From fd0bcaf120bc4ad5f3e9add93f0fa2c2c60e984f Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 21 Sep 2023 12:05:20 +0200
Subject: conntrack: T5376: T5598: Fix for kernel conntrack helpers

The `nf_conntrack_helper` sysctl, which auto-assigned helpers to connections, has been removed from the kernel
---
 data/templates/conntrack/nftables-ct.j2            | 51 +---------------
 data/templates/conntrack/nftables-helpers.j2       | 70 ++++++++++++++++++++++
 data/templates/conntrack/vyos_nf_conntrack.conf.j2 |  3 +-
 3 files changed, 74 insertions(+), 50 deletions(-)
 create mode 100644 data/templates/conntrack/nftables-helpers.j2


diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 895f61a55..1e0fc8065 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
 
+{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %}
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 
 {% if first_install is not vyos_defined %}
@@ -52,30 +53,7 @@ table ip vyos_conntrack {
         notrack
     }
 
-    ct helper rpc_tcp {
-        type "rpc" protocol tcp;
-    }
-
-    ct helper rpc_udp {
-        type "rpc" protocol udp;
-    }
-
-    ct helper tns_tcp {
-        type "tns" protocol tcp;
-    }
-
-    chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{%     if modules[module] is vyos_defined %}
-{%         if 'nftables' in module_conf %}
-{%             for rule in module_conf.nftables %}
-        {{ rule }}
-{%             endfor %}
-{%         endif %}
-{%     endif %}
-{% endfor %}
-        return
-    }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
 
     chain FW_CONNTRACK {
         {{ ipv4_firewall_action }}
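Review bot: The helper objects that used to be declared unconditionally here (`rpc_tcp`, `rpc_udp`, `tns_tcp`) are now declared by the macro only when `modules.nfs` / `modules.sqlnet` are defined, so the ruleset is only valid if every `module_map` rule that does `ct helper set "rpc_tcp"` (or the other names) belongs to the same module that declares the object; nft rejects the whole file on a reference to an undeclared helper. The loop in the macro gates rules on `modules[module] is vyos_defined`, which keeps this consistent as long as module names and helper names line up in `module_map`, which is defined outside this diff. The same applies to the ip6 table hunk below. A short comment at the call site, `{# helper objects and VYOS_CT_HELPER chain; objects exist only for enabled modules #}`, would make the coupling visible to the next editor.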
@@ -140,30 +118,7 @@ table ip6 vyos_conntrack {
         notrack
     }
 
-    ct helper rpc_tcp {
-        type "rpc" protocol tcp;
-    }
-
-    ct helper rpc_udp {
-        type "rpc" protocol udp;
-    }
-
-    ct helper tns_tcp {
-        type "tns" protocol tcp;
-    }
-
-    chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{%     if modules[module] is vyos_defined %}
-{%         if 'nftables' in module_conf %}
-{%             for rule in module_conf.nftables %}
-        {{ rule }}
-{%             endfor %}
-{%         endif %}
-{%     endif %}
-{% endfor %}
-        return
-    }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
 
     chain FW_CONNTRACK {
         {{ ipv6_firewall_action }}
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
new file mode 100644
index 000000000..433931162
--- /dev/null
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -0,0 +1,70 @@
+{% macro conntrack_helpers(module_map, modules, ipv4=True) %}
+{% if modules.ftp is vyos_defined %}
+    ct helper ftp_tcp {
+        type "ftp" protocol tcp;
+    }
+{% endif %}
+
+{% if modules.h323 is vyos_defined %}
+    ct helper ras_udp {
+        type "RAS" protocol udp;
+    }
+
+    ct helper q931_tcp {
+        type "Q.931" protocol tcp;
+    }
+{% endif %}
+
+{% if modules.pptp is vyos_defined and ipv4 %}
+    ct helper pptp_tcp {
+        type "pptp" protocol tcp;
+    }
+{% endif %}
+
+{% if modules.nfs is vyos_defined %}
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+{% endif %}
+
+{% if modules.sip is vyos_defined %}
+    ct helper sip_tcp {
+        type "sip" protocol tcp;
+    }
+
+    ct helper sip_udp {
+        type "sip" protocol udp;
+    }
+{% endif %}
+
+{% if modules.tftp is vyos_defined %}
+    ct helper tftp_udp {
+        type "tftp" protocol udp;
+    }
+{% endif %}
+
+{% if modules.sqlnet is vyos_defined %}
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+{% endif %}
+
+    chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{%     if modules[module] is vyos_defined %}
+{%         if 'nftables' in module_conf %}
+{%             if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %}
+{%                 for rule in module_conf.nftables %}
+        {{ rule }}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+{%     endif %}
+{% endfor %}
+        return
+    }
+{% endmacro %}
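Review bot: The new macro has no header describing its contract, and the `ipv4` parameter does two different things (it suppresses the `pptp_tcp` object at line 114 and filters rules through `module_conf.ipv4` at line 156) that have to stay in step: if a `module_map` entry for pptp ever loses its `ipv4` flag, its `ct helper set` rule would be emitted into the ip6 table while the object is not. A `{# ... #}` comment above `{% macro %}` should state that the macro declares one ct helper object per enabled module and emits that module's `nftables` rules into `VYOS_CT_HELPER`, and that `ipv4` both omits the pptp object when False and drops every rule whose `module_conf.ipv4` is set and differs from it. It is also worth noting in that comment that a module whose `ipv4` is explicitly `false` relies on `vyos_defined` treating `False` as defined; if that test returns false for `False`, such a rule would be emitted into both tables, which I cannot confirm from here. Since the kernel no longer auto-attaches helpers (see the `nf_conntrack_helper=1` removal in this commit), this chain is now the only place a helper can be bound, which is the reason the chain exists and belongs in the same comment.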
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..197155d96 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
 # Autogenerated by conntrack.py
-options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
+options nf_conntrack hashsize={{ hash_size }}
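Review bot: Dropping `nf_conntrack_helper=1` silently changes how helpers reach a connection, and the generated file gives no hint of that to whoever reads it on a live system. Add a comment after the `Autogenerated` line: `# nf_conntrack_helper (automatic helper assignment) no longer exists in the kernel; helpers are bound only by explicit 'ct helper set' rules in nftables-ct.j2`. The template also loses its trailing blank line, which is harmless but worth a glance since the old file ended with one.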
-- 


From 5acf5acedbf7e0c581653ddf2e7693f148017943 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sat, 23 Sep 2023 14:04:48 +0200
Subject: conntrack: T5376: Use vyos.configdep to call conntrack-sync

---
 data/config-mode-dependencies/vyos-1x.json |  1 +
 src/conf_mode/conntrack.py                 | 13 +++++--------
 2 files changed, 6 insertions(+), 8 deletions(-)


diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index a433c2522..72a3d1153 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,4 +1,5 @@
 {
+  "conntrack": {"conntrack_sync": ["conntrack_sync"]},
   "firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]},
   "http_api": {"https": ["https"]},
   "load_balancing_wan": {"conntrack": ["conntrack"]},
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 75fd26588..2c5fa335e 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -20,6 +20,7 @@ import re
 from sys import exit
 
 from vyos.config import Config
+from vyos.configdep import set_dependents, call_dependents
 from vyos.utils.process import process_named_running
 from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_args
@@ -78,11 +79,6 @@ valid_groups = [
     'port_group'
 ]
 
-def resync_conntrackd():
-    tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py')
-    if tmp > 0:
-        print('ERROR: error restarting conntrackd!')
-
 def get_config(config=None):
     if config:
         conf = config
@@ -105,6 +101,9 @@ def get_config(config=None):
 
     conntrack['module_map'] = module_map
 
+    if conf.exists(['service', 'conntrack-sync']):
+        set_dependents('conntrack_sync', conf)
+
     return conntrack
 
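Review bot: The dependent is registered only when `conf.exists(['service', 'conntrack-sync'])` is true, but the reason it is needed at all (the first commit's `apply()` comment said conntrackd has to be reloaded to pick up new sysctl values) is no longer stated anywhere; add `# conntrackd must be reloaded to pick up the new sysctl values; defer that to the conntrack_sync dependent` above the `if`. Whether the list path resolves against the config root depends on whether `get_config` called `set_level` earlier, which is outside the hunk; if it did, this `exists` check would look under the wrong node. `get_config` starts before the hunk.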
 def verify(conntrack):
@@ -213,9 +212,7 @@ def apply(conntrack):
         module_str = ' '.join(rm_modules)
         cmd(f'rmmod {module_str}')
 
-    if process_named_running('conntrackd'):
-        # Reload conntrack-sync daemon to fetch new sysctl values
-        resync_conntrackd()
+    call_dependents()
 
     # We silently ignore all errors
     # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080
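Review bot: `call_dependents()` is now unconditional where the old code only resynced when `conntrackd` was actually running, and the old path printed an error and carried on, whereas if `call_dependents()` propagates a dependent's failure the sysctl writes that follow (the "silently ignore all errors" section) are never reached. If that is the intended behaviour it deserves a comment, `# runs conntrack_sync (registered in get_config) to reload conntrackd; a failure there aborts the remaining sysctl updates`; if not, wrap the call and log rather than raise. With `resync_conntrackd` gone and this guard removed, `run` and `process_named_running` (still imported at the top of the file) may now be unused; I cannot see the rest of the file to confirm. `apply` continues past the hunk.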
-- 