From 07e56d129a73726d63fdead50a46ba8df067e2c1 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 2 Aug 2012 11:09:18 -0700
Subject: [PATCH] Add AUTOHELPERS option.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 2 ++
 .../Samples/one-interface/shorewall.conf | 1 +
 .../Samples/three-interfaces/shorewall.conf | 1 +
 .../Samples/two-interfaces/shorewall.conf | 1 +
 Shorewall/configfiles/shorewall.conf | 1 +
 Shorewall/manpages/shorewall.conf.xml | 24 +++++++++++++++++++
 Shorewall6/Samples6/Universal/shorewall6.conf | 1 +
 .../Samples6/one-interface/shorewall6.conf | 1 +
 .../Samples6/three-interfaces/shorewall6.conf | 1 +
 .../Samples6/two-interfaces/shorewall6.conf | 1 +
 Shorewall6/manpages/shorewall6.conf.xml | 21 ++++++++++++++++
 11 files changed, 55 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index d9fa1fd08..654083b42 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -656,6 +656,7 @@ sub initialize( $;$ ) {
 EXPORTMODULES => undef,
 LEGACY_FASTSTART => undef,
 USE_PHYSICAL_NAMES => undef,
+ AUTOHELPERS => undef,
 #
 # Packet Disposition
 #
@@ -4260,6 +4261,7 @@ sub get_configuration( $$$ ) {
 default_yes_no 'LEGACY_FASTSTART' , 'Yes';
 default_yes_no 'USE_PHYSICAL_NAMES' , '';
 default_yes_no 'IPSET_WARNINGS' , 'Yes';
+ default_yes_no 'AUTOHELPERS' , 'Yes';
 require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 738978279..6397cdd60 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -127,6 +127,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index cf300c7ef..c55aa08ef 100644
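Review bot: In Shorewall/Perl/Shorewall/Config.pm, the get_configuration hunk's `default_yes_no 'AUTOHELPERS' , 'Yes';` enables the option for every configuration that omits it, but neither Config.pm hunk checks the CT Target capability that the manpage text in this patch makes a precondition, and no line in the patch reads `$config{AUTOHELPERS}`. Presumably the consumer and the capability test arrive in a separate commit; if so, say it next to the default, for example `# AUTOHELPERS: honoured only when the CT Target capability is present; helper associations come from the conntrack file`. Since a default of Yes keeps helpers attached by protocol and port, which is the behaviour the manpage says Netfilter is withdrawing, the comment or the manpage should also tell administrators that narrowing or removing those associations is expected where a helper is not needed. Both initialize() and get_configuration() begin and end outside these hunks, so how the value is used later in get_configuration cannot be judged from here.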
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -125,6 +125,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 4f10feb01..e63e13dba 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -128,6 +128,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index e0656356f..d902b345d 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -116,6 +116,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 1a0af7d9b..d4a190028 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -299,6 +299,30 @@ + + AUTOHELPERS=[Yes|No] + + + Added in Shorewall 4.5.7. + + In Linux 3.5, the Netfilter team announced that the automatic + association of helpers with connections based on protocol and port + would no longer be supported after a certain point. This means that + explicit rules must be added in shorewall-conntrack (5) in order for + applications like FTP that require a helper to continue to work + correctly. To work around this problem, the AUTOHELPERS option was + added with a default value of Yes. + + If set to Yes and the CT Target capability is present in the + kernel and iptables, then Shorewall will automatically create the + same associations that were made by the modules themselves prior to + removal of the automatic association feature. The associations are + actually in shorewall-conntrack (5) so you can modify them to suit + your particular needs. + + + AUTOMAKE=[Yes|No]
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 38b38e12d..73b0eba97 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -111,6 +111,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index a32586eae..d766512a7 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -111,6 +111,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index f818c3298..f0d709559 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -111,6 +111,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index f0e2e18be..cdde00832 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -111,6 +111,7 @@
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 164eded19..600207c69 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -228,6 +228,27 @@ + + AUTOHELPERS=[Yes|No] + + + Added in Shorewall 4.5.7. + + In Linux 3.5, the Netfilter team announced that the automatic + association of helpers with connections based on protocol and port + would no longer be supported after a certain point. This means that + explicit rules must be added in shorewall-conntrack (5) in order for + applications like FTP that require a helper to continue to work + correctly. To work around this problem, the AUTOHELPERS option was + added with a default value of Yes. + + If set to Yes and the CT Target capability is present in the + kernel and iptables, then Shorewall will automatically create the + same associations that were made by the modules themselves prior to + removal of the automatic association feature. The associations are + actually in shorewall-conntrack (5) so you can modify them to suit + your particular needs.