From 4c09d1cef1ff37ce285fb378af059b69585c1aa3 Mon Sep 17 00:00:00 2001
From: Filippo Carletti
Date: Mon, 20 May 2024 16:20:45 +0200
Subject: [PATCH 1/8] config: add nat helpers
---
 config/nat_helpers.conf | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 config/nat_helpers.conf
diff --git a/config/nat_helpers.conf b/config/nat_helpers.conf
new file mode 100644
index 000000000..0a4c4310f
--- /dev/null
+++ b/config/nat_helpers.conf
@@ -0,0 +1 @@
+CONFIG_PACKAGE_kmod-nf-nathelper=y
From 72f0de8672e8d9331a6d81e3e849fb762167c734 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 09:01:50 +0200
Subject: [PATCH 2/8] files: add nf-nathelper
Disable ftp NAT helper by default.
---
 files/etc/modules.d/nf-nathelper | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 files/etc/modules.d/nf-nathelper
diff --git a/files/etc/modules.d/nf-nathelper b/files/etc/modules.d/nf-nathelper
new file mode 100644
index 000000000..e69de29bb
From f3e7d129790456a59d83d6a0f7578601d3b310e9 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 09:07:10 +0200
Subject: [PATCH 3/8] ns-api: add ns-nathelpers to backup
Make sure to save the list of loaded NAT helpers across upgrades
---
 packages/ns-api/Makefile | 1 +
 packages/ns-api/files/nat-helpers.keep | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 packages/ns-api/files/nat-helpers.keep
diff --git a/packages/ns-api/Makefile b/packages/ns-api/Makefile
index 234ae6a90..4ec137f8b 100644
--- a/packages/ns-api/Makefile
+++ b/packages/ns-api/Makefile
@@ -148,6 +148,7 @@ define Package/ns-api/install
 $(INSTALL_DATA) ./files/ns.scan.json $(1)/usr/share/rpcd/acl.d/
 $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
 $(INSTALL_CONF) files/msmtp.keep $(1)/lib/upgrade/keep.d/msmtp
+ $(INSTALL_CONF) files/nat-helpers.keep $(1)/lib/upgrade/keep.d/nat-helpers
 $(LN) /usr/bin/msmtp $(1)/usr/sbin/sendmail
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_CONF) ./files/config $(1)/etc/config/ns-api
diff --git a/packages/ns-api/files/nat-helpers.keep b/packages/ns-api/files/nat-helpers.keep
new file mode 100644
index 000000000..7345ecb9e
--- /dev/null
+++ b/packages/ns-api/files/nat-helpers.keep
@@ -0,0 +1 @@
+/etc/modules.d/ns-nathelpers
From 47cd89e36d426bef1b125e076901c1d7c8dfe412 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 09:08:50 +0200
Subject: [PATCH 4/8] config: add all nat helpers to image
Preserving packages across upgrades and restores is not supported on OpenWrt
---
 config/nat_helpers.conf | 3 +++
 config/sipalg.conf | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)
 delete mode 100644 config/sipalg.conf
diff --git a/config/nat_helpers.conf b/config/nat_helpers.conf
index 0a4c4310f..f39e5ea14 100644
--- a/config/nat_helpers.conf
+++ b/config/nat_helpers.conf
@@ -1 +1,4 @@
 CONFIG_PACKAGE_kmod-nf-nathelper=y
+CONFIG_PACKAGE_kmod-asn1-decoder=y
+CONFIG_PACKAGE_kmod-lib-textsearch=y
+CONFIG_PACKAGE_kmod-nf-nathelper-extra=y
diff --git a/config/sipalg.conf b/config/sipalg.conf
deleted file mode 100644
index b187dea55..000000000
--- a/config/sipalg.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-CONFIG_PACKAGE_kmod-asn1-decoder=y
-CONFIG_PACKAGE_kmod-lib-textsearch=y
-CONFIG_PACKAGE_kmod-nf-nathelper-extra=m
From d93dfa5a8d29afe2c3c7c9649dfaa2c0d568d4b2 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 09:23:17 +0200
Subject: [PATCH 5/8] docs: document new nat helpers behavior
---
 docs/design/nat_helpers.md | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/docs/design/nat_helpers.md b/docs/design/nat_helpers.md
index 1bd233153..32a45d9f0 100644
--- a/docs/design/nat_helpers.md
+++ b/docs/design/nat_helpers.md
@@ -6,16 +6,20 @@ parent: Design
 # NAT helpers
-As default the image does not contain many NAT helpers.
-To install extra helpers like SIP ALG use:
+The image contains already all commonly used NAT helpers,
+but helpers are not loaded by default on a new installation.
+
+Please note that after migration, all NAT helpers are loaded
+by default to preserve NethServer 7 behavior.
+
+The `kmod-nf-nathelper` package provides the following helpers:
+`opkg files kmod-nf-nathelper | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1`
 ```
-opkg update
-opkg install kmod-nf-nathelper-extra
+nf_nat_ftp
+nf_conntrack_ftp
 ```
-Modules listed inside inside `/etc/modules.d/nf-nathelper-extra` are automatically loaded.
-
-The `kmod-nf-nathelper-extra` provides the following helpers:
+The `kmod-nf-nathelper-extra` package provides the following helpers:
 `opkg files kmod-nf-nathelper-extra | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1`
 ```
 nf_conntrack_pptp
@@ -35,11 +39,19 @@ nf_conntrack_h323
 nf_nat_irc
 ```
+## FTP helper
+
+To enable only the FTP helper:
+```
+echo -ne "nf_conntrack_ftp\nnf_nat_ftp\n" > /etc/modules.d/ns-nathelpers
+reboot
+```
+
 ## SIP helper (SIP ALG)
 To enable only SIP helper with default configuration and load it at boot, use:
 ```
-echo nf_nat_sip > /etc/modules.d/nf-nat-sip
+echo nf_nat_sip > /etc/modules.d/ns-nathelpers
 reboot
 ```
 The `nf_nat_sip` module will automatically load the `nf_conntrack_sip` module.
@@ -64,7 +76,7 @@ From [kernel source](https://github.com/torvalds/linux/blob/v5.10/net/netfilter/
 Enable SIP helper with non-default parameters:
 ```
-echo nf_conntrack_sip sip_external_media=1 sip_direct_media=1 > /etc/modules.d/nf-nat-sip
-echo nf_nat_sip >> /etc/modules.d/nf-nat-sip
+echo nf_conntrack_sip sip_external_media=1 sip_direct_media=1 > /etc/modules.d/ns-nathelpers
+echo nf_nat_sip >> /etc/modules.d/ns-nathelpers
 reboot
 ```
From 621e61c70a6867b3c4f6cd0cabce811994885cae Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 09:42:22 +0200
Subject: [PATCH 6/8] ns-migration: load all NAT helpers
---
 packages/ns-migration/Makefile | 1 +
 .../ns-migration/files/scripts/nat_helpers | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 packages/ns-migration/files/scripts/nat_helpers
diff --git a/packages/ns-migration/Makefile b/packages/ns-migration/Makefile
index 1c85a035e..0bffe7596 100644
--- a/packages/ns-migration/Makefile
+++ b/packages/ns-migration/Makefile
@@ -52,6 +52,7 @@ define Package/ns-migration/install
 $(INSTALL_BIN) ./files/scripts/openvpn_tunnels $(1)/usr/share/ns-migration/40openvpn_tunnels
 $(INSTALL_BIN) ./files/scripts/ipsec $(1)/usr/share/ns-migration/40ipsec
 $(INSTALL_BIN) ./files/scripts/hotspot $(1)/usr/share/ns-migration/40hotspot
+ $(INSTALL_BIN) ./files/scripts/nat_helpers $(1)/usr/share/ns-migration/40nat_helpers
 $(INSTALL_BIN) ./files/scripts/rules $(1)/usr/share/ns-migration/50rules
 $(INSTALL_BIN) ./files/scripts/redirects $(1)/usr/share/ns-migration/50redirects
 $(INSTALL_BIN) ./files/scripts/reverse_proxy $(1)/usr/share/ns-migration/60reverse_proxy
diff --git a/packages/ns-migration/files/scripts/nat_helpers b/packages/ns-migration/files/scripts/nat_helpers
new file mode 100644
index 000000000..c978710f6
--- /dev/null
+++ b/packages/ns-migration/files/scripts/nat_helpers
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+
+> /etc/modules.d/ns-nathelpers
+
+# Configure FTP helpers
+for m in $(opkg files kmod-nf-nathelper | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1); do
+ echo $m >> /etc/modules.d/ns-nathelpers
+done
+
+# Configure all extra helpers
+for m in $(opkg files kmod-nf-nathelper-extra | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1); do
+ echo $m >> /etc/modules.d/ns-nathelpers
+done
+
+# Load all helpers
+for m in $(cat /etc/modules.d/ns-nathelpers); do
+ modprobe $m
+done
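Review bot: The script empties `/etc/modules.d/ns-nathelpers` with `> /etc/modules.d/ns-nathelpers` before the two `opkg files` queries run and never checks their result, so if opkg fails or a kmod package is missing the `for` lists are empty, the file stays empty and the script exits 0 — a migrated system would then silently have no helpers, the opposite of what the commit intends. Before the final load loop add `[ -s /etc/modules.d/ns-nathelpers ] || { echo "nat_helpers: no helper modules found" >&2; exit 1; }`, and make the load loop `modprobe $m || exit 1` so a module that fails to load is reported instead of being listed as enabled. `cut -d'/' -f 5` assumes opkg prints paths shaped like `/lib/modules/<version>/<name>.ko`; a comment stating that assumption would help the next maintainer. Since this enables every helper the image ships (the lists in docs/design/nat_helpers.md include pptp, h323, sip and irc), a header comment saying this is a deliberate NethServer 7 compatibility choice — and, if it is configured elsewhere, where the firewall actually attaches these helpers to flows — would make the widened connection-tracking surface reviewable.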
From 104e54bfa6f453f63989a60dbb40dbf69ef8f99a Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 11:32:34 +0200
Subject: [PATCH 7/8] docs: improve nat helpers reload
---
 docs/design/nat_helpers.md | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/docs/design/nat_helpers.md b/docs/design/nat_helpers.md
index 32a45d9f0..5241601b8 100644
--- a/docs/design/nat_helpers.md
+++ b/docs/design/nat_helpers.md
@@ -39,15 +39,15 @@ nf_conntrack_h323
 nf_nat_irc
 ```
-## FTP helper
+## Enable FTP helper
 To enable only the FTP helper:
 ```
 echo -ne "nf_conntrack_ftp\nnf_nat_ftp\n" > /etc/modules.d/ns-nathelpers
-reboot
+load-kernel-modules
 ```
-## SIP helper (SIP ALG)
+## Enable SIP helper (SIP ALG)
 To enable only SIP helper with default configuration and load it at boot, use:
 ```
@@ -76,7 +76,13 @@ From [kernel source](https://github.com/torvalds/linux/blob/v5.10/net/netfilter/
 Enable SIP helper with non-default parameters:
 ```
-echo nf_conntrack_sip sip_external_media=1 sip_direct_media=1 > /etc/modules.d/ns-nathelpers
+echo nf_conntrack_sip sip_external_media=1 > /etc/modules.d/ns-nathelpers
 echo nf_nat_sip >> /etc/modules.d/ns-nathelpers
-reboot
+load-kernel-modules
 ```
+
+When setting non-default parameters, it's recommended to reboot the system to ensure the correct module parameters are applied.
+
+## Disable an helper
+
+To disable an helper, remove it from the `/etc/modules.d/ns-nathelpers` file and reboot.
From e8a171cf89f29adc5dfbba473e62c26df15c0f4e Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 21 May 2024 11:32:40 +0200
Subject: [PATCH 8/8] ns-api: add load-kernel-modules
New helper to load all configured kernel modules and set their parameters. If the script fails to set a parameter, it exists with special code 99
---
 packages/ns-api/Makefile | 1 +
 packages/ns-api/files/load-kernel-modules | 30 ++++++++++++++++++++++
 packages/ns-api/files/load-modules | 31 +++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 create mode 100644 packages/ns-api/files/load-kernel-modules
 create mode 100644 packages/ns-api/files/load-modules
diff --git a/packages/ns-api/Makefile b/packages/ns-api/Makefile
index 4ec137f8b..ca48a51ac 100644
--- a/packages/ns-api/Makefile
+++ b/packages/ns-api/Makefile
@@ -150,6 +150,7 @@ define Package/ns-api/install
 $(INSTALL_CONF) files/msmtp.keep $(1)/lib/upgrade/keep.d/msmtp
 $(INSTALL_CONF) files/nat-helpers.keep $(1)/lib/upgrade/keep.d/nat-helpers
 $(LN) /usr/bin/msmtp $(1)/usr/sbin/sendmail
+ $(INSTALL_BIN) ./files/load-kernel-modules $(1)/usr/sbin/load-kernel-modules
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_CONF) ./files/config $(1)/etc/config/ns-api
 $(INSTALL_CONF) ./files/templates $(1)/etc/config/
diff --git a/packages/ns-api/files/load-kernel-modules b/packages/ns-api/files/load-kernel-modules
new file mode 100644
index 000000000..bffa70af7
--- /dev/null
+++ b/packages/ns-api/files/load-kernel-modules
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+# Load all kernel modules from /etc/modules.d/ns-nathelpers
+# Example:
+# nf_conntrack_sip sip_external_media=1 sip_direct_media=1
+
+exit_code=0
+
+# Load all module
+for line in "$(grep -v '^#' /etc/modules.d/ns-nathelpers)"; do
+ module=$(echo $line | awk '{print $1}')
+ modprobe $module
+ for param in $(echo $line | awk '{for(i=2;i<=NF;++i)print $i}'); do
+ # Set parameter using /sys since modprobe doesn't support parameters
+ key=$(echo $param | cut -d= -f1)
+ value=$(echo $param | cut -d= -f2)
+ echo $value > /sys/module/$module/parameters/$key
+ if [ $? -ne 0 ]; then
+ exit_code=99
+ fi
+ done
+done
+
+# Special exit code 99 means that at least one parameter failed to be set
+exit $exit_code
\ No newline at end of file
diff --git a/packages/ns-api/files/load-modules b/packages/ns-api/files/load-modules
new file mode 100644
index 000000000..f49d371fe
--- /dev/null
+++ b/packages/ns-api/files/load-modules
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+# Load all kernel modules from /etc/modules.d/ns-nathelpers
+# Example:
+# nf_conntrack_sip sip_external_media=1 sip_direct_media=1
+
+exit_code=0
+
+# Load all module
+for line in "$(grep -v '^#' /etc/modules.d/ns-nathelpers)"; do
+ module=$(echo $line | awk '{print $1}')
+ modprobe $module
+ exit_code=$?
+ for param in $(echo $line | awk '{for(i=2;i<=NF;++i)print $i}'); do
+ # Set parameter using /sys since modprobe doesn't support parameters
+ key=$(echo $param | cut -d= -f1)
+ value=$(echo $param | cut -d= -f2)
+ echo $value > /sys/module/$module/parameters/$key
+ if [ $? -ne 0 ]; then
+ exit_code=99
+ fi
+ done
+done
+
+# Special exit code 99 means that at least one parameter failed to be set
+exit $exit_code
\ No newline at end of file
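Review bot: The loop header `for line in "$(grep -v '^#' /etc/modules.d/ns-nathelpers)"; do` quotes the command substitution, so the body runs exactly once with the whole file in `$line`: `echo $line | awk '{print $1}'` then yields only the first module, and every other word in the file — including module names on later lines — goes through the parameter loop, where `cut -d= -f2` on a word without `=` returns the word itself and the write to `/sys/module/$module/parameters/$key` fails, producing exit 99. Both examples in docs/design/nat_helpers.md (`nf_conntrack_ftp` and `nf_nat_ftp` on two lines; `nf_conntrack_sip ...` followed by `nf_nat_sip`) hit this. Iterating line by line while keeping `exit_code` in the parent shell needs `while IFS= read -r line || [ -n "$line" ]; do` as the loop header, `[ -z "$line" ] && continue` as its first statement and `done < <(grep -v '^#' /etc/modules.d/ns-nathelpers)` at its end; a missing config file should then be an explicit early exit rather than a grep error followed by one empty iteration. The return code of `modprobe $module` is never checked here, so a helper that fails to load is reported as success unless a parameter write also fails. The same loop appears in the load-modules hunk below; and if the target's modprobe accepts `MODULE [SYMBOL=VALUE]...` (busybox documents this form), passing the parameters on the modprobe line would apply them at load time and avoid the /sys write, which cannot succeed for parameters exposed read-only.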
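Review bot: `packages/ns-api/files/load-modules` is a copy of load-kernel-modules that nothing installs — the ns-api Makefile hunk in this patch adds only `$(INSTALL_BIN) ./files/load-kernel-modules $(1)/usr/sbin/load-kernel-modules` — so it ships nowhere and will drift from the installed script. Unless something outside this series references it, drop the file; if both are meant to exist, the commit message should say which one the `load-kernel-modules` command in docs/design/nat_helpers.md runs. Its one difference, `exit_code=$?` after `modprobe $module`, is overwritten by the next iteration's modprobe and also discards an earlier 99, so it does not reliably surface either failure.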