extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 07:33:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Detect which matches are available.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-02 15:38:23 -07:00
parent 223ed5b3a3
commit 21770a89d6
6 changed files with 322 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
Shorewall-core/lib.cli
View File

@ -2020,6 +2020,16 @@ determine_capabilities() {
GEOIP_MATCH= GEOIP_MATCH=
RPFILTER_MATCH= RPFILTER_MATCH=
NFACCT_MATCH= NFACCT_MATCH=
AMANDA_HELPER=
FTP_HELPER=
IRC_HELPER=
NETBIOS_NS_HELPER=
H323_HELPERS=
PPTP_HELPER=
SANE_HELPER=
SIP_HELPER=
SNMP_HELPER=
TFTP_HELPER=
chain=fooX$$ chain=fooX$$
@ -2173,15 +2183,30 @@ determine_capabilities() {
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
fi fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes qt $g_tool -t raw -L -n && RAW_TABLE=Yes
qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
if [ -n "$RAW_TABLE" ]; then if [ -n "$RAW_TABLE" ]; then
qt $g_tool -t raw -N $chain
qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
qt $g_tool -t raw -N $chain
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain qt $g_tool -t raw -X $chain
qt $g_tool -t raw -N $chain
if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPERS=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
fi
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
fi fi
if qt mywhich ipset; then if qt mywhich ipset; then
@ -2360,6 +2385,16 @@ report_capabilities() {
report_capability "Geo IP match" $GEOIP_MATCH report_capability "Geo IP match" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH report_capability "RPFilter match" $RPFILTER_MATCH
report_capability "NFAcct match" $NFACCT_MATCH report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER
report_capability "IRC Helper" $IRC_HELPER
report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
report_capability "H323 Helpers" H323_HELPERS
report_capability "PPTP Helper" $PPTP_HELPER
report_capability "SANE Helper" $SANE_HELPER
report_capability "SIP Helper" $SIP_HELPER
report_capability "SNMP Helper" $SNMP_HELPER
report_capability "TFTP Helper" $TFTP_HELPER
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@ -2453,6 +2488,15 @@ report_capabilities1() {
report_capability1 GEOIP_MATCH report_capability1 GEOIP_MATCH
report_capability1 RPFILTER_MATCH report_capability1 RPFILTER_MATCH
report_capability1 NFACCT_MATCH report_capability1 NFACCT_MATCH
report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER
report_capability1 IRC_HELPER
report_capability1 NETBIOS_NS_HELPER
report_capability1 H323_HELPERS
report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER
report_capability1 SNMP_HELPER
report_capability1 TFTP_HELPER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION

31
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -28,7 +28,7 @@ package Shorewall::Chains;
require Exporter; require Exporter;
use Scalar::Util 'reftype'; use Scalar::Util 'reftype';
use Digest::SHA1 qw(sha1); use Digest::SHA qw(sha1);
use File::Basename; use File::Basename;
use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones; use Shorewall::Zones;
@ -331,7 +331,19 @@ our $rawpost_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
our %helpers; our %helpers = ( amanda => UDP,
ftp => TCP,
irc => TCP,
'netbios-ns' => UDP,
pptp => TCP,
'Q.931' => TCP,
RAS => UDP,
sane => TCP,
sip => UDP,
snmp => UDP,
tftp => UDP,
);
my $comment; my $comment;
my @comments; my @comments;
my $export; my $export;
@ -654,19 +666,6 @@ sub initialize( $$$ ) {
%ipset_exists = (); %ipset_exists = ();
%helpers = ( amanda => UDP,
ftp => TCP,
irc => TCP,
'netbios-ns' => UDP,
pptp => TCP,
'Q.931' => TCP,
RAS => UDP,
sane => TCP,
sip => UDP,
snmp => UDP,
tftp => UDP,
);
%isocodes = (); %isocodes = ();
%nfobjects = (); %nfobjects = ();
@ -4341,6 +4340,8 @@ sub validate_helper( $;$ ) {
# Recognized helper # Recognized helper
# #
if ( supplied $proto ) { if ( supplied $proto ) {
require_capability $helpers_map{$helper}, "Helper $helper", 's';
my $protonum = -1; my $protonum = -1;
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) ); fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );

