author | Christian Poessinger <christian@poessinger.com> | 2021-05-31 23:01:10 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2021-05-31 23:02:48 +0200 |
commit | ec958eb3a97366f90a31bc8925be976a012b0fd5 (patch) | |
tree | 020b51b8fd5f841f27b0adb988b33b28f1b863a4 /src/conf_mode/conntrack.py | |
parent | af6485a0108cda618ff91423f6645dee8126c5d7 (diff) | |
conntrack: T3579: add module disable options
Some application layer gateway (ALG) modules can be disabled at runtime
if required.
Diffstat (limited to 'src/conf_mode/conntrack.py')
-rwxr-xr-x | src/conf_mode/conntrack.py | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index e834231cf..4e6e39c0f 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
+
 from sys import exit
 from vyos.config import Config
@@ -21,6 +23,7 @@ from vyos.configdict import dict_merge
 from vyos.util import cmd
 from vyos.util import run
 from vyos.util import process_named_running
+from vyos.util import dict_search
 from vyos.template import render
 from vyos.xml import defaults
 from vyos import ConfigError
@@ -30,6 +33,35 @@ airbag.enable()
 conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
 sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
+# Every ALG (Application Layer Gateway) consists of either a Kernel Object
+# also called a Kernel Module/Driver or some rules present in iptables
+module_map = {
+    'ftp' : {
+        'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'],
+    },
+    'h323' : {
+        'ko' : ['nf_nat_h323', 'nf_conntrack_h323'],
+    },
+    'nfs' : {
+        'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 111 --jump CT --helper rpc',
+                      'VYATTA_CT_HELPER --table raw --proto udp --dport 111 --jump CT --helper rpc'],
+    },
+    'pptp' : {
+        'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'],
+    },
+    'sip' : {
+        'ko' : ['nf_nat_sip', 'nf_conntrack_sip'],
+    },
+    'sqlnet' : {
+        'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 1521 --jump CT --helper tns',
+                      'VYATTA_CT_HELPER --table raw --proto tcp --dport 1525 --jump CT --helper tns',
+                      'VYATTA_CT_HELPER --table raw --proto tcp --dport 1536 --jump CT --helper tns'],
+    },
+    'tftp' : {
+        'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'],
+    },
+}
+
 def resync_conntrackd():
     tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py')
     if tmp > 0:
@@ -62,6 +94,31 @@ def generate(conntrack):
     return None
 def apply(conntrack):
+    # Depending on the enable/disable state of the ALG (Application Layer Gateway)
+    # modules we need to either insmod or rmmod the helpers.
+    for module, module_config in module_map.items():
+        if dict_search(f'modules.{module}.disable', conntrack) != None:
+            if 'ko' in module_config:
+                for mod in module_config['ko']:
+                    # Only remove the module if it's loaded
+                    if os.path.exists(f'/sys/module/{mod}'):
+                        cmd(f'rmmod {mod}')
+            if 'iptables' in module_config:
+                for rule in module_config['iptables']:
+                    print(f'iptables --delete {rule}')
+                    cmd(f'iptables --delete {rule}')
+        else:
+            if 'ko' in module_config:
+                for mod in module_config['ko']:
+                    cmd(f'modprobe {mod}')
+            if 'iptables' in module_config:
+                for rule in module_config['iptables']:
+                    # Only install iptables rule if it does not exist
+                    tmp = run(f'iptables --check {rule}')
+                    if tmp > 0:
+                        cmd(f'iptables --insert {rule}')
+
+
     if process_named_running('conntrackd'):
         # Reload conntrack-sync daemon to fetch new sysctl values
         resync_conntrackd() |
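Review bot: The disable branch runs `iptables --delete` unconditionally for every entry in module_config['iptables'], whereas the enable branch probes with `iptables --check` first; when the rule is not installed (the module was already disabled on an earlier commit, or the rule was never inserted) the delete exits non-zero and, if cmd() raises on a failed command as it appears to, the whole commit aborts. The `print(f'iptables --delete {rule}')` right above the delete also looks like leftover debugging output on a conf_mode script's stdout. Mirror the existing guard in the delete branch and drop the print: `if run(f'iptables --check {rule}') == 0:` followed by `    cmd(f'iptables --delete {rule}')`. Minor: `!= None` on the dict_search result should be `is not None`. apply() starts in this hunk but may continue past its last line, so the placement of the two trailing blank lines cannot be judged from here.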