Don't require a helper for ctevents and expevents

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-05-16 13:40:40 -07:00
parent 9329e7c36c
commit acd921cd08
3 changed files with 68 additions and 21 deletions


@ -146,20 +146,16 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
if ( $option eq 'helper' ) { if ( $option eq 'helper' ) {
my $modifiers = ''; my $modifiers = '';
$disposition = "helper"; $disposition = 'helper';
if ( $args =~ /^([-\w.]*)\((.+)\)$/ ) { if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
$args = $1; $args = $1;
$modifiers = $2; $modifiers = $2;
} }
if ( supplied $args ) { fatal_error "Invalid helper' ($args)" if $args =~ /,/;
fatal_error "Invalid helper' ($args)" if $args =~ /,/; validate_helper( $args, $proto );
validate_helper( $args, $proto ); $action = "CT --helper $helpers_aliases{$args}";
$action = "CT --helper $helpers_aliases{$args}";
} else {
$action = "CT ";
}
$exception_rule = do_proto( $proto, '-', '-' ); $exception_rule = do_proto( $proto, '-', '-' );
@ -181,6 +177,17 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
fatal_error "Invalid helper option ($mod)"; fatal_error "Invalid helper option ($mod)";
} }
} }
} elsif ( $option eq 'ctevents' ) {
$disposition = 'helper';
for ( split_list( $args, 'ctevents' ) ) {
fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
}
$action = "CT --ctevents $args";
} elsif ( $option eq 'expevents' ) {
fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
$action = 'CT --expevents new';
} else { } else {
fatal_error "Invalid CT option ($option)"; fatal_error "Invalid CT option ($option)";
} }
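Review bot: The new `expevents` branch leaves `$disposition` untouched while the sibling `ctevents` branch directly above it sets `$disposition = 'helper'`, so the two new CT options are handled asymmetrically; unless that difference is deliberate, add `$disposition = 'helper';` as the first line of the `expevents` branch, or add a comment stating why it is not needed there. The `ctevents` branch interpolates `$args` verbatim into `"CT --ctevents $args"` after validating each element returned by `split_list( $args, 'ctevents' )` against `%valid_ctevent`, which is sound only if `split_list` rejects empty or whitespace-padded elements (not visible here); a comment such as `# every element of $args was validated against %valid_ctevent above` would make the intent explicit. In the first hunk the `supplied $args` test was dropped and the helper-name regex tightened to `[-\w.]+`, so a `CT:helper:` with no name now falls through to `validate_helper( $args, $proto )` with an empty string, which presumably reports the error, but that is worth confirming. The enclosing `process_conntrack_rule` starts and ends outside the hunk.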


@ -90,7 +90,8 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:helper:(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term> role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT &gt;= 2. Values other <para>This column is only present when FORMAT &gt;= 2. Values other
@ -243,11 +244,31 @@
expectation events for this connection.</para> expectation events for this connection.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem>
<para>Beginning with Shorewall 4.6.10, the parenthesized list of <listitem>
<replaceable>arg</replaceable>=<replaceable>val</replaceable> <para>ctevents:<replaceable>event</replaceable>[,...]</para>
pairs may be given without a helper name (e.g.,
CT:helper:(ctevents=assured,destroyed)).</para> <para>Added in Shorewall 4.6.10. Only generate the specified
conntrack events for this connection. Possible event types are:
<emphasis role="bold">new</emphasis>, <emphasis
role="bold">related</emphasis>, <emphasis
role="bold">destroy</emphasis>, <emphasis
role="bold">reply</emphasis>, <emphasis
role="bold">assured</emphasis>, <emphasis
role="bold">protoinfo</emphasis>, <emphasis
role="bold">helper</emphasis>, <emphasis
role="bold">mark</emphasis> (this is connection mark, not packet
mark), <emphasis role="bold">natseqinfo</emphasis>, and
<emphasis role="bold">secmark</emphasis>.</para>
</listitem>
<listitem>
<para>expevents=new</para>
<para>Added in Shorewall 4.6.10. Only generate <emphasis
role="bold">new</emphasis> expectation events for this
connection.</para>
</listitem> </listitem>
<listitem> <listitem>


@ -90,8 +90,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:helper:(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])</emphasis>|<emphasis role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new|notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT &gt;= 2. Values other <para>This column is only present when FORMAT &gt;= 2. Values other
@ -239,15 +238,35 @@
<listitem> <listitem>
<para><option>expevents</option><option>=new</option></para> <para><option>expevents</option><option>=new</option></para>
<para>Only generate a <emphasis role="bold">new</emphasis> <para>Only generate <emphasis role="bold">new</emphasis>
expectation events for this connection.</para> expectation events for this connection.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem>
<para>Beginning with Shorewall 4.6.10, the parenthesized list of <listitem>
<replaceable>arg</replaceable>=<replaceable>val</replaceable> <para>ctevents:<replaceable>event</replaceable>[,...]</para>
pairs may be given without a helper name (e.g.,
CT:helper:(ctevents=assured,destroyed)).</para> <para>Added in Shorewall 4.6.10. Only generate the specified
conntrack events for this connection. Possible event types are:
<emphasis role="bold">new</emphasis>, <emphasis
role="bold">related</emphasis>, <emphasis
role="bold">destroy</emphasis>, <emphasis
role="bold">reply</emphasis>, <emphasis
role="bold">assured</emphasis>, <emphasis
role="bold">protoinfo</emphasis>, <emphasis
role="bold">helper</emphasis>, <emphasis
role="bold">mark</emphasis> (this is connection mark, not packet
mark), <emphasis role="bold">natseqinfo</emphasis>, and
<emphasis role="bold">secmark</emphasis>.</para>
</listitem>
<listitem>
<para>expevents=new</para>
<para>Added in Shorewall 4.6.10. Only generate <emphasis
role="bold">new</emphasis> expectation events for this
connection.</para>
</listitem> </listitem>
<listitem> <listitem>