From ec958eb3a97366f90a31bc8925be976a012b0fd5 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 31 May 2021 23:01:10 +0200
Subject: conntrack: T3579: add module disable options

Some application layer gateway (ALG) modules can be disabled during runtime
if requireq.
---
 .../include/conntrack-module-disable.xml.i         |  8 +++
 interface-definitions/system-conntrack.xml.in      | 63 ++++++++++++++++++++++
 src/conf_mode/conntrack.py                         | 57 ++++++++++++++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 interface-definitions/include/conntrack-module-disable.xml.i

diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
new file mode 100644
index 000000000..f891225e0
--- /dev/null
+++ b/interface-definitions/include/conntrack-module-disable.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from conntrack-module-disable.xml.i -->
+<leafNode name="disable">
+  <properties>
+    <help>Disable connection tracking helper</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 07a2c401d..fa73df3db 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -35,6 +35,69 @@
             </properties>
             <defaultValue>32768</defaultValue>
           </leafNode>
+          <node name="modules">
+            <properties>
+              <help>Connection tracking modules settings</help>
+            </properties>
+            <children>
+              <node name="ftp">
+                <properties>
+                  <help>FTP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="h323">
+                <properties>
+                  <help>H.323 connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="nfs">
+                <properties>
+                  <help>NFS connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="pptp">
+                <properties>
+                  <help>PPTP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="sip">
+                <properties>
+                  <help>SIP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="sqlnet">
+                <properties>
+                  <help>SQLnet connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="tftp">
+                <properties>
+                  <help>TFTP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+            </children>
+          </node>
           <leafNode name="table-size">
             <properties>
               <help>Size of connection tracking table</help>
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index e834231cf..4e6e39c0f 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
+
 from sys import exit
 
 from vyos.config import Config
@@ -21,6 +23,7 @@ from vyos.configdict import dict_merge
 from vyos.util import cmd
 from vyos.util import run
 from vyos.util import process_named_running
+from vyos.util import dict_search
 from vyos.template import render
 from vyos.xml import defaults
 from vyos import ConfigError
@@ -30,6 +33,35 @@ airbag.enable()
 conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
 sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
 
+# Every ALG (Application Layer Gateway) consists of either a Kernel Object
+# also called a Kernel Module/Driver or some rules present in iptables
+module_map = {
+    'ftp' : {
+        'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'],
+    },
+    'h323' : {
+        'ko' : ['nf_nat_h323', 'nf_conntrack_h323'],
+    },
+    'nfs' : {
+        'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 111 --jump CT --helper rpc',
+                      'VYATTA_CT_HELPER --table raw --proto udp --dport 111 --jump CT --helper rpc'],
+    },
+    'pptp' : {
+        'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'],
+     },
+    'sip' : {
+        'ko' : ['nf_nat_sip', 'nf_conntrack_sip'],
+     },
+    'sqlnet' : {
+        'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 1521 --jump CT --helper tns',
+                      'VYATTA_CT_HELPER --table raw --proto tcp --dport 1525 --jump CT --helper tns',
+                      'VYATTA_CT_HELPER --table raw --proto tcp --dport 1536 --jump CT --helper tns'],
+    },
+    'tftp' : {
+        'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'],
+     },
+}
+
 def resync_conntrackd():
     tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py')
     if tmp > 0:
@@ -62,6 +94,31 @@ def generate(conntrack):
     return None
 
 def apply(conntrack):
+    # Depending on the enable/disable state of the ALG (Application Layer Gateway)
+    # modules we need to either insmod or rmmod the helpers.
+    for module, module_config in module_map.items():
+        if dict_search(f'modules.{module}.disable', conntrack) != None:
+            if 'ko' in module_config:
+                for mod in module_config['ko']:
+                    # Only remove the module if it's loaded
+                    if os.path.exists(f'/sys/module/{mod}'):
+                        cmd(f'rmmod {mod}')
+            if 'iptables' in module_config:
+                for rule in module_config['iptables']:
+                    print(f'iptables --delete {rule}')
+                    cmd(f'iptables --delete {rule}')
+        else:
+            if 'ko' in module_config:
+                for mod in module_config['ko']:
+                    cmd(f'modprobe {mod}')
+            if 'iptables' in module_config:
+                for rule in module_config['iptables']:
+                    # Only install iptables rule if it does not exist
+                    tmp = run(f'iptables --check {rule}')
+                    if tmp > 0:
+                        cmd(f'iptables --insert {rule}')
+
+
     if process_named_running('conntrackd'):
         # Reload conntrack-sync daemon to fetch new sysctl values
         resync_conntrackd()
-- 
cgit v1.2.3