Merge pull request #2199 from sarthurdev/T4309

conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
vyos · Sep 6, 2023 · 50f3e9f · 50f3e9f
2 parents c37f780 + 2c88d01
commit 50f3e9f
Show file tree

Hide file tree

Showing 14 changed files with 534 additions and 110 deletions.
diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json
@@ -1,5 +1,5 @@
 {
-  "firewall": {"group_resync": ["nat", "policy-route"]},
+  "firewall": {"group_resync": ["conntrack", "nat", "policy-route"]},
   "http_api": {"https": ["https"]},
   "pki": {
            "ethernet": ["interfaces-ethernet"],

diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,7 @@
 #!/usr/sbin/nft -f
 
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
 {% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
 {% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %}
 
@@ -10,29 +12,35 @@ flush chain raw {{ nft_ct_timeout_name }}
 
 table raw {
     chain {{ nft_ct_ignore_name }} {
-{% if ignore.rule is vyos_defined %}
-{%     for rule, rule_config in ignore.rule.items() %}
+{% if ignore.ipv4.rule is vyos_defined %}
+{%     for rule, rule_config in ignore.ipv4.rule.items() %}
+        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+       {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
+{%     endfor %}
+{% endif %}
+        return
+    }
+    chain {{ nft_ct_timeout_name }} {
+{% if timeout.custom.rule is vyos_defined %}
+{%     for rule, rule_config in timeout.custom.rule.items() %}
+        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+{%     endfor %}
+{% endif %}
+        return
+    }
+
+{{ group_tmpl.groups(firewall_group, False) }}
+}
+
+flush chain ip6 raw {{ nft_ct_ignore_name }}
+flush chain ip6 raw {{ nft_ct_timeout_name }}
+
+table ip6 raw {
+    chain {{ nft_ct_ignore_name }} {
+{% if ignore.ipv6.rule is vyos_defined %}
+{%     for rule, rule_config in ignore.ipv6.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-{%         set nft_command = '' %}
-{%         if rule_config.inbound_interface is vyos_defined %}
-{%             set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %}
-{%         endif %}
-{%         if rule_config.protocol is vyos_defined %}
-{%             set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %}
-{%         endif %}
-{%         if rule_config.destination.address is vyos_defined %}
-{%             set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %}
-{%         endif %}
-{%         if rule_config.destination.port is vyos_defined %}
-{%             set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %}
-{%         endif %}
-{%         if rule_config.source.address is vyos_defined %}
-{%             set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %}
-{%         endif %}
-{%         if rule_config.source.port is vyos_defined %}
-{%             set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %}
-{%         endif %}
-       {{ nft_command }} counter notrack comment ignore-{{ rule }}
+       {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
 {%     endfor %}
 {% endif %}
         return
@@ -45,4 +53,6 @@ table raw {
 {% endif %}
         return
     }
+
+{{ group_tmpl.groups(firewall_group, True) }}
 }
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
@@ -102,18 +102,49 @@ table ip6 raw {
 
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_PREROUTING_HOOK
         counter jump FW_CONNTRACK
         notrack
     }
 
     chain OUTPUT {
         type filter hook output priority -300; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_OUTPUT_HOOK
         counter jump FW_CONNTRACK
         notrack
     }
 
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+
+    chain VYOS_CT_HELPER {
+        ct helper set "rpc_tcp" tcp dport {111} return
+        ct helper set "rpc_udp" udp dport {111} return
+        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+        return
+    }
+
+    chain VYOS_CT_IGNORE {
+        return
+    }
+
+    chain VYOS_CT_TIMEOUT {
+        return
+    }
+
     chain VYOS_CT_PREROUTING_HOOK {
         return
     }

diff --git a/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/source-destination-group-ipv4.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/conntrack-version.xml.i -->
-<syntaxVersion component='conntrack' version='3'></syntaxVersion>
+<syntaxVersion component='conntrack' version='4'></syntaxVersion>
 <!-- include end -->