111
Shorewall/Perl/Shorewall/Config.pm
View File

@ -144,6 +144,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%config_files %config_files
%shorewallrc %shorewallrc
%helpers_map
@auditoptions @auditoptions
F_IPV4 F_IPV4
@ -314,6 +316,17 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
GEOIP_MATCH => 'GeoIP Match' , GEOIP_MATCH => 'GeoIP Match' ,
RPFILTER_MATCH => 'RPFilter Match', RPFILTER_MATCH => 'RPFilter Match',
NFACCT_MATCH => 'NFAcct Match', NFACCT_MATCH => 'NFAcct Match',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
H323_HELPERS => 'H323 Helpers',
IRC_HELPER => 'IRC Helper',
NETBIOS_NS_HELPER =>
'Amanda Helper',
PPTP_HELPER => 'PPTP Helper',
SANE_HELPER => 'Amanda Helper',
SIP_HELPER => 'SIP Helper',
SNMP_HELPER => 'SNMP Helper',
TFTP_HELPER => 'TFTP Helper',
# #
# Constants # Constants
# #
@ -322,6 +335,19 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
our %helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPERS',
RAS => 'H323_HELPERS',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
our %config_files = ( #accounting => 1, our %config_files = ( #accounting => 1,
actions => 1, actions => 1,
blacklist => 1, blacklist => 1,
@ -773,6 +799,17 @@ sub initialize( $;$ ) {
GEOIP_MATCH => undef, GEOIP_MATCH => undef,
RPFILTER_MATCH => undef, RPFILTER_MATCH => undef,
NFACCT_MATCH => undef, NFACCT_MATCH => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
H323_HELPERS => undef,
IRC_HELPER => undef,
NETBIOS_NS_HELPER => undef,
PPTP_HELPER => undef,
SANE_HELPER => undef,
SIP_HELPER => undef,
SNMP_HELPER => undef,
TFTP_HELPER => undef,
CAPVERSION => undef, CAPVERSION => undef,
LOG_OPTIONS => 1, LOG_OPTIONS => 1,
KERNELVERSION => undef, KERNELVERSION => undef,
@ -949,6 +986,12 @@ sub cleanup() {
qt1( "$iptables -X $sillyname1" ); qt1( "$iptables -X $sillyname1" );
qt1( "$iptables -t mangle -F $sillyname" ); qt1( "$iptables -t mangle -F $sillyname" );
qt1( "$iptables -t mangle -X $sillyname" ); qt1( "$iptables -t mangle -X $sillyname" );
qt1( "$iptables -t nat -F $sillyname" );
qt1( "$iptables -t nat -X $sillyname" );
qt1( "$iptables -t raw -F $sillyname" );
qt1( "$iptables -t raw -X $sillyname" );
qt1( "$iptables -t rawpost -F $sillyname" );
qt1( "$iptables -t rawpost -X $sillyname" );
$sillyname = ''; $sillyname = '';
} }
} }
@ -3200,17 +3243,56 @@ sub Ct_Target() {
if ( have_capability 'RAW_TABLE' ) { if ( have_capability 'RAW_TABLE' ) {
qt1( "$iptables -t raw -N $sillyname" ); qt1( "$iptables -t raw -N $sillyname" );
$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" ); $ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
qt1( "$iptables -t raw -F $sillyname" );
qt1( "$iptables -t raw -X $sillyname" );
} }
$ct_target; $ct_target;
} }
sub Amanda_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
}
sub FTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 21 -j CT --helper ftp" );
}
sub H323_Helpers() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 1719 -j CT --helper RAS" );
}
sub IRC_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6667 -j CT --helper irc" );
}
sub Netbios_ns_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 137 -j CT --helper netbios-ns" );
}
sub PPTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 1729 -j CT --helper pptp" );
}
sub SANE_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6566 -j CT --helper sane" );
}
sub SIP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 5060 -j CT --helper sip" );
}
sub SNMP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 161 -j CT --helper snmp" );
}
sub TFTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 69 -j CT --helper tftp" );
}
sub Statistic_Match() { sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" ); qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
} }
sub Imq_Target() { sub Imq_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" ); have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
