diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 5ac506ec2..ef2beb7af 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2020,6 +2020,16 @@ determine_capabilities() {
GEOIP_MATCH=
RPFILTER_MATCH=
NFACCT_MATCH=
+ AMANDA_HELPER=
+ FTP_HELPER=
+ IRC_HELPER=
+ NETBIOS_NS_HELPER=
+ H323_HELPERS=
+ PPTP_HELPER=
+ SANE_HELPER=
+ SIP_HELPER=
+ SNMP_HELPER=
+ TFTP_HELPER=
chain=fooX$$
@@ -2173,15 +2183,30 @@ determine_capabilities() {
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
fi
- qt $g_tool -t raw -L -n && RAW_TABLE=Yes
+ qt $g_tool -t raw -L -n && RAW_TABLE=Yes
qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
if [ -n "$RAW_TABLE" ]; then
- qt $g_tool -t raw -N $chain
- qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
- qt $g_tool -t raw -N $chain
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
+ qt $g_tool -t raw -N $chain
+
+ if qt $g_tool -t raw -A $chain -j CT --notrack; then
+ CT_TARGET=Yes
+ qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPERS=Yes
+ qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
+ qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
+ fi
+
+ qt $g_tool -t raw -F $chain
+ qt $g_tool -t raw -X $chain
fi
if qt mywhich ipset; then
@@ -2360,6 +2385,16 @@ report_capabilities() {
report_capability "Geo IP match" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH
report_capability "NFAcct match" $NFACCT_MATCH
+ report_capability "Amanda Helper" $AMANDA_HELPER
+ report_capability "FTP Helper" $FTP_HELPER
+ report_capability "IRC Helper" $IRC_HELPER
+ report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
+ report_capability "H323 Helpers" H323_HELPERS
+ report_capability "PPTP Helper" $PPTP_HELPER
+ report_capability "SANE Helper" $SANE_HELPER
+ report_capability "SIP Helper" $SIP_HELPER
+ report_capability "SNMP Helper" $SNMP_HELPER
+ report_capability "TFTP Helper" $TFTP_HELPER
if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
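Review bot: The H323 line is missing the `$` sigil — `report_capability "H323 Helpers" H323_HELPERS` passes the literal string rather than the variable's value, so this capability will always be reported as present regardless of what determine_capabilities found. It should read `report_capability "H323 Helpers" $H323_HELPERS`, matching the nine neighbouring lines. report_capabilities continues outside the hunk.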
@@ -2453,6 +2488,15 @@ report_capabilities1() {
report_capability1 GEOIP_MATCH
report_capability1 RPFILTER_MATCH
report_capability1 NFACCT_MATCH
+ report_capability1 AMANDA_HELPER
+ report_capability1 FTP_HELPER
+ report_capability1 IRC_HELPER
+ report_capability1 NETBIOS_NS_HELPER
+ report_capability1 H323_HELPERS
+ report_capability1 PPTP_HELPER
+ report_capability1 SANE_HELPER
+ report_capability1 SNMP_HELPER
+ report_capability1 TFTP_HELPER
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
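Review bot: The new list in report_capabilities1 omits SIP_HELPER — it jumps from SANE_HELPER straight to SNMP_HELPER — so SIP_HELPER is never written to a saved capabilities file and `?IF __SIP_HELPER` in the conntrack file evaluates false whenever capabilities are read from a file instead of detected live. Add `report_capability1 SIP_HELPER` between the SANE and SNMP lines, in the same order as report_capabilities above. report_capabilities1 continues outside the hunk.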
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 67eb43c73..709801f2b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -28,7 +28,7 @@ package Shorewall::Chains;
require Exporter;
use Scalar::Util 'reftype';
-use Digest::SHA1 qw(sha1);
+use Digest::SHA qw(sha1);
use File::Basename;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
@@ -331,7 +331,19 @@ our $rawpost_table;
our $nat_table;
our $mangle_table;
our $filter_table;
-our %helpers;
+our %helpers = ( amanda => UDP,
+ ftp => TCP,
+ irc => TCP,
+ 'netbios-ns' => UDP,
+ pptp => TCP,
+ 'Q.931' => TCP,
+ RAS => UDP,
+ sane => TCP,
+ sip => UDP,
+ snmp => UDP,
+ tftp => UDP,
+ );
+
my $comment;
my @comments;
my $export;
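Review bot: Moving the table into the declaration means %helpers is built once at load time and, with the reset removed from initialize() in the next hunk, never rebuilt; that is correct only if nothing writes to the hash, which cannot be confirmed from this hunk. A short comment such as `# Helper name => transport protocol; treated as a read-only table` above the declaration would make the intent explicit. Note also that the same key list now exists twice — here and as %helpers_map in Config.pm — so the two must be kept in step by hand.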
@@ -654,19 +666,6 @@ sub initialize( $$$ ) {
%ipset_exists = ();
- %helpers = ( amanda => UDP,
- ftp => TCP,
- irc => TCP,
- 'netbios-ns' => UDP,
- pptp => TCP,
- 'Q.931' => TCP,
- RAS => UDP,
- sane => TCP,
- sip => UDP,
- snmp => UDP,
- tftp => UDP,
- );
-
%isocodes = ();
%nfobjects = ();
@@ -4341,6 +4340,8 @@ sub validate_helper( $;$ ) {
# Recognized helper
#
if ( supplied $proto ) {
+ require_capability $helpers_map{$helper}, "Helper $helper", 's';
+
my $protonum = -1;
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
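Review bot: The new require_capability call sits inside `if ( supplied $proto )`, so a helper given without a protocol is presumably validated on the other branch (outside the hunk) without any capability check; if that branch exists, the check belongs before the `if`, where it covers both paths. It also assumes every key of %helpers in Chains.pm is present in %helpers_map — true today, but a helper added to only one table would pass an undefined capability name here, so a guard like `fatal_error "No capability defined for helper $helper" unless defined $helpers_map{$helper};` is cheap insurance. validate_helper starts and ends outside the hunk.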
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 654083b42..68fe47b8a 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -144,6 +144,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%config_files
%shorewallrc
+ %helpers_map
+
@auditoptions
F_IPV4
@@ -314,6 +316,17 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
GEOIP_MATCH => 'GeoIP Match' ,
RPFILTER_MATCH => 'RPFilter Match',
NFACCT_MATCH => 'NFAcct Match',
+ AMANDA_HELPER => 'Amanda Helper',
+ FTP_HELPER => 'FTP Helper',
+ H323_HELPERS => 'H323 Helpers',
+ IRC_HELPER => 'IRC Helper',
+ NETBIOS_NS_HELPER =>
+ 'Amanda Helper',
+ PPTP_HELPER => 'PPTP Helper',
+ SANE_HELPER => 'Amanda Helper',
+ SIP_HELPER => 'SIP Helper',
+ SNMP_HELPER => 'SNMP Helper',
+ TFTP_HELPER => 'TFTP Helper',
#
# Constants
#
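Review bot: Two of the new %capdesc descriptions are copy-paste errors — both NETBIOS_NS_HELPER and SANE_HELPER read 'Amanda Helper', which is what users will see in the capabilities report for those entries. They should be `NETBIOS_NS_HELPER => 'Netbios_ns Helper',` and `SANE_HELPER => 'SANE Helper',` to match the names lib.cli prints. The NETBIOS_NS_HELPER entry is also split across two lines unlike its neighbours, which is presumably what hid the wrong value.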
@@ -322,6 +335,19 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
KERNELVERSION => 'Kernel Version',
);
+our %helpers_map = ( amanda => 'AMANDA_HELPER',
+ ftp => 'FTP_HELPER',
+ irc => 'IRC_HELPER',
+ 'netbios-ns' => 'NETBIOS_NS_HELPER',
+ pptp => 'PPTP_HELPER',
+ 'Q.931' => 'H323_HELPERS',
+ RAS => 'H323_HELPERS',
+ sane => 'SANE_HELPER',
+ sip => 'SIP_HELPER',
+ snmp => 'SNMP_HELPER',
+ tftp => 'TFTP_HELPER',
+ );
+
our %config_files = ( #accounting => 1,
actions => 1,
blacklist => 1,
@@ -773,6 +799,17 @@ sub initialize( $;$ ) {
GEOIP_MATCH => undef,
RPFILTER_MATCH => undef,
NFACCT_MATCH => undef,
+ AMANDA_HELPER => undef,
+ FTP_HELPER => undef,
+ H323_HELPERS => undef,
+ IRC_HELPER => undef,
+ NETBIOS_NS_HELPER => undef,
+ PPTP_HELPER => undef,
+ SANE_HELPER => undef,
+ SIP_HELPER => undef,
+ SNMP_HELPER => undef,
+ TFTP_HELPER => undef,
+
CAPVERSION => undef,
LOG_OPTIONS => 1,
KERNELVERSION => undef,
@@ -949,6 +986,12 @@ sub cleanup() {
qt1( "$iptables -X $sillyname1" );
qt1( "$iptables -t mangle -F $sillyname" );
qt1( "$iptables -t mangle -X $sillyname" );
+ qt1( "$iptables -t nat -F $sillyname" );
+ qt1( "$iptables -t nat -X $sillyname" );
+ qt1( "$iptables -t raw -F $sillyname" );
+ qt1( "$iptables -t raw -X $sillyname" );
+ qt1( "$iptables -t rawpost -F $sillyname" );
+ qt1( "$iptables -t rawpost -X $sillyname" );
$sillyname = '';
}
}
@@ -3200,17 +3243,56 @@ sub Ct_Target() {
if ( have_capability 'RAW_TABLE' ) {
qt1( "$iptables -t raw -N $sillyname" );
$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
- qt1( "$iptables -t raw -F $sillyname" );
- qt1( "$iptables -t raw -X $sillyname" );
}
$ct_target;
}
+sub Amanda_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
+}
+
+sub FTP_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 21 -j CT --helper ftp" );
+}
+
+sub H323_Helpers() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 1719 -j CT --helper RAS" );
+}
+
+sub IRC_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6667 -j CT --helper irc" );
+}
+
+sub Netbios_ns_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 137 -j CT --helper netbios-ns" );
+}
+
+sub PPTP_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 1729 -j CT --helper pptp" );
+}
+
+sub SANE_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6566 -j CT --helper sane" );
+}
+
+sub SIP_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 5060 -j CT --helper sip" );
+}
+
+sub SNMP_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 161 -j CT --helper snmp" );
+}
+
+sub TFTP_Helper() {
+ have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 69 -j CT --helper tftp" );
+}
+
sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
}
+
sub Imq_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
}
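Review bot: The ten new probe subs are identical apart from protocol, port and helper name, so a single `sub Helper_Probe { my ($proto, $port, $helper) = @_; have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" ); }` with each named sub reduced to one call would keep the table in one place and stop the command string drifting between entries. The pptp probe uses `--dport 1729`; PPTP control traffic is defined on TCP 1723, and 1729 also appears in the pre-existing conntrack entries on this page, so it looks like a long-standing typo worth confirming (it does not affect the probe itself, which only tests that the helper target is accepted). These subs also rely on the raw-table $sillyname chain that Ct_Target now leaves in place, so they must run after Ct_Target in the same determine_capabilities pass — `have_capability 'CT_TARGET'` alone does not guarantee the chain exists. A one-line comment on Ct_Target saying the chain is deliberately left for the helper probes would explain the removed flush.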
@@ -3245,6 +3327,7 @@ sub GeoIP_Match() {
our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target,
+ AMANDA_HELPER => \&Amanda_Helper,
AUDIT_TARGET => \&Audit_Target,
ADDRTYPE => \&Addrtype,
BASIC_FILTER => \&Basic_Filter,
@@ -3261,9 +3344,11 @@ our %detect_capability =
ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter,
+ FTP_HELPER => \&FTP_Helper,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target,
+ H323_HELPERS => \&H323_Helpers,
HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match,
@@ -3272,6 +3357,7 @@ our %detect_capability =
IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match,
IPSET_MATCH => \&IPSet_Match,
+ IRC_HELPER => \&IRC_Helper,
OLD_IPSET_MATCH => \&Old_IPSet_Match,
IPSET_V5 => \&IPSET_V5,
IPTABLES_S => \&Iptables_S,
@@ -3287,6 +3373,7 @@ our %detect_capability =
MARK_ANYWHERE => \&Mark_Anywhere,
MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled,
+ NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
NFACCT_MATCH => \&NFAcct_Match,
NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -3299,13 +3386,18 @@ our %detect_capability =
PHYSDEV_BRIDGE => \&Physdev_Bridge,
PHYSDEV_MATCH => \&Physdev_Match,
POLICY_MATCH => \&Policy_Match,
+ PPTP_HELPER => \&PPTP_Helper,
RAW_TABLE => \&Raw_Table,
RAWPOST_TABLE => \&Rawpost_Table,
REALM_MATCH => \&Realm_Match,
RECENT_MATCH => \&Recent_Match,
RPFILTER_MATCH => \&RPFilter_Match,
+ SANE_HELPER => \&SANE_Helper,
+ SIP_HELPER => \&SIP_Helper,
+ SNMP_HELPER => \&SNMP_Helper,
STATISTIC_MATCH => \&Statistic_Match,
TCPMSS_MATCH => \&Tcpmss_Match,
+ TFTP_HELPER => \&TFTP_Helper,
TIME_MATCH => \&Time_Match,
TPROXY_TARGET => \&Tproxy_Target,
USEPKTTYPE => \&Usepkttype,
@@ -3445,6 +3537,12 @@ sub determine_capabilities() {
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
+
+ if ( $capabilities{CT_TARGET} ) {
+ for ( values %helpers_map ) {
+ $capabilities{$_} = detect_capability $_;
+ }
+ }
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
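Review bot: `values %helpers_map` contains H323_HELPERS twice (both Q.931 and RAS map to it), so that probe is run and assigned twice; harmless but wasteful and it will grow with every alias added. Iterating over the distinct values, e.g. `my %seen; for ( grep { !$seen{$_}++ } values %helpers_map ) {`, avoids the repeat. A comment noting that these probes append to the raw-table chain Ct_Target left behind would help the next reader, since nothing in this loop shows where the rules go.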
@@ -3461,6 +3559,11 @@ sub determine_capabilities() {
qt1( "$iptables -t nat -X $sillyname" );
}
+ if ( $capabilities{RAW_ENABLED} ) {
+ qt1( "$iptables -t raw -F $sillyname" );
+ qt1( "$iptables -t raw -X $sillyname" );
+ }
+
$sillyname = $sillyname1 = undef;
}
}
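Review bot: The new guard tests `$capabilities{RAW_ENABLED}`, but elsewhere on this page the raw-table capability is keyed RAW_TABLE (`have_capability 'RAW_TABLE'` in Ct_Target and `RAW_TABLE => \&Raw_Table` in %detect_capability), so unless RAW_ENABLED is defined somewhere outside this diff the block never runs and the raw-table $sillyname chain that Ct_Target no longer deletes is only removed by cleanup(). It should read `if ( $capabilities{RAW_TABLE} ) {`. determine_capabilities starts outside the hunk.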
@@ -3743,7 +3846,9 @@ sub read_capabilities() {
next;
}
- $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+ $val = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+
+ $capabilities{$var} = $val ne '';
} else {
fatal_error "Unrecognized capabilities entry";
}
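Review bot: `$capabilities{$var} = $val ne '';` coerces every value read from the capabilities file to a boolean, but not every entry is a flag — CAPVERSION and KERNELVERSION are written as values by report_capabilities1 and listed under "Constants" in %capdesc. Unless those two are consumed by the branch ending in `next;` just above (outside the hunk), they will now be stored as 1 and any version comparison against them will silently misbehave. Restricting the coercion to detectable flags, e.g. `$capabilities{$var} = exists $detect_capability{$var} ? $val ne '' : $val;`, keeps the intended normalisation without touching the constants. read_capabilities starts and ends outside the hunk.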
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
index 5e4733b5b..34cb07071 100644
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -9,17 +9,38 @@ FORMAT 2
# PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET
COMMENT AUTOHELPERS
-CT:helper:ftp all - tcp 21
+?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080
+?ENDIF
+?IF __FTP_HELPER
+CT:helper:ftp all - tcp 21
+?ENDIF
+?IF __H323_HELPERS
COMMENT AUTOHELPERS - H323
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS
-CT:helper:sip all - udp 5060
-CT:helper:tftp all - udp 69
-CT:helper:sane all - tcp 6566
+?ENDIF
+?IF __IRC_HELPER
CT:helper:irc all - tcp 6667
+?ENDIF
+?IF __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
+?ENDIF
+?IF __PPTP_HELPER
CT:helper:pptp all - tcp 1729
+?ENDIF
+?IF __SANE_HELPER
+CT:helper:sane all - tcp 6566
+?ENDIF
+?IF __SIP_HELPER
+CT:helper:sip all - udp 5060
+?ENDIF
+?IF __SNMP_HELPER
+CT:helper:snmp all - udp 161
+?ENDIF
+?IF __TFTP_HELPER
+CT:helper:tftp all - udp 69
+?ENDIF
COMMENT
?ENDIF
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index eb6cdd907..b401e1a5a 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -76,8 +76,104 @@
Attach the helper identified by the
name to this connection. This is more
- flexible than loading the conntrack helper with preset ports.
- May be followed by an option list of
+ flexible than loading the conntrack helper with preset
+ ports.
+
+ At this writing, the available helpers are:
+
+
+
+ amanda
+
+
+ Requires that the amanda netfilter helper is
+ present.
+
+
+
+
+ ftp
+
+
+ Requires that the FTP netfilter helper is
+ present.
+
+
+
+
+ irc
+
+
+ Requires that the IRC netfilter helper is
+ present.
+
+
+
+
+ netbios-ns
+
+
+ Requires that the netbios_ns (sic) helper is
+ present.
+
+
+
+
+ RAS and Q.931
+
+
+ These require that the H323 netfilter helper is
+ present.
+
+
+
+
+ pptp
+
+
+ Requires that the pptp netfilter helper is
+ present.
+
+
+
+
+ sane
+
+
+ Requires that the SANE netfilter helper is
+ present.
+
+
+
+
+ sip
+
+
+ Requires that the SIP netfilter helper is
+ present.
+
+
+
+
+ snmp
+
+
+ Requires that the SNMP netfilter helper is
+ present.
+
+
+
+
+ tftp
+
+
+ Requires that the TFTP netfilter helper is
+ present.
+
+
+
+
+ May be followed by an option list of
arg=val
pairs in parentheses:
diff --git a/Shorewall6/configfiles/conntrack b/Shorewall6/configfiles/conntrack
index cca4209ab..a8a0e315a 100644
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -9,14 +9,38 @@ FORMAT 2
# PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET
COMMENT AUTOHELPERS
-CT:helper:ftp all - tcp 21
+?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080
+?ENDIF
+?IF __FTP_HELPER
+CT:helper:ftp all - tcp 21
+?ENDIF
+?IF __H323_HELPERS
COMMENT AUTOHELPERS - H323
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS
-CT:helper:sip all - udp 5060
-CT:helper:tftp all - udp 69
+?ENDIF
+?IF __IRC_HELPER
+CT:helper:irc all - tcp 6667
+?ENDIF
+?IF __NETBIOS_NS_HELPER
+CT:helper:netbios-ns all - udp 137
+?ENDIF
+?IF __PPTP_HELPER
+CT:helper:pptp all - tcp 1729
+?ENDIF
+?IF __SANE_HELPER
CT:helper:sane all - tcp 6566
+?ENDIF
+?IF __SIP_HELPER
+CT:helper:sip all - udp 5060
+?ENDIF
+?IF __SNMP_HELPER
+CT:helper:snmp all - udp 161
+?ENDIF
+?IF __TFTP_HELPER
+CT:helper:tftp all - udp 69
+?ENDIF
COMMENT
?ENDIF