diff options
| author | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
|---|---|---|
| committer | kumvijaya <kumvijaya@gmail.com> | 2024-05-21 16:41:14 +0530 |
| commit | cc86483fdf7a6bd988f485c06402fd07368dd26e (patch) | |
| tree | 9d892a9715106cc67bf1e57b15b999aa7e564057 /data/templates/conntrack | |
| parent | 704ca2322d0bebcb923f5136f0f69fb23651a484 (diff) | |
| download | vyos-workflow-test-temp-cc86483fdf7a6bd988f485c06402fd07368dd26e.tar.gz vyos-workflow-test-temp-cc86483fdf7a6bd988f485c06402fd07368dd26e.zip | |
T6357: create test repository to validate setup
Diffstat (limited to 'data/templates/conntrack')
| -rw-r--r-- | data/templates/conntrack/nftables-ct.j2 | 176 | ||||
| -rw-r--r-- | data/templates/conntrack/nftables-helpers.j2 | 76 | ||||
| -rw-r--r-- | data/templates/conntrack/sysctl.conf.j2 | 27 | ||||
| -rw-r--r-- | data/templates/conntrack/vyos_nf_conntrack.conf.j2 | 2 |
4 files changed, 281 insertions, 0 deletions
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 new file mode 100644 index 0000000..c753e6b --- /dev/null +++ b/data/templates/conntrack/nftables-ct.j2 @@ -0,0 +1,176 @@ +#!/usr/sbin/nft -f + +{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %} +{% import 'firewall/nftables-defines.j2' as group_tmpl %} + +{% if first_install is not vyos_defined %} +delete table ip vyos_conntrack +{% endif %} +table ip vyos_conntrack { + chain VYOS_CT_IGNORE { +{% if ignore.ipv4.rule is vyos_defined %} +{% for rule, rule_config in ignore.ipv4.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }} +{% endfor %} +{% endif %} + return + } + chain VYOS_CT_TIMEOUT { +{% if timeout.custom.ipv4.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv4.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }} +{% endfor %} +{% endif %} + return + } + +{% if timeout.custom.ipv4.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv4.rule.items() %} + ct timeout ct-timeout-{{ rule }} { + l3proto ip; +{% for protocol, protocol_config in rule_config.protocol.items() %} + protocol {{ protocol }}; + policy = { {{ protocol_config | conntrack_ct_policy() }} } +{% endfor %} + } +{% endfor %} +{% endif %} + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + counter jump WLB_CONNTRACK + notrack + } + +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK +{% if wlb_local_action %} + counter jump WLB_CONNTRACK +{% endif %} + notrack + } + +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + +{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }} + + chain FW_CONNTRACK { + {{ ipv4_firewall_action }} + } + + chain NAT_CONNTRACK { + {{ ipv4_nat_action }} + } + + chain WLB_CONNTRACK { + {{ wlb_action }} + } + +{% if firewall.group is vyos_defined %} +{{ group_tmpl.groups(firewall.group, False, True) }} +{% endif %} +} + +{% if first_install is not vyos_defined %} +delete table ip6 vyos_conntrack +{% endif %} +table ip6 vyos_conntrack { + chain VYOS_CT_IGNORE { +{% if ignore.ipv6.rule is vyos_defined %} +{% for rule, rule_config in ignore.ipv6.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }} +{% endfor %} +{% endif %} + return + } + chain VYOS_CT_TIMEOUT { +{% if timeout.custom.ipv6.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv6.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} + {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }} +{% endfor %} +{% endif %} + return + } + +{% if timeout.custom.ipv6.