Validate helper<->protocol

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-24 09:24:01 -08:00 · 2011-12-24 09:24:01 -08:00 · 5520a6d31d
commit 5520a6d31d
parent 97354c8ce8
2 changed files with 45 additions and 20 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -173,6 +173,7 @@ our %EXPORT_TAGS = (
 				       do_tos
 				       do_connbytes
 				       do_helper
+				       validate_helper
 				       do_headers
 				       do_condition
 				       have_ipset_rules
@ -558,19 +559,16 @@ sub initialize( $$$ ) {

    %ipset_exists       = ();   

-    %helpers = ( amanda          => 1,
-		 ftp             => 1,
-		 h323            => 1,
-		 irc             => 1,
-		 netbios_ns      => 1,
-		 netlink         => 1,
-		 proto_gre       => 1,
-		 proto_sctp      => 1,
-		 pptp            => 1,
-		 proto_udplite   => 1,
-		 sane            => 1,
-		 sip             => 1,
-		 tftp            => 1 );
+    %helpers = ( amanda          => TCP,
+		 ftp             => TCP,
+		 h323            => UDP,
+		 irc             => TCP,
+		 netbios_ns      => UDP,
+		 pptp            => TCP,
+		 sane            => TCP,
+		 sip             => UDP,
+		 snmp            => UDP,
+		 tftp            => UDP);
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
    #
@ -4004,22 +4002,49 @@ sub do_connbytes( $ ) {
 }

 #
-# Create a soft "-m helper" match for the passed argument
+# Validate a helper/protocol pair
+#
+sub validate_helper( $;$ ) {
+    my ( $helper, $proto ) = @_;
+    my $helper_base = $helper;
+    $helper_base =~ s/-\d+$//;
+
+    my $helper_proto = $helpers{$helper_base};
+
+    if ( $helper_proto) {	    
+	#
+	#  Recognized helper
+	#
+	if ( supplied $proto ) {
+	    my $protonum = -1;
+
+	    unless ( $proto eq '-' ) {
+		fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );	
+	    }
+
+	    unless ( $protonum == $helper_proto ) {
+		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
+	    }
+	}
+    } else {
+	fatal_error "Unrecognized helper ($helper_base)";
+    }
+}
+
+#
+# Create an "-m helper" match for the passed argument
 #
 sub do_helper( $ ) {
    my $helper = shift;

    return '' if $helper eq '-';

-    my $helper_base = $helper;
-
-    $helper_base =~ s/-\d+$//;
-
-    warning_message "Unrecognized helper ($helper)" unless $helpers{$helper_base};
+    validate_helper( $helper );

    qq(-m helper --helper "$helper" ) if defined wantarray;
 }

+
 #
 # Create a "-m length" match for the passed LENGTH
 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@ -76,7 +76,7 @@ sub process_notrack_rule( $$$$$$$ ) {
 	    if ( $option eq 'helper' ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		fatal_error "A protocol protocol is required in CT:helper rules" if $proto eq '-'; 
-		do_helper( $args );
+		validate_helper( $args, $proto );
 		$action = "CT --helper $args";
 		$exception_rule = do_proto( $proto, '-', '-' );
 	    } elsif ( $option eq 'ctevents' ) {