+ <regex>(ftp|h323|pptp|nfs|rtsp|sip|tftp|sqlnet)</regex>
</constraint>
<multi/>
</properties>
diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index a348097cc..219c6e28e 100644
--- a/interface-definitions/system_conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
@@ -289,6 +289,12 @@
<valueless/>
</properties>
</leafNode>
+ <leafNode name="rtsp">
+ <properties>
+ <help>RTSP connection tracking</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<leafNode name="sip">
<properties>
<help>SIP connection tracking</help>
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index f00626b3d..2d76da145 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -174,12 +174,16 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
'pptp': {
'driver': ['nf_nat_pptp', 'nf_conntrack_pptp'],
'nftables': ['ct helper set "pptp_tcp"']
- },
+ },
+ 'rtsp': {
+ 'driver': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
+ 'nftables': ['ct helper set "rtsp_tcp"']
+ },
'sip': {
'driver': ['nf_nat_sip', 'nf_conntrack_sip'],
'nftables': ['ct helper set "sip_tcp"',
'ct helper set "sip_udp"']
- },
+ },
'sqlnet': {
'nftables': ['ct helper set "tns_tcp"']
},
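Review bot: The new `rtsp` entry asserts only that `ct helper set "rtsp_tcp"` appears in the ruleset, so the test would still pass if the helper were attached to a wider port set than the `tcp dport {554}` that `module_map` configures. Including the port match in the expected string would pin that, for example `'nftables': ['tcp dport 554 ct helper set "rtsp_tcp"']`, assuming the check is a substring search of the listing and nft prints the single-element set that way. The two `},` lines changed in this hunk differ only in whitespace and are unrelated to RTSP. The dictionary and its test method start outside the hunk.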
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index 2a55daed4..a1472aaaa 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -58,6 +58,11 @@ module_map = {
'nftables': ['tcp dport {1723} ct helper set "pptp_tcp" return'],
'ipv4': True
},
+ 'rtsp': {
+ 'ko': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
+ 'nftables': ['tcp dport {554} ct helper set "rtsp_tcp" return'],
+ 'ipv4': True
+ },
'sip': {
'ko': ['nf_nat_sip', 'nf_conntrack_sip'],
'nftables': ['tcp dport {5060,5061} ct helper set "sip_tcp" return',
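Review bot: The `rtsp` entry carries no comment on what enabling it changes for the firewall. The helper is attached only to `tcp dport {554}`, so RTSP control connections on any other port are not inspected. The flows it does follow are what firewall rules will see as "Related traffic from RTSP helper", the description added in conntrack-helper.xml.i. I would add above the entry `# RTSP ALG: attached to TCP/554 only; flows it negotiates are matched as related traffic`. `module_map` starts before this hunk and continues after it.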
@@ -195,7 +200,7 @@ def generate(conntrack):
def apply(conntrack):
# Depending on the enable/disable state of the ALG (Application Layer Gateway)
# modules we need to either insmod or rmmod the helpers.
-
+
add_modules = []
rm_modules = []