author | Christian Breunig <christian@breunig.cc> | 2024-03-16 12:32:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-16 12:32:44 +0100 |
commit | 5daebff4a5cc570f22c75e002ded8564b8e22e33 (patch) | |
tree | c20d1d171157154d535611c3a281d5df9dbbfa78 | |
parent | aea9bfb803c8943d289e939c9ec8185ffcc0985d (diff) | |
parent | 3e1e2a3e7b6f5d969819bffda2858a91132d595e (diff) | |
Merge pull request #3112 from Ingramz/add-rtsp-2
conntrack: T4022: add RTSP conntrack helper
-rw-r--r-- | data/templates/conntrack/nftables-helpers.j2 | 6 | ||||
-rw-r--r-- | debian/control | 3 | ||||
-rw-r--r-- | interface-definitions/include/firewall/conntrack-helper.xml.i | 6 | ||||
-rw-r--r-- | interface-definitions/system_conntrack.xml.in | 6 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_system_conntrack.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/system_conntrack.py | 7 |
6 files changed, 32 insertions, 4 deletions
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
index 433931162..63a0cc855 100644
--- a/data/templates/conntrack/nftables-helpers.j2
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -31,6 +31,12 @@
 }
 {% endif %}
 
+{% if modules.rtsp is vyos_defined and ipv4 %}
+ ct helper rtsp_tcp {
+ type "rtsp" protocol tcp;
+ }
+{% endif %}
+
 {% if modules.sip is vyos_defined %}
 ct helper sip_tcp {
 type "sip" protocol tcp;
diff --git a/debian/control b/debian/control
index dddc4e14c..c5a60f660 100644
--- a/debian/control
+++ b/debian/control
@@ -256,6 +256,9 @@ Depends:
 # For "nat64"
 jool,
 # End "nat64"
+# For "system conntrack modules rtsp"
+ nat-rtsp,
+# End "system conntrack modules rtsp"
 # For "system ntp"
 chrony,
 # End "system ntp"
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
index ee17f2c61..3ca1a0353 100644
--- a/interface-definitions/include/firewall/conntrack-helper.xml.i
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -22,6 +22,10 @@
 <description>Related traffic from NFS helper</description>
 </valueHelp>
 <valueHelp>
+ <format>rtsp</format>
+ <description>Related traffic from RTSP helper</description>
+ </valueHelp>
+ <valueHelp>
 <format>sip</format>
 <description>Related traffic from SIP helper</description>
 </valueHelp>
@@ -34,7 +38,7 @@
 <description>Related traffic from SQLNet helper</description>
 </valueHelp>
 <constraint>
- <regex>(ftp|h323|pptp|nfs|sip|tftp|sqlnet)</regex>
+ <regex>(ftp|h323|pptp|nfs|rtsp|sip|tftp|sqlnet)</regex>
 </constraint>
 <multi/>
 </properties>
diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index a348097cc..219c6e28e 100644
--- a/interface-definitions/system_conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
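Review bot: In data/templates/conntrack/nftables-helpers.j2 the new `rtsp_tcp` helper object is gated on `ipv4`, but nothing in the template says why the IPv6 table gets no RTSP helper. The restriction matches the `'ipv4': True` flag on the `rtsp` entry added to module_map in src/conf_mode/system_conntrack.py, presumably because the helper modules handle IPv4 only. I would put a Jinja comment above the block, for example `{# RTSP helper is IPv4-only; keep in sync with module_map['rtsp'] in system_conntrack.py #}`, so the two places are not changed independently later.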
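Review bot: In debian/control, `nat-rtsp` is added to Depends without a version constraint, so it is installed on every system whether or not `system conntrack modules rtsp` is ever configured. The RTSP helper is not one of the in-tree netfilter helpers, so this package presumably ships separately built kernel modules (`nf_conntrack_rtsp`, `nf_nat_rtsp`) that parse network payload in kernel context. The comment block should record that, for example `# For "system conntrack modules rtsp" (out-of-tree kernel module, must match the image kernel)`, and a version bound would make the pairing with the kernel explicit. The Depends list continues outside the hunk.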
@@ -289,6 +289,12 @@
 <valueless/>
 </properties>
 </leafNode>
+ <leafNode name="rtsp">
+ <properties>
+ <help>RTSP connection tracking</help>
+ <valueless/>
+ </properties>
+ </leafNode>
 <leafNode name="sip">
 <properties>
 <help>SIP connection tracking</help>
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index f00626b3d..2d76da145 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -174,12 +174,16 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
 'pptp': {
 'driver': ['nf_nat_pptp', 'nf_conntrack_pptp'],
 'nftables': ['ct helper set "pptp_tcp"']
- },
+ },
+ 'rtsp': {
+ 'driver': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
+ 'nftables': ['ct helper set "rtsp_tcp"']
+ },
 'sip': {
 'driver': ['nf_nat_sip', 'nf_conntrack_sip'],
 'nftables': ['ct helper set "sip_tcp"',
 'ct helper set "sip_udp"']
- },
+ },
 'sqlnet': {
 'nftables': ['ct helper set "tns_tcp"']
 },
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index 2a55daed4..a1472aaaa 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -58,6 +58,11 @@ module_map = {
 'nftables': ['tcp dport {1723} ct helper set "pptp_tcp" return'],
 'ipv4': True
 },
+ 'rtsp': {
+ 'ko': ['nf_nat_rtsp', 'nf_conntrack_rtsp'],
+ 'nftables': ['tcp dport {554} ct helper set "rtsp_tcp" return'],
+ 'ipv4': True
+ },
 'sip': {
 'ko': ['nf_nat_sip', 'nf_conntrack_sip'],
 'nftables': ['tcp dport {5060,5061} ct helper set "sip_tcp" return',
@@ -195,7 +200,7 @@ def generate(conntrack):
 def apply(conntrack):
 # Depending on the enable/disable state of the ALG (Application Layer Gateway)
 # modules we need to either insmod or rmmod the helpers.
-
+
 add_modules = []
 rm_modules = []
 
|
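Review bot: In src/conf_mode/system_conntrack.py the new `rtsp` entry of module_map attaches the helper to every TCP flow with destination port 554, with no limit on interface or address. Once the module is enabled, the helper inspects that traffic from any host routed through the box and can register expectations for related flows. A firewall rule that accepts related traffic broadly would then admit them, so the entry should say how it is meant to be paired with the firewall. I would add a comment above it such as `# RTSP ALG: attached on tcp/554 only; accept its expectations via the firewall conntrack-helper match for rtsp, not a blanket related accept`. RTSP servers on other ports are not covered by this rule, which is worth stating in the same comment. module_map starts and ends outside this hunk.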