feat: add conntrackd config

Author: gsanchietti

packages/ns-api/files/ns.ha

@@ -15,6 +15,60 @@ import subprocess
 import hashlib
 import time
 from nethsec import firewall
+from jinja2 import Template
+
+conntrack_template = """
+Sync {
+    Mode FTFW {
+        DisableExternalCache Off
+        CommitTimeout 180
+        PurgeTimeout 5
+    }
+
+    UDP {
+        # Dedicated link for connection replication
+        IPv4_address {{ first_ip }}
+        IPv4_Destination_Address {{ second_ip }}
+        Port 3780
+        Interface {{ ha_interface }}
+        SndSocketBuffer 1249280
+        RcvSocketBuffer 1249280
+        Checksum on
+    }
+}
+
+General {
+    HashSize 32768
+    HashLimit 131072
+    LogFile off
+    Syslog on
+    NetlinkOverrunResync 5
+    NetlinkEventsReliable on
+    PollSecs 5
+    EventIterationLimit 200
+    LockFile /var/lock/conntrack.lock
+    UNIX {
+        Path /var/run/conntrackd.ctl
+    }
+    NetlinkBufferSize 2097152
+    NetlinkBufferSizeMaxGrowth 8388608
+    Filter From Userspace {
+        Protocol Accept {
+            TCP
+            UDP
+        }
+        Address Ignore {
+            IPv4_address 127.0.0.1 # loopback
+            IPv4_address 10.0.0.1
+            IPv4_address 10.0.0.2
+            IPv4_address 10.0.0.3
+            IPv4_address 192.168.255.2
+            IPv4_address 192.168.255.52
+            IPv4_address 192.168.255.250
+        }
+    }
+}
+"""
 
 
 def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_secondary_ipaddress, pubkey = "", password = ""):
@@ -107,6 +161,12 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
         for line in result.stdout.splitlines():
             if 'ssh-rsa' in line:
                 ret['pubkey'] = line
+
+        # Setup conntrackd configuration
+        conntrack_template = Template(conntrack_template)
+        conntrack_conf = conntrack_template.render(first_ip=ha_main_ipaddress, second_ip=ha_secondary_ipaddress, ha_interface=ha_interface)
+        with open('/etc/conntrackd/conntrackd.conf', 'w') as file:
+            file.write(conntrack_conf)
     else:
         u.set('keepalived', 'ha_receiver', 'track_script')
         u.set('keepalived', 'ha_receiver', 'name', 'receiver')
@@ -147,7 +207,16 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
         # Change permissions of the rsync directory
         os.chmod(rsync_dir, 0o2775)
 
+        # Setup conntrackd configuration
+        conntrack_template = Template(conntrack_template)
+        conntrack_conf = conntrack_template.render(first_ip=ha_secondary_ipaddress, second_ip=ha_main_ipaddress, ha_interface=ha_interface)
+        with open('/etc/conntrackd/conntrackd.conf', 'w') as file:
+            file.write(conntrack_conf)
+
     u.save('keepalived')
+    # enable and start conntrackd
+    subprocess.run(['/etc/init.d/conntrackd', 'enable'], capture_output=True)
+    subprocess.run(['/etc/init.d/conntrackd', 'restart'], capture_output=True)
 
     return ret
 

packages/ns-ha/Makefile

@@ -38,10 +38,13 @@ define Package/ns-ha/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DIR) $(1)/lib/functions/keepalived
+	$(INSTALL_DIR) $(1)/usr/libexec
 	$(INSTALL_BIN) ./files/keepalived-config $(1)/usr/sbin
 	$(INSTALL_DATA) ./files/600-openvpn $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/900-ns-plug $(1)/etc/hotplug.d/keepalived
+	$(INSTALL_DATA) ./files/100-conntrackd $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/ns.sh $(1)/lib/functions/keepalived
+	$(INSTALL_BIN) ./files/conntrackd.sh /usr/libexec/conntrackd.sh
 endef
 
 $(eval $(call BuildPackage,ns-ha))

packages/ns-ha/files/100-conntrackd

@@ -0,0 +1,12 @@
+# shellcheck source=/dev/null
+. /lib/functions/keepalived/hotplug.sh
+
+if [ "$ACTION" == "NOTIFY_BACKUP" ]; then
+    /usr/libexec/conntrackd.sh backup
+elif [ "$ACTION" == "NOTIFY_MASTER" ]; then
+    /usr/libexec/conntrackd.sh primary
+elif [ "$ACTION" == "NOTIFY_FAULT" ]; then
+    /usr/libexec/conntrackd.sh fault
+fi
+
+keepalived_hotplug

packages/ns-ha/files/conntrackd.sh

@@ -0,0 +1,126 @@
+#!/bin/sh
+#
+# (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Description:
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Do not forget to include the required modifications to your keepalived.conf
+# file to invoke this script during keepalived's state transitions.
+#
+# Contributions to improve this script are welcome :).
+#
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+
+case "$1" in
+  primary)
+    #
+    # commit the external cache into the kernel table
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+    if [ $? -eq 1 ]
+    then
+        logger "ERROR: failed to invoke conntrackd -c"
+    fi
+
+    #
+    # flush the internal and the external caches
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -f"
+    fi
+
+    #
+    # resynchronize my internal cache to the kernel table
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -R"
+    fi
+
+    #
+    # send a bulk update to backups 
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+    if [ $? -eq 1 ]
+    then
+        logger "ERROR: failed to invoke conntrackd -B"
+    fi
+    ;;
+  backup)
+    #
+    # is conntrackd running? request some statistics to check it
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+    if [ $? -eq 1 ]
+    then
+        #
+	# something's wrong, do we have a lock file?
+	#
+    	if [ -f $CONNTRACKD_LOCK ]
+	then
+	    logger "WARNING: conntrackd was not cleanly stopped."
+	    logger "If you suspect that it has crashed:"
+	    logger "1) Enable coredumps"
+	    logger "2) Try to reproduce the problem"
+	    logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
+	    rm -f $CONNTRACKD_LOCK
+	fi
+	$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+	if [ $? -eq 1 ]
+	then
+	    logger "ERROR: cannot launch conntrackd"
+	    exit 1
+	fi
+    fi
+    #
+    # shorten kernel conntrack timers to remove the zombie entries.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -t"
+    fi
+
+    #
+    # request resynchronization with master firewall replica (if any)
+    # Note: this does nothing in the alarm approach.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -n"
+    fi
+    ;;
+  fault)
+    #
+    # shorten kernel conntrack timers to remove the zombie entries.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -t"
+    fi
+    ;;
+  *)
+    logger "ERROR: unknown state transition"
+    echo "Usage: primary-backup.sh {primary|backup|fault}"
+    exit 1
+    ;;
+esac
+
+exit 0