add tunnable nf_conntrack_tcp_timeout_established value

default nf_conntrack_tcp_timeout_established value is 5 days.

This is really huge, in case of a ddos attack for example

from:
https://dev.openwrt.org/ticket/12976

minimum value should be

"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

diff --git a/example/host.fw b/example/host.fw
index 4d861078d8c6f8b2f6ddb69a668d7cae08a5226b..1bf6d86578ab2dc5a6eeecaeb8190e3393d7fdd3 100644 (file)
--- a/example/host.fw
+++ b/example/host.fw
@@ -15,6 +15,9 @@ policy_out: ACCEPT
 # allow more connections (default is 65536)
 nf_conntrack_max: 196608
 
 # allow more connections (default is 65536)
 nf_conntrack_max: 196608
 

+# reduce conntrack established timeout (default is 432000 - 5days)
+nf_conntrack_tcp_timeout_established: 7875
+

 # Enable firewall when bridges contains IP address.
 # The firewall is not fully functional in that case, so
 # you need to enable that explicitly
 # Enable firewall when bridges contains IP address.
 # The firewall is not fully functional in that case, so
 # you need to enable that explicitly

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 362dfbc5ace4666be8aa308a0bf193f13aafb8e0..f68476fa601150f1f7c448ff41e0f07f79e515e5 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1859,7 +1859,7 @@ sub parse_hostfw_option {
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
        $opt = lc($1);
        $value = uc($3);
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
        $opt = lc($1);
        $value = uc($3);

-    } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {
+    } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {

        $opt = lc($1);
        $value = int($2);
     } else {
        $opt = lc($1);
        $value = int($2);
     } else {


@@ -2764,6 +2764,8 @@ sub apply_ruleset {
 
     update_nf_conntrack_max($hostfw_conf);
 
 
     update_nf_conntrack_max($hostfw_conf);
 

+    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+

     my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
        get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 
     my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
        get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 


@@ -2828,6 +2830,16 @@ sub update_nf_conntrack_max {
     }
 }
 
     }
 }
 

+sub update_nf_conntrack_tcp_timeout_established {
+    my ($hostfw_conf) = @_;
+
+    my $options = $hostfw_conf->{options} || {};
+
+    my $value = defined($options->{nf_conntrack_tcp_timeout_established}) ? $options->{nf_conntrack_tcp_timeout_established} : 432000;
+
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established", $value);
+}
+

 sub remove_pvefw_chains {
 
     my ($chash, $hooks) = iptables_get_chains();
 sub remove_pvefw_chains {
 
     my ($chash, $hooks) = iptables_get_chains();