diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 514e60ac2..8b13a0b5f 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2482,7 +2482,8 @@ sub initialize_chain_table($) {
'NFQUEUE!' => STANDARD + NFQ,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET,
- 'WHITELIST' => STANDARD
+ 'WHITELIST' => STANDARD,
+ 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
);
for my $chain ( qw(OUTPUT PREROUTING) ) {
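Review bot: The trailing comment `#Actually RAWONLY` on the new `'HELPER'` entry contradicts the flag it annotates, `NATONLY`, and does not say why the wrong-looking flag is used. The same line is added again in the second hunk of this file, so both copies of the table carry the ambiguity. If `NATONLY` is deliberately reused because no raw-table flag exists, say so, e.g. `# NATONLY reused as "not a filter-table target"; HELPER rules are raw-table only`. It is also worth confirming that code elsewhere that tests `NATONLY` behaves correctly for a target that is not a NAT rule. The body of initialize_chain_table continues outside the hunk, so its use of this table is not visible here.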
@@ -2528,6 +2529,7 @@ sub initialize_chain_table($) {
'NFQUEUE!' => STANDARD + NFQ,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET,
+ 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
);
for my $chain ( qw(OUTPUT PREROUTING) ) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 462e4c50a..bc443d3f4 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1465,7 +1465,7 @@ sub process_action( $) {
if ( $format == 1 ) {
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
- $origdest = $connlimit = $time = $headers = $condition = '-';
+ $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
} else {
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line1 'action file', \%rulecolumns, $action_commands;
@@ -1594,7 +1594,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
my $actiontype = $targets{$action} || find_macro( $action );
- fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );
+ fatal_error( "Invalid Action ($mtarget) in macro", $actiontype ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );
if ( $msource ) {
if ( $msource eq '-' ) {
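Review bot: The extra `$actiontype` argument added to `fatal_error(...)` looks like leftover debugging output. The definition of fatal_error is not visible here, but if it joins its arguments into the message, users will see a bare bitmask number appended to "Invalid Action (...) in macro". The value can also be undefined on exactly this path, since it comes from `$targets{$action} || find_macro( $action )`. Either drop the argument, `fatal_error "Invalid Action ($mtarget) in macro" unless ...`, or, if the value is wanted for diagnosis, label it inside the string. The body of process_macro continues outside the hunk.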
@@ -1850,6 +1850,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
COUNT => sub { $action = ''; } ,
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
+
+ HELPER => sub {
+ fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+ fatal_error "HELPER rules may only appear in the NEW section" unless $section eq 'NEW';
+ $action = ''; } ,
);
my $function = $functions{ $bt };
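Review bot: The first message in the new `HELPER` handler has a duplicated word ("requires require"); it should read `fatal_error "HELPER requires that the helper be specified in the HELPER column" if $helper eq '-';`. The handler checks the helper column and the section, but not the third constraint the manpage text in this commit states, that no destination zone should be specified. Whether process_rule1 enforces that elsewhere is not visible in this hunk. If it does not, add a matching `fatal_error` here, so that a helper (which causes related connections to be expected) is never attached with a broader scope than the documentation promises. A short comment on `$action = '';` saying that HELPER emits no filter-table jump would also help the next reader.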
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 4690f6f2b..078e7fbf0 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -503,6 +503,19 @@
rule, it is passed on to the next rule.
+
+
+ HELPER
+
+
+ Added in Shorewall 4.5.7. This action requires that the
+ HELPER column contains the name of the Netfilter helper to be
+ associated with connections matching this connection. May only
+ be specified in the NEW section and is useful for being able
+ to specify a helper when the applicable policy is ACCEPT. No
+ destination zone should be specified in HELPER rules.
+
+
The target may optionally be
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index e9b9ab108..473614e4b 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -368,6 +368,19 @@
deprecated.
+
+
+ HELPER
+
+
+ Added in Shorewall 4.5.7. This action requires that the
+ HELPER column contains the name of the Netfilter helper to be
+ associated with connections matching this connection. May only
+ be specified in the NEW section and is useful for being able
+ to specify a helper when the applicable policy is ACCEPT. No
+ destination zone should be specified in HELPER rules.
+
+
The ACTION may optionally be