summaryrefslogtreecommitdiff
path: root/docs/configuration/system/conntrack.rst
blob: 1401e02e1d173aeb043c8ffe66b8facde7ee9735 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224

#########
Conntrack
#########

VyOS can be configured to track connections using the connection
tracking subsystem. Connection tracking becomes operational once either
stateful firewall or NAT is configured.

*********
Configure
*********

.. cfgcmd:: set system conntrack table-size <1-50000000>
    :defaultvalue:

    The connection tracking table contains one entry for each connection being
    tracked by the system.

.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
    :defaultvalue:

    The connection tracking expect table contains one entry for each expected
    connection related to an existing connection. These are generally used by
    “connection tracking helper” modules such as FTP.
    The default size of the expect table is 2048 entries.

.. cfgcmd:: set system conntrack hash-size <1-50000000>
    :defaultvalue:

    Set the size of the hash table. The connection tracking hash table makes
    searching the connection tracking table faster. The hash table uses
    “buckets” to record entries in the connection tracking table.

.. cfgcmd:: set system conntrack modules ftp
.. cfgcmd:: set system conntrack modules h323
.. cfgcmd:: set system conntrack modules nfs
.. cfgcmd:: set system conntrack modules pptp
.. cfgcmd:: set system conntrack modules sip
.. cfgcmd:: set system conntrack modules sqlnet
.. cfgcmd:: set system conntrack modules tftp

    Configure the connection tracking protocol helper modules.
    All modules are enable by default.

    | Use `delete system conntrack modules` to deactive all modules.
    | Or, for example ftp, `delete system conntrack modules ftp`.

.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
    :defaultvalue:

    Set the maximum number of TCP half-open connections.

.. cfgcmd:: set system conntrack tcp loose <enable | disable>
    :defaultvalue:

    Policy to track previously established connections.

.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
    :defaultvalue:

    Set the number of TCP maximum retransmit attempts.

Contrack Timeouts
=================

VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
connections, UDP connections, or for TCP connections in a number of different
states.

.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout other <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
    :defaultvalue:

    Set the timeout in seconds for a protocol or state.

You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector.

.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   description <test>

    Set a rule description.

.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   destination address <ip-address>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   source address <ip-address>

    Set a destination and/or source address. Accepted input for ipv4:

    .. code-block:: none

        set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
        Possible completions:
           <x.x.x.x>            IPv4 address to match
           <x.x.x.x/x>          IPv4 prefix to match
           <x.x.x.x>-<x.x.x.x>  IPv4 address range to match
           !<x.x.x.x>           Match everything except the specified address
           !<x.x.x.x/x>         Match everything except the specified prefix
           !<x.x.x.x>-<x.x.x.x> Match everything except the specified range

        set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
        Possible completions:
           <h:h:h:h:h:h:h:h>    IP address to match
           <h:h:h:h:h:h:h:h/x>  Subnet to match
           <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
                                IP range to match
           !<h:h:h:h:h:h:h:h>   Match everything except the specified address
           !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
           !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
                                Match everything except the specified range

.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   destination port <value>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   source port <value>

    Set a destination and/or source port. Accepted input:

    .. code-block:: none

        <port name>    Named port (any name in /etc/services, e.g., http)
        <1-65535>      Numbered port
        <start>-<end>  Numbered port range (e.g., 1001-1005)
    
    Multiple destination ports can be specified as a comma-separated list.
    The whole list can also be "negated" using '!'. For example:
    `!22,telnet,http,123,1001-1005``

.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp close <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp close-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp established <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp fin-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp last-ack <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp syn-recv <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp syn-sent <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol tcp time-wait <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol udp replied <1-21474836>
.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
   protocol udp unreplied <1-21474836>

    Set the timeout in seconds for a protocol or state in a custom rule.

Conntrack ignore rules
======================

    Customized ignore rules, based on a packet and flow selector.

.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   description <text>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   destination address <ip-address>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   destination port <port>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   inbound-interface <interface>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   protocol <protocol>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   source address <ip-address>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   source port <port>
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
   tcp flags [not] <text>

   Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
   ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
   inverted selection use ``not``, as shown in the example.

Conntrack log
=============

.. cfgcmd:: set system conntrack log icmp destroy
.. cfgcmd:: set system conntrack log icmp new
.. cfgcmd:: set system conntrack log icmp update
.. cfgcmd:: set system conntrack log other destroy
.. cfgcmd:: set system conntrack log other new
.. cfgcmd:: set system conntrack log other update
.. cfgcmd:: set system conntrack log tcp destroy
.. cfgcmd:: set system conntrack log tcp new
.. cfgcmd:: set system conntrack log tcp update close-wait
.. cfgcmd:: set system conntrack log tcp update established
.. cfgcmd:: set system conntrack log tcp update fin-wait
.. cfgcmd:: set system conntrack log tcp update last-ack
.. cfgcmd:: set system conntrack log tcp update syn-received
.. cfgcmd:: set system conntrack log tcp update time-wait
.. cfgcmd:: set system conntrack log udp destroy
.. cfgcmd:: set system conntrack log udp new
.. cfgcmd:: set system conntrack log udp update

    Log the connection tracking events per protocol.