Use HELPERS to enable/disable helper association.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-22 21:48:39 +01:00 · 2012-08-03 19:26:02 -07:00 · 2012-08-03 19:26:02 -07:00 · 093985dd93
commit 093985dd93
parent 72307df6d2
4 changed files with 26 additions and 0 deletions
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -710,6 +710,16 @@ sub compiler {
    #
    setup_proxy_arp;

+    my $setting = supplied $config{HELPERS} ? 0 : 1;
+
+    emit( "#\n# Set automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Setting up Automatic Helper Association"',
+	  "    echo $setting > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -62,6 +62,7 @@ our @EXPORT = qw(

 		 have_capability
 		 require_capability
+		 kernel_version
                );

 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@ -3643,6 +3644,13 @@ sub require_capability( $$$ ) {
    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability;
 }

+#
+# Return Kernel Version
+#
+sub kernel_version() {
+    $capabilities{KERNELVERSION}
+}
+
 #
 # Set default config path
 #
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -737,6 +737,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              <para>tftp</para>
            </listitem>
          </itemizedlist>
+
+          <para>When HELPERS is specified on a system running Kernel 3.5.0 or
+          later, automatic association of helpers to connections is disabled.
+          </para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -646,6 +646,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              <para>tftp</para>
            </listitem>
          </itemizedlist>
+
+          <para>When HELPERS is specified on a system running Kernel 3.5.0 or
+          later, automatic association of helpers to connections is disabled.
+          </para>
        </listitem>
      </varlistentry>