Handle disabled helpers in pre-3.5 kernels.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-06 13:10:15 -07:00
parent 56caf3687f
commit 4b4e30d4e1
5 changed files with 154 additions and 38 deletions


@ -2022,14 +2022,19 @@ determine_capabilities() {
NFACCT_MATCH=
AMANDA_HELPER=
FTP_HELPER=
FTP0_HELPER=
IRC_HELPER=
IRC0_HELPER=
NETBIOS_NS_HELPER=
H323_HELPER=
PPTP_HELPER=
SANE_HELPER=
SANE0_HELPER=
SIP_HELPER=
SIP0_HELPER=
SNMP_HELPER=
TFTP_HELPER=
TFTP0_HELPER=
chain=fooX$$
@ -2196,14 +2201,19 @@ determine_capabilities() {
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
fi
qt $g_tool -t raw -F $chain
@ -2268,6 +2278,7 @@ determine_capabilities() {
if [ -z "$CT_TARGET" ]; then
AMANDA_HELPER=Yes
FTP_HELPER=Yes
FTP_HELPER=Yes
H323_HELPER=Yes
IRC_HELPER=Yes
NS_HELPER=Yes
@ -2408,14 +2419,19 @@ report_capabilities() {
report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER
report_capability "FTP-0 Helper" $FTP0_HELPER
report_capability "IRC Helper" $IRC_HELPER
report_capability "IRC-0 Helper" $IRC0_HELPER
report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
report_capability "H323 Helper" $H323_HELPER
report_capability "PPTP Helper" $PPTP_HELPER
report_capability "SANE Helper" $SANE_HELPER
report_capability "SANE-0 Helper" $SANE0_HELPER
report_capability "SIP Helper" $SIP_HELPER
report_capability "SIP-0 Helper" $SIP-0_HELPER
report_capability "SNMP Helper" $SNMP_HELPER
report_capability "TFTP Helper" $TFTP_HELPER
report_capability "TFTP-0 Helper" $TFTP0_HELPER
if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@ -2514,13 +2530,19 @@ report_capabilities1() {
report_capability1 NFACCT_MATCH
report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER
report_capability1 FTP0_HELPER
report_capability1 IRC_HELPER
report_capability1 IRC0_HELPER
report_capability1 NETBIOS_NS_HELPER
report_capability1 H323_HELPER
report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER
report_capability1 SANE0_HELPER
report_capability1 SIP_HELPER
report_capability1 SIP0_HELPER
report_capability1 SNMP_HELPER
report_capability1 TFTP_HELPER
report_capability1 TFTP0_HELPER
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
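Review bot: `report_capability "SIP-0 Helper" $SIP-0_HELPER` in the report_capabilities hunk expands `$SIP` (normally unset) followed by the literal text `-0_HELPER`, so the SIP-0 line always reports the capability as absent; it should read `report_capability "SIP-0 Helper" $SIP0_HELPER`, matching the other -0 entries and the report_capability1 hunk. In the pre-3.5 fallback under `if [ -z "$CT_TARGET" ]`, the one added line duplicates `FTP_HELPER=Yes`; presumably `FTP0_HELPER=Yes` was intended, although since the -0 helpers can only be probed through the CT target (the Perl determine_capabilities hunk only detects them when CT_TARGET is present) leaving all the -0 variables empty there may be the correct choice, in which case the duplicate line should simply be dropped. That same fallback sets `NS_HELPER=Yes` while every other hunk uses `NETBIOS_NS_HELPER`; the line is unchanged context, so this looks like a pre-existing mismatch worth fixing while the block is being touched.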


@ -4359,7 +4359,7 @@ sub do_helper( $ ) {
validate_helper( $helper );
qq(-m helper --helper "$helper" ) if defined wantarray;
qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray;
}
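Review bot: `$helpers_aliases{$helper}` is interpolated into the generated `-m helper --helper "…"` option without checking that the key exists, so a helper name that passes validate_helper but has no entry in %helpers_aliases (the hash is seeded from a fixed list in Config.pm's initialize) would silently emit `--helper ""`. A defensive fallback preserves the previous behaviour for such names: `my $name = $helpers_aliases{$helper} || $helper;` followed by `qq(-m helper --helper "$name" ) if defined wantarray;`. The same unguarded lookup appears in process_notrack_rule's `$action = "CT --helper $helpers_aliases{$args}";` hunk. do_helper's opening lines are outside the hunk.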


@ -148,6 +148,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%helpers
%helpers_map
%helpers_enabled
%helpers_aliases
@auditoptions
@ -341,15 +342,20 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper',
H323_HELPER => 'H323 Helpers',
IRC_HELPER => 'IRC Helper',
IRC0_HELPER => 'IRC-0 Helper',
NETBIOS_NS_HELPER =>
'Netbios-ns Helper',
PPTP_HELPER => 'PPTP Helper',
SANE_HELPER => 'Amanda Helper',
SANE_HELPER => 'SANE Helper',
SANE0_HELPER => 'SANE-0 Helper',
SIP_HELPER => 'SIP Helper',
SIP0_HELPER => 'SIP-0 Helper',
SNMP_HELPER => 'SNMP Helper',
TFTP_HELPER => 'TFTP Helper',
TFTP0_HELPER => 'TFTP-0 Helper',
#
# Constants
#
@ -382,21 +388,12 @@ our %helpers = ( amanda => UDP,
tftp => UDP,
);
our %helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPER',
RAS => 'H323_HELPER',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
our %helpers_map;
our %helpers_names;
our %helpers_aliases;
our %helpers_enabled;
our %config_files = ( #accounting => 1,
@ -852,14 +849,19 @@ sub initialize( $;$ ) {
NFACCT_MATCH => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
FTP0_HELPER => undef,
H323_HELPER => undef,
IRC_HELPER => undef,
IRC0_HELPER => undef,
NETBIOS_NS_HELPER => undef,
PPTP_HELPER => undef,
SANE_HELPER => undef,
SANE0_HELPER => undef,
SIP_HELPER => undef,
SIP0_HELPER => undef,
SNMP_HELPER => undef,
TFTP_HELPER => undef,
TFTP0_HELPER => undef,
CAPVERSION => undef,
LOG_OPTIONS => 1,
@ -903,16 +905,48 @@ sub initialize( $;$ ) {
%helpers_enabled = (
amanda => 1,
ftp => 1,
'ftp-0' => 1,
h323 => 1,
irc => 1,
'irc-0' => 1,
'netbios-ns' => 1,
pptp => 1,
sane => 1,
'sane-0' => 1,
sip => 1,
'sip-0' => 1,
snmp => 1,
tftp => 1,
'tftp-0' => 1,
);
%helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPER',
RAS => 'H323_HELPER',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
%helpers_aliases = ( amanda => 'amanda',
ftp => 'ftp',
irc => 'irc',
'netbios-ns' => 'netbios-ns',
pptp => 'pptp',
'Q.931' => 'Q.931',
RAS => 'RAS',
sane => 'sane',
sip => 'sip',
snmp => 'snmp',
tftp => 'tftp',
);
process_shorewallrc( $shorewallrc ) if $shorewallrc;
$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
@ -1819,7 +1853,8 @@ sub evaluate_expression( $$$ ) {
my ( $first, $cap, $rest ) = ( $1, $3, $4);
if ( exists $capdesc{$cap} ) {
$val = have_capability( $cap )
$val = have_capability( $cap );
$val = "'$val'" unless $val =~ /^-?\d+$/;
} elsif ( $cap =~ /^IPV([46])$/ ) {
$val = ( $family == $1 );
} else {
@ -3233,12 +3268,12 @@ sub Helper_Match() {
qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
}
sub have_helper( $ ) {
my $helper = $_[0];
sub have_helper( $$$ ) {
my ( $helper, $proto, $port ) = @_;
if ( $helpers_enabled{$helper} ) {
if ( have_capability 'CT_TARGET' ) {
qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper $helper" );
qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
} else {
have_capability 'HELPER_MATCH';
}
@ -3246,43 +3281,63 @@ sub have_helper( $ ) {
}
sub Amanda_Helper() {
have_helper 'amanda';
have_helper( 'amanda', 'udp', 10080 );
}
sub FTP_Helper() {
have_helper 'ftp';
have_helper( 'ftp', 'tcp', 21 );
}
sub FTP0_Helper() {
have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
}
sub H323_Helpers() {
have_helper 'RAS';
have_helper( 'RAS', 'udp', 1719 );
}
sub IRC_Helper() {
have_helper 'irc';
have_helper( 'irc', 'tcp', 6667 );
}
sub IRC0_Helper() {
have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
}
sub Netbios_ns_Helper() {
have_helper 'netbios-ns';
have_helper( 'netbios-ns', 'udp', 137 );
}
sub PPTP_Helper() {
have_helper 'pptp';
have_helper( 'pptp', 'tcp', 1729 );
}
sub SANE_Helper() {
have_helper 'sane';
have_helper( 'sane', 'tcp', 6566 );
}
sub SANE0_Helper() {
have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
}
sub SIP_Helper() {
have_helper 'sip';
have_helper( 'sip', 'udp', 5060 );
}
sub SIP0_Helper() {
have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
}
sub SNMP_Helper() {
have_helper 'snmp';
have_helper( 'snmp', 'udp', 161 );
}
sub TFTP_Helper() {
have_helper 'tftp';
have_helper( 'tftp', 'udp', 69 );
}
sub TFTP0_Helper() {
have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
}
sub Connlimit_Match() {
@ -3421,6 +3476,7 @@ our %detect_capability =
EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter,
FTP_HELPER => \&FTP_Helper,
FTP0_HELPER => \&FTP0_Helper,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target,
@ -3434,6 +3490,7 @@ our %detect_capability =
IPRANGE_MATCH => \&IPRange_Match,
IPSET_MATCH => \&IPSet_Match,
IRC_HELPER => \&IRC_Helper,
IRC0_HELPER => \&IRC0_Helper,
OLD_IPSET_MATCH => \&Old_IPSet_Match,
IPSET_V5 => \&IPSET_V5,
IPTABLES_S => \&Iptables_S,
@ -3469,11 +3526,14 @@ our %detect_capability =
RECENT_MATCH => \&Recent_Match,
RPFILTER_MATCH => \&RPFilter_Match,
SANE_HELPER => \&SANE_Helper,
SANE0_HELPER => \&SANE0_Helper,
SIP_HELPER => \&SIP_Helper,
SIP0_HELPER => \&SIP0_Helper,
SNMP_HELPER => \&SNMP_Helper,
STATISTIC_MATCH => \&Statistic_Match,
TCPMSS_MATCH => \&Tcpmss_Match,
TFTP_HELPER => \&TFTP_Helper,
TFTP0_HELPER => \&TFTP0_Helper,
TIME_MATCH => \&Time_Match,
TPROXY_TARGET => \&Tproxy_Target,
USEPKTTYPE => \&Usepkttype,
@ -3529,6 +3589,17 @@ sub determine_capabilities() {
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
if ( have_capability 'CT_TARGET' ) {
$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
'FTP0_HELPER',
'IRC0_HELPER',
'SANE0_HELPER',
'SIP0_HELPER',
'TFTP0_HELPER' );
} else {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
}
unless ( $config{ LOAD_HELPERS_ONLY } ) {
#
# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@ -3611,13 +3682,6 @@ sub determine_capabilities() {
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
$capabilities{HELPER_MATCH} = detect_capability( 'HELPER_MATCH' );
if ( $capabilities{CT_TARGET} ) {
for ( values %helpers_map ) {
$capabilities{$_} = detect_capability $_;
}
}
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
@ -3953,6 +4017,7 @@ sub read_capabilities() {
}
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
}
#
@ -4241,6 +4306,14 @@ sub get_configuration( $$$ ) {
get_capabilities( $export );
report_capabilities unless $config{LOAD_HELPERS_ONLY};
$helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER};
$helpers_aliases{irc} = 'irc-0', $capabilities{IRC_HELPER} = 1 if $capabilities{IRC0_HELPER};
$helpers_aliases{sane} = 'sane-0', $capabilities{SANE_HELPER} = 1 if $capabilities{SANE0_HELPER};
$helpers_aliases{sip} = 'sip-0', $capabilities{SIP_HELPER} = 1 if $capabilities{SIP0_HELPER};
$helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER};
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
#
@ -4716,8 +4789,6 @@ sub get_configuration( $$$ ) {
$config{LOCKFILE} = '';
}
report_capabilities unless $config{LOAD_HELPERS_ONLY};
require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0;
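Review bot: In the get_configuration hunk, `$helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER};` (and the four lines after it) forces the base capability on whenever the -0 variant was detected, while FTP0_Helper only consults `$helpers_enabled{'ftp-0'}`; if the code that disables a helper clears only the unsuffixed key in %helpers_enabled (that code is outside these hunks), a disabled ftp helper is still probed as ftp-0 and re-enabled here. Checking both keys in have_helper, `( my $base = $helper ) =~ s/-0\z//;` and `if ( $helpers_enabled{$helper} && $helpers_enabled{$base} ) {`, would close that gap. Stylistically, the five comma-joined assignments under a single `if` modifier read as two statements each; an explicit `if ( … ) { … }` block per helper, or a loop over a small suffix table, would be clearer. Note also that `values( %helpers_map )` in determine_capabilities yields H323_HELPER twice (for Q.931 and RAS), so that probe runs twice; harmless but wasteful.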


@ -84,7 +84,7 @@ sub process_notrack_rule( $$$$$$$ ) {
fatal_error "Invalid helper' ($args)" if $args =~ /,/;
validate_helper( $args, $proto );
$action = "CT --helper $args";
$action = "CT --helper $helpers_aliases{$args}";
$exception_rule = do_proto( $proto, '-', '-' );
for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {


@ -336,6 +336,29 @@
<para>tftp</para>
</listitem>
</itemizedlist>
<para>After disabling one or more helpers using this method, you
must:</para>
<itemizedlist>
<listitem>
<para>Unload the related module(s).</para>
</listitem>
<listitem>
<para>Restart Shorewall (use the -c option (e.g., <command>shorewall
restart -c</command>) if you have AUTOMAKE=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5))..</para>
</listitem>
</itemizedlist>
<para>Note that if you choose to reboot your system to unload the
modules, then if you have CT:helper entries in <ulink
url="manpages/shorewall-conntrack.html">shorewall-conntrack</ulink> (5)
that refer to the module(s) and you have AUTOMAKE=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), then
Shorewall will fail to start at boot time.</para>
</section>
<section>