summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-24 14:38:12 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-24 16:44:32 +0200
commit81dee963a9ca3224ddbd54767a36efae5851a001 (patch)
treedd959ad5a29ff75a94e7b1e8d1738ad4a66847d1
parent734392fdff1276110d81c2315e6a4a29a1316f7d (diff)
downloadvyos-1x-81dee963a9ca3224ddbd54767a36efae5851a001.tar.gz
vyos-1x-81dee963a9ca3224ddbd54767a36efae5851a001.zip
firewall: T5614: Add support for matching on conntrack helper
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i1
-rw-r--r--interface-definitions/include/firewall/conntrack-helper.xml.i42
-rw-r--r--python/vyos/firewall.py14
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py6
4 files changed, 62 insertions, 1 deletions
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index e51dd0056..3dbfbb65c 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -4,6 +4,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-options.xml.i>
#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/conntrack-helper.xml.i>
#include <include/firewall/nft-queue.xml.i>
<leafNode name="disable">
<properties>
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
new file mode 100644
index 000000000..ee17f2c61
--- /dev/null
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/conntrack-helper.xml.i -->
+<leafNode name="conntrack-helper">
+ <properties>
+ <help>Match related traffic from conntrack helpers</help>
+ <completionHelp>
+ <list>ftp h323 pptp nfs sip tftp sqlnet</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ftp</format>
+ <description>Related traffic from FTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>h323</format>
+ <description>Related traffic from H.323 helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pptp</format>
+ <description>Related traffic from PPTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>nfs</format>
+ <description>Related traffic from NFS helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sip</format>
+ <description>Related traffic from SIP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tftp</format>
+ <description>Related traffic from TFTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sqlnet</format>
+ <description>Related traffic from SQLNet helper</description>
+ </valueHelp>
+ <constraint>
+ <regex>(ftp|h323|pptp|nfs|sip|tftp|sqlnet)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3ca7a25b9..7e43b815a 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -102,6 +102,20 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if states:
output.append(f'ct state {{{states}}}')
+ if 'conntrack_helper' in rule_conf:
+ helper_map = {'h323': ['RAS', 'Q.931'], 'nfs': ['rpc'], 'sqlnet': ['tns']}
+ helper_out = []
+
+ for helper in rule_conf['conntrack_helper']:
+ if helper in helper_map:
+ helper_out.extend(helper_map[helper])
+ else:
+ helper_out.append(helper)
+
+ if helper_out:
+ helper_str = ','.join(f'"{s}"' for s in helper_out)
+ output.append(f'ct helper {{{helper_str}}}')
+
if 'connection_status' in rule_conf and rule_conf['connection_status']:
status = rule_conf['connection_status']
if status['nat'] == 'destination':
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 676be5305..4a577562d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -503,12 +503,15 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'state', 'related', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'ftp'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'pptp'])
self.cli_commit()
@@ -517,6 +520,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['ct state invalid', 'reject'],
['ct state new', 'ct status dnat', 'accept'],
['ct state { established, new }', 'ct status snat', 'accept'],
+ ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
['drop', f'comment "{name} default-action drop"']
]