From 9329e7c36c674b8733d0102b58275591916294dc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 16 May 2015 09:08:32 -0700
Subject: [PATCH] Don't require a helper in the CT action.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 1 -
 Shorewall/Perl/Shorewall/Raw.pm | 15 ++++++++++-----
 Shorewall/manpages/shorewall-conntrack.xml | 10 ++++++++--
 Shorewall6/manpages/shorewall6-conntrack.xml | 6 ++++++
 4 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e1ecb5192..56c70f456 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -765,7 +765,6 @@ sub initialize( $$$ ) {
 RETURN => 1,
 QUEUE => 1,
 CLASSIFY => 1,
- CT => 1,
 DNAT => 1,
 MASQUERADE => 1,
 NETMAP => 1,
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 1528bb94a..1e0f4102b 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -148,16 +148,21 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 $disposition = "helper";
- if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
+ if ( $args =~ /^([-\w.]*)\((.+)\)$/ ) {
 $args = $1;
 $modifiers = $2;
 }
- fatal_error "Invalid helper' ($args)" if $args =~ /,/;
- validate_helper( $args, $proto );
- $action = "CT --helper $helpers_aliases{$args}";
- $exception_rule = do_proto( $proto, '-', '-' );
+ if ( supplied $args ) {
+ fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+ validate_helper( $args, $proto );
+ $action = "CT --helper $helpers_aliases{$args}";
+ } else {
+ $action = "CT ";
+ }
+ $exception_rule = do_proto( $proto, '-', '-' );
+
 for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
 fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
 $mod = $1;
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 90a4c0b57..4a8aaf05e 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
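Review bot: Now that the helper name is optional, an argument with no parenthesized list at all (nothing after `CT:helper:`) does not match the relaxed regex, fails the new `supplied $args` test and reaches `$action = "CT "`, so — assuming `$modifiers` starts out empty, its initialization being above the hunk — the rule is emitted as a bare CT with neither a helper nor a single option, which silently does nothing; a guard after the regex block, `fatal_error "Missing helper name or helper options" unless supplied $args || supplied $modifiers;`, would reject that form the same way the comma check rejects malformed names. The trailing space in `"CT "` also differs from the `"CT --helper ..."` form and presumably yields a doubled space once the option loop below appends to `$action`; `$action = 'CT';` is enough. The message `"Invalid helper' ($args)"` carried into the new `if` branch still has a stray apostrophe; `"Invalid helper ($args)"` reads correctly. process_conntrack_rule begins and ends outside the hunk.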
+++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -90,7 +90,7 @@ role="bold">NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack|DROP|LOG|ULOG(ulog-parameters):NFLOG(nflog-parameters)|IPTABLES(target)}[log-level[:log-tag]][:chain-designator] + role="bold">CT:helper:(arg=val[,...])|CT:notrack|DROP|LOG|ULOG(ulog-parameters):NFLOG(nflog-parameters)|IPTABLES(target)}[log-level[:log-tag]][:chain-designator] This column is only present when FORMAT >= 2. Values other @@ -114,7 +114,8 @@ name to this connection. This is more flexible than loading the conntrack helper with preset ports. If a log-level is specified, the packet - will also be logged at that level. + will also be logged at that level. Beginning with Shorewall + 4.6.10, the helper name is optional At this writing, the available helpers are: @@ -242,6 +243,11 @@ expectation events for this connection. + + Beginning with Shorewall 4.6.10, the parenthesized list of + arg=val + pairs may be given without a helper name (e.g., + CT:helper:(ctevents=assured,destroyed)). diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 0032564d8..0ea0e413d 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -90,6 +90,7 @@ role="bold">NOTRACK|CT:helper:name[(arg=val[,...])|CT:helper:(arg=val[,...])|CT:notrack|DROP|LOG|NFLOG(nflog-parameters)|IP6TABLES(target)}[:log-level[:log-tag]][:chain-designator] @@ -242,6 +243,11 @@ expectation events for this connection. + + Beginning with Shorewall 4.6.10, the parenthesized list of + arg=val + pairs may be given without a helper name (e.g., + CT:helper:(ctevents=assured,destroyed)).