} }
@ -3245,6 +3327,7 @@ sub GeoIP_Match() {
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
AMANDA_HELPER => \&Amanda_Helper,
AUDIT_TARGET => \&Audit_Target, AUDIT_TARGET => \&Audit_Target,
ADDRTYPE => \&Addrtype, ADDRTYPE => \&Addrtype,
BASIC_FILTER => \&Basic_Filter, BASIC_FILTER => \&Basic_Filter,
@ -3261,9 +3344,11 @@ our %detect_capability =
ENHANCED_REJECT => \&Enhanced_Reject, ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark, EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter, FLOW_FILTER => \&Flow_Filter,
FTP_HELPER => \&FTP_Helper,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask, FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match, GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
H323_HELPERS => \&H323_Helpers,
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match, HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match, HELPER_MATCH => \&Helper_Match,
@ -3272,6 +3357,7 @@ our %detect_capability =
IPP2P_MATCH => \&Ipp2p_Match, IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match, IPRANGE_MATCH => \&IPRange_Match,
IPSET_MATCH => \&IPSet_Match, IPSET_MATCH => \&IPSet_Match,
IRC_HELPER => \&IRC_Helper,
OLD_IPSET_MATCH => \&Old_IPSet_Match, OLD_IPSET_MATCH => \&Old_IPSet_Match,
IPSET_V5 => \&IPSET_V5, IPSET_V5 => \&IPSET_V5,
IPTABLES_S => \&Iptables_S, IPTABLES_S => \&Iptables_S,
@ -3287,6 +3373,7 @@ our %detect_capability =
MARK_ANYWHERE => \&Mark_Anywhere, MARK_ANYWHERE => \&Mark_Anywhere,
MULTIPORT => \&Multiport, MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled, NAT_ENABLED => \&Nat_Enabled,
NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
NEW_CONNTRACK_MATCH => \&New_Conntrack_Match, NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
NFACCT_MATCH => \&NFAcct_Match, NFACCT_MATCH => \&NFAcct_Match,
NFQUEUE_TARGET => \&Nfqueue_Target, NFQUEUE_TARGET => \&Nfqueue_Target,
@ -3299,13 +3386,18 @@ our %detect_capability =
PHYSDEV_BRIDGE => \&Physdev_Bridge, PHYSDEV_BRIDGE => \&Physdev_Bridge,
PHYSDEV_MATCH => \&Physdev_Match, PHYSDEV_MATCH => \&Physdev_Match,
POLICY_MATCH => \&Policy_Match, POLICY_MATCH => \&Policy_Match,
PPTP_HELPER => \&PPTP_Helper,
RAW_TABLE => \&Raw_Table, RAW_TABLE => \&Raw_Table,
RAWPOST_TABLE => \&Rawpost_Table, RAWPOST_TABLE => \&Rawpost_Table,
REALM_MATCH => \&Realm_Match, REALM_MATCH => \&Realm_Match,
RECENT_MATCH => \&Recent_Match, RECENT_MATCH => \&Recent_Match,
RPFILTER_MATCH => \&RPFilter_Match, RPFILTER_MATCH => \&RPFilter_Match,
SANE_HELPER => \&SANE_Helper,
SIP_HELPER => \&SIP_Helper,
SNMP_HELPER => \&SNMP_Helper,
STATISTIC_MATCH => \&Statistic_Match, STATISTIC_MATCH => \&Statistic_Match,
TCPMSS_MATCH => \&Tcpmss_Match, TCPMSS_MATCH => \&Tcpmss_Match,
TFTP_HELPER => \&TFTP_Helper,
TIME_MATCH => \&Time_Match, TIME_MATCH => \&Time_Match,
TPROXY_TARGET => \&Tproxy_Target, TPROXY_TARGET => \&Tproxy_Target,
USEPKTTYPE => \&Usepkttype, USEPKTTYPE => \&Usepkttype,
@ -3445,6 +3537,12 @@ sub determine_capabilities() {
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
if ( $capabilities{CT_TARGET} ) {
for ( values %helpers_map ) {
$capabilities{$_} = detect_capability $_;
}
}
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );
@ -3461,6 +3559,11 @@ sub determine_capabilities() {
qt1( "$iptables -t nat -X $sillyname" ); qt1( "$iptables -t nat -X $sillyname" );
} }
if ( $capabilities{RAW_ENABLED} ) {
qt1( "$iptables -t raw -F $sillyname" );
qt1( "$iptables -t raw -X $sillyname" );
}
$sillyname = $sillyname1 = undef; $sillyname = $sillyname1 = undef;
} }
} }
@ -3743,7 +3846,9 @@ sub read_capabilities() {
next; next;
} }
$capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val; $val = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
$capabilities{$var} = $val ne '';
} else { } else {
fatal_error "Unrecognized capabilities entry"; fatal_error "Unrecognized capabilities entry";
} }

