author | Christian Poessinger <christian@poessinger.com> | 2022-01-09 20:54:39 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-01-10 21:32:29 +0100 |
commit | 05b5d09ca70c5cc868f2108df4bcd3fcf6a7d865 (patch) | |
tree | d692163816bf04a25aff833be2baa82af7b14122 /src | |
parent | 436805a69df324767c3efdf8d72127bef42fd720 (diff) | |
download | vyos-1x-05b5d09ca70c5cc868f2108df4bcd3fcf6a7d865.tar.gz vyos-1x-05b5d09ca70c5cc868f2108df4bcd3fcf6a7d865.zip |
conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and nftables
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/conntrack.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index c65ef9540..3cb0dd1e2 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -35,6 +35,7 @@ airbag.enable()
 conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
 sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
+nftables_ct_ignore_file = r'/run/nftables-ct-ignore.conf'
 # Every ALG (Application Layer Gateway) consists of either a Kernel Object
 # also called a Kernel Module/Driver or some rules present in iptables
@@ -86,11 +87,19 @@ def get_config(config=None):
     return conntrack
 def verify(conntrack):
+    if dict_search('ignore.rule', conntrack) != None:
+        for rule, rule_config in conntrack['ignore']['rule'].items():
+            if dict_search('destination.port', rule_config) or \
+               dict_search('source.port', rule_config):
+                if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
+                    raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+
     return None
 def generate(conntrack):
     render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack)
+    render(nftables_ct_ignore_file, 'conntrack/nftables-ct-ignore.tmpl', conntrack)
     return None
@@ -127,6 +136,9 @@ def apply(conntrack):
         if not find_nftables_ct_rule(rule):
             cmd(f'nft insert rule ip raw VYOS_CT_HELPER {rule}')
+    # Load new nftables ruleset
+    cmd(f'nft -f {nftables_ct_ignore_file}')
+
     if process_named_running('conntrackd'):
         # Reload conntrack-sync daemon to fetch new sysctl values
         resync_conntrackd() |
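Review bot: The new guard at the top of verify() tests for None with `!= None`; the PEP 8 form is `if dict_search('ignore.rule', conntrack) is not None:`. The two nested conditions can be flattened into one branch with the same semantics, `if (dict_search('destination.port', rule_config) or dict_search('source.port', rule_config)) and rule_config.get('protocol') not in ['tcp', 'udp']:`. A rule that carries no match criteria at all passes this validation; if the template renders such a rule as an unconditional notrack, it would exempt all traffic from connection tracking, so consider rejecting rules with no selectors in the same loop — the template is not part of this diff, so confirm its output before adding that check.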
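Review bot: The rendered ruleset is loaded only in apply() via `cmd(f'nft -f {nftables_ct_ignore_file}')`, so a template or syntax error in the generated file surfaces after the modprobe and sysctl steps earlier in apply() have already taken effect; a syntax-only check in generate(), `cmd(f'nft -c -f {nftables_ct_ignore_file}')`, would fail the commit before any system state changes. The comment `# Load new nftables ruleset` should also state whether the file replaces or appends to the previously loaded ignore rules, since repeated commits would otherwise accumulate rules; that depends on the template, which is not visible here. apply() begins outside the hunk.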