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.ipv6.rule.items() %} + ct timeout ct-timeout-{{ rule }} { + l3proto ip; +{% for protocol, protocol_config in rule_config.protocol.items() %} + protocol {{ protocol }}; + policy = { {{ protocol_config | conntrack_ct_policy() }} } +{% endfor %} + } +{% endfor %} +{% endif %} + + chain PREROUTING { + type filter hook prerouting priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + notrack + } + +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; + counter jump VYOS_CT_IGNORE + counter jump VYOS_CT_TIMEOUT + counter jump FW_CONNTRACK + counter jump NAT_CONNTRACK + notrack + } + +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + +{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }} + + chain FW_CONNTRACK { + {{ ipv6_firewall_action }} + } + + chain NAT_CONNTRACK { + {{ ipv6_nat_action }} + } + +{% if firewall.group is vyos_defined %} +{{ group_tmpl.groups(firewall.group, True, True) }} +{% endif %} +} diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2 new file mode 100644 index 0000000..63a0cc8 --- /dev/null +++ b/data/templates/conntrack/nftables-helpers.j2 @@ -0,0 +1,76 @@ +{% macro conntrack_helpers(module_map, modules, ipv4=True) %} +{% if modules.ftp is vyos_defined %} + ct helper ftp_tcp { + type "ftp" protocol tcp; + } +{% endif %} + +{% if modules.h323 is vyos_defined %} + ct helper ras_udp { + type "RAS" protocol udp; + } + + ct helper q931_tcp { + type "Q.931" protocol tcp; + } +{% endif %} + +{% if modules.pptp is vyos_defined and ipv4 %} + ct helper pptp_tcp { + type "pptp" protocol tcp; + } +{% endif %} + +{% if modules.nfs is vyos_defined %} + ct helper rpc_tcp { + type "rpc" protocol tcp; + } + + ct helper rpc_udp { + type "rpc" protocol udp; + } +{% endif %} + +{% if modules.rtsp is vyos_defined and ipv4 %} + ct helper rtsp_tcp { + type "rtsp" protocol tcp; + } +{% endif %} + +{% if modules.sip is vyos_defined %} + ct helper sip_tcp { + type "sip" protocol tcp; + } + + ct helper sip_udp { + type "sip" protocol udp; + } +{% endif %} + +{% if modules.tftp is vyos_defined %} + ct helper tftp_udp { + type "tftp" protocol udp; + } +{% endif %} + +{% if modules.sqlnet is vyos_defined %} + ct helper tns_tcp { + type "tns" protocol tcp; + } +{% endif %} + + chain VYOS_CT_HELPER { +{% for module, module_conf in module_map.items() %} +{% if modules[module] is vyos_defined %} +{% if 'nftables' in module_conf %} +{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %} +{% for rule in module_conf.nftables %} + {{ rule }} +{% endfor %} +{% endif %} +{% endif %} +{% endif %} +{% endfor %} + return + } +{% endmacro %} diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 new file mode 100644 index 0000000..986f75c --- /dev/null +++ b/data/templates/conntrack/sysctl.conf.j2 @@ -0,0 +1,27 @@ +# Autogenerated by system_conntrack.py +{# all values have defaults - thus no checking required #} + +net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }} +net.netfilter.nf_conntrack_max = {{ table_size }} + +net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }} + +net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }} +net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }} + +net.netfilter.nf_conntrack_icmp_timeout = {{ timeout.icmp }} +net.netfilter.nf_conntrack_generic_timeout = {{ timeout.other }} + +net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ timeout.tcp.close_wait }} +net.netfilter.nf_conntrack_tcp_timeout_close = {{ timeout.tcp.close }} +net.netfilter.nf_conntrack_tcp_timeout_established = {{ timeout.tcp.established }} +net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ timeout.tcp.fin_wait }} +net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ timeout.tcp.last_ack }} +net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ timeout.tcp.syn_recv }} +net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ timeout.tcp.syn_sent }} +net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }} + +net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }} +net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }} + +net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 new file mode 100644 index 0000000..1b12fec --- /dev/null +++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 @@ -0,0 +1,2 @@ +# Autogenerated by system_conntrack.py +options nf_conntrack hashsize={{ hash_size }} |