29
Shorewall/configfiles/conntrack
View File

@ -9,17 +9,38 @@ FORMAT 2
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET ?IF $AUTOHELPERS && __CT_TARGET
COMMENT AUTOHELPERS COMMENT AUTOHELPERS
CT:helper:ftp all - tcp 21 ?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080 CT:helper:amanda all - udp 10080
?ENDIF
?IF __FTP_HELPER
CT:helper:ftp all - tcp 21
?ENDIF
?IF __H323_HELPERS
COMMENT AUTOHELPERS - H323 COMMENT AUTOHELPERS - H323
CT:helper:RAS all - udp 1719 CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720 CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS COMMENT AUTOHELPERS
CT:helper:sip all - udp 5060 ?ENDIF
CT:helper:tftp all - udp 69 ?IF __IRC_HELPER
CT:helper:sane all - tcp 6566
CT:helper:irc all - tcp 6667 CT:helper:irc all - tcp 6667
?ENDIF
?IF __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137 CT:helper:netbios-ns all - udp 137
?ENDIF
?IF __PPTP_HELPER
CT:helper:pptp all - tcp 1729 CT:helper:pptp all - tcp 1729
?ENDIF
?IF __SANE_HELPER
CT:helper:sane all - tcp 6566
?ENDIF
?IF __SIP_HELPER
CT:helper:sip all - udp 5060
?ENDIF
?IF __SNMP_HELPER
CT:helper:snmp all - udp 161
?ENDIF
?IF __TFTP_HELPER
CT:helper:tftp all - udp 69
?ENDIF
COMMENT COMMENT
?ENDIF ?ENDIF

100
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -76,8 +76,104 @@
<para>Attach the helper identified by the <para>Attach the helper identified by the
<replaceable>name</replaceable> to this connection. This is more <replaceable>name</replaceable> to this connection. This is more
flexible than loading the conntrack helper with preset ports. flexible than loading the conntrack helper with preset
May be followed by an option list of ports.</para>
<para>At this writing, the available helpers are:</para>
<variablelist>
<varlistentry>
<term>amanda</term>
<listitem>
<para>Requires that the amanda netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ftp</term>
<listitem>
<para>Requires that the FTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>irc</term>
<listitem>
<para>Requires that the IRC netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netbios-ns</term>
<listitem>
<para>Requires that the netbios_ns (sic) helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RAS and Q.931</term>
<listitem>
<para>These require that the H323 netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pptp</term>
<listitem>
<para>Requires that the pptp netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sane</term>
<listitem>
<para>Requires that the SANE netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sip</term>
<listitem>
<para>Requires that the SIP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>snmp</term>
<listitem>
<para>Requires that the SNMP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>tftp</term>
<listitem>
<para>Requires that the TFTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
</variablelist>
<para>May be followed by an option list of
<replaceable>arg</replaceable>=<replaceable>val</replaceable> <replaceable>arg</replaceable>=<replaceable>val</replaceable>
pairs in parentheses:</para> pairs in parentheses:</para>

30
Shorewall6/configfiles/conntrack
View File

@ -9,14 +9,38 @@ FORMAT 2
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET ?IF $AUTOHELPERS && __CT_TARGET
COMMENT AUTOHELPERS COMMENT AUTOHELPERS
CT:helper:ftp all - tcp 21 ?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080 CT:helper:amanda all - udp 10080
?ENDIF
?IF __FTP_HELPER
CT:helper:ftp all - tcp 21
?ENDIF
?IF __H323_HELPERS
COMMENT AUTOHELPERS - H323 COMMENT AUTOHELPERS - H323
CT:helper:RAS all - udp 1719 CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720 CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS COMMENT AUTOHELPERS
CT:helper:sip all - udp 5060 ?ENDIF
CT:helper:tftp all - udp 69 ?IF __IRC_HELPER
CT:helper:irc all - tcp 6667
?ENDIF
?IF __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
?ENDIF
?IF __PPTP_HELPER
CT:helper:pptp all - tcp 1729
?ENDIF
?IF __SANE_HELPER
CT:helper:sane all - tcp 6566 CT:helper:sane all - tcp 6566
?ENDIF
?IF __SIP_HELPER
CT:helper:sip all - udp 5060
?ENDIF
?IF __SNMP_HELPER
CT:helper:snmp all - udp 161
?ENDIF
?IF __TFTP_HELPER
CT:helper:tftp all - udp 69
?ENDIF
COMMENT COMMENT
?ENDIF ?ENDIF