Merge pull request #543 from NethServer/nathelper

Refactor NAT helpers

#544

config/nat_helpers.conf

@@ -0,0 +1,4 @@
+CONFIG_PACKAGE_kmod-nf-nathelper=y
+CONFIG_PACKAGE_kmod-asn1-decoder=y
+CONFIG_PACKAGE_kmod-lib-textsearch=y
+CONFIG_PACKAGE_kmod-nf-nathelper-extra=y

docs/design/nat_helpers.md

@@ -6,16 +6,20 @@ parent: Design
 
 # NAT helpers
 
-As default the image does not contain many NAT helpers.
-To install extra helpers like SIP ALG use:
+The image contains already all commonly used NAT helpers,
+but helpers are not loaded by default on a new installation.
+
+Please note that after migration, all NAT helpers are loaded
+by default to preserve NethServer 7 behavior.
+
+The `kmod-nf-nathelper` package provides the following helpers:
+`opkg files kmod-nf-nathelper | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1`
 ```
-opkg update
-opkg install kmod-nf-nathelper-extra
+nf_nat_ftp
+nf_conntrack_ftp
 ```
 
-Modules listed inside inside `/etc/modules.d/nf-nathelper-extra` are automatically loaded.
-
-The `kmod-nf-nathelper-extra` provides the following helpers: 
+The `kmod-nf-nathelper-extra` package provides the following helpers:
 `opkg files kmod-nf-nathelper-extra | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1`
 ```
 nf_conntrack_pptp
@@ -35,11 +39,19 @@ nf_conntrack_h323
 nf_nat_irc
 ```
 
-## SIP helper (SIP ALG)
+## Enable FTP helper
+
+To enable only the FTP helper:
+```
+echo -ne "nf_conntrack_ftp\nnf_nat_ftp\n" > /etc/modules.d/ns-nathelpers
+load-kernel-modules
+```
+
+## Enable SIP helper (SIP ALG)
 
 To enable only SIP helper with default configuration and load it at boot, use:
 ```
-echo nf_nat_sip > /etc/modules.d/nf-nat-sip
+echo nf_nat_sip > /etc/modules.d/ns-nathelpers
 reboot
 ```
 The `nf_nat_sip` module will automatically load the `nf_conntrack_sip` module.
@@ -64,7 +76,13 @@ From [kernel source](https://github.com/torvalds/linux/blob/v5.10/net/netfilter/
 
 Enable SIP helper with non-default parameters:
 ```
-echo nf_conntrack_sip sip_external_media=1 sip_direct_media=1 > /etc/modules.d/nf-nat-sip
-echo nf_nat_sip >> /etc/modules.d/nf-nat-sip
-reboot
+echo nf_conntrack_sip sip_external_media=1 > /etc/modules.d/ns-nathelpers
+echo nf_nat_sip >> /etc/modules.d/ns-nathelpers
+load-kernel-modules
 ```
+
+When setting non-default parameters, it's recommended to reboot the system to ensure the correct module parameters are applied.
+
+## Disable an helper
+
+To disable an helper, remove it from the `/etc/modules.d/ns-nathelpers` file and reboot.

packages/ns-api/Makefile

@@ -148,7 +148,9 @@ define Package/ns-api/install
 	$(INSTALL_DATA) ./files/ns.scan.json $(1)/usr/share/rpcd/acl.d/
 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
 	$(INSTALL_CONF) files/msmtp.keep $(1)/lib/upgrade/keep.d/msmtp
+	$(INSTALL_CONF) files/nat-helpers.keep $(1)/lib/upgrade/keep.d/nat-helpers
 	$(LN) /usr/bin/msmtp $(1)/usr/sbin/sendmail
+	$(INSTALL_BIN) ./files/load-kernel-modules $(1)/usr/sbin/load-kernel-modules
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/config $(1)/etc/config/ns-api
 	$(INSTALL_CONF) ./files/templates $(1)/etc/config/

packages/ns-api/files/load-kernel-modules

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+# Load all kernel modules from /etc/modules.d/ns-nathelpers
+# Example:
+# nf_conntrack_sip sip_external_media=1 sip_direct_media=1
+
+exit_code=0
+
+# Load all module
+for line in "$(grep -v '^#' /etc/modules.d/ns-nathelpers)"; do
+    module=$(echo $line | awk '{print $1}')
+    modprobe $module
+    for param in $(echo $line | awk '{for(i=2;i<=NF;++i)print $i}'); do
+        # Set parameter using /sys since modprobe doesn't support parameters
+        key=$(echo $param | cut -d= -f1)
+        value=$(echo $param | cut -d= -f2)
+        echo $value > /sys/module/$module/parameters/$key
+        if [ $? -ne 0 ]; then
+            exit_code=99
+        fi
+    done
+done
+
+# Special exit code 99 means that at least one parameter failed to be set
+exit $exit_code

packages/ns-api/files/load-modules

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+# Load all kernel modules from /etc/modules.d/ns-nathelpers
+# Example:
+# nf_conntrack_sip sip_external_media=1 sip_direct_media=1
+
+exit_code=0
+
+# Load all module
+for line in "$(grep -v '^#' /etc/modules.d/ns-nathelpers)"; do
+    module=$(echo $line | awk '{print $1}')
+    modprobe $module
+    exit_code=$?
+    for param in $(echo $line | awk '{for(i=2;i<=NF;++i)print $i}'); do
+        # Set parameter using /sys since modprobe doesn't support parameters
+        key=$(echo $param | cut -d= -f1)
+        value=$(echo $param | cut -d= -f2)
+        echo $value > /sys/module/$module/parameters/$key
+        if [ $? -ne 0 ]; then
+            exit_code=99
+        fi
+    done
+done
+
+# Special exit code 99 means that at least one parameter failed to be set
+exit $exit_code

packages/ns-api/files/nat-helpers.keep

@@ -0,0 +1 @@
+/etc/modules.d/ns-nathelpers

packages/ns-migration/Makefile

@@ -52,6 +52,7 @@ define Package/ns-migration/install
 	$(INSTALL_BIN) ./files/scripts/openvpn_tunnels $(1)/usr/share/ns-migration/40openvpn_tunnels
 	$(INSTALL_BIN) ./files/scripts/ipsec $(1)/usr/share/ns-migration/40ipsec
 	$(INSTALL_BIN) ./files/scripts/hotspot $(1)/usr/share/ns-migration/40hotspot
+	$(INSTALL_BIN) ./files/scripts/nat_helpers $(1)/usr/share/ns-migration/40nat_helpers
 	$(INSTALL_BIN) ./files/scripts/rules $(1)/usr/share/ns-migration/50rules
 	$(INSTALL_BIN) ./files/scripts/redirects $(1)/usr/share/ns-migration/50redirects
 	$(INSTALL_BIN) ./files/scripts/reverse_proxy $(1)/usr/share/ns-migration/60reverse_proxy

packages/ns-migration/files/scripts/nat_helpers

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+
+> /etc/modules.d/ns-nathelpers
+
+# Configure FTP helpers
+for m in $(opkg files kmod-nf-nathelper | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1); do
+    echo $m >> /etc/modules.d/ns-nathelpers
+done
+
+# Configure all extra helpers
+for m in $(opkg files kmod-nf-nathelper-extra | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1); do
+    echo $m >> /etc/modules.d/ns-nathelpers
+done
+
+# Load all helpers
+for m in $(cat /etc/modules.d/ns-nathelpers); do
+    modprobe $m
+done