Validate helper<->protocol

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-12-24 09:24:01 -08:00
parent 97354c8ce8
commit 5520a6d31d
2 changed files with 45 additions and 20 deletions


@ -173,6 +173,7 @@ our %EXPORT_TAGS = (
do_tos do_tos
do_connbytes do_connbytes
do_helper do_helper
validate_helper
do_headers do_headers
do_condition do_condition
have_ipset_rules have_ipset_rules
@ -558,19 +559,16 @@ sub initialize( $$$ ) {
%ipset_exists = (); %ipset_exists = ();
%helpers = ( amanda => 1, %helpers = ( amanda => TCP,
ftp => 1, ftp => TCP,
h323 => 1, h323 => UDP,
irc => 1, irc => TCP,
netbios_ns => 1, netbios_ns => UDP,
netlink => 1, pptp => TCP,
proto_gre => 1, sane => TCP,
proto_sctp => 1, sip => UDP,
pptp => 1, snmp => UDP,
proto_udplite => 1, tftp => UDP);
sane => 1,
sip => 1,
tftp => 1 );
# #
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
# #
@ -4004,22 +4002,49 @@ sub do_connbytes( $ ) {
} }
# #
# Create a soft "-m helper" match for the passed argument # Validate a helper/protocol pair
#
sub validate_helper( $;$ ) {
my ( $helper, $proto ) = @_;
my $helper_base = $helper;
$helper_base =~ s/-\d+$//;
my $helper_proto = $helpers{$helper_base};
if ( $helper_proto) {
#
# Recognized helper
#
if ( supplied $proto ) {
my $protonum = -1;
unless ( $proto eq '-' ) {
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
}
unless ( $protonum == $helper_proto ) {
fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
}
}
} else {
fatal_error "Unrecognized helper ($helper_base)";
}
}
#
# Create an "-m helper" match for the passed argument
# #
sub do_helper( $ ) { sub do_helper( $ ) {
my $helper = shift; my $helper = shift;
return '' if $helper eq '-'; return '' if $helper eq '-';
my $helper_base = $helper; validate_helper( $helper );
$helper_base =~ s/-\d+$//;
warning_message "Unrecognized helper ($helper)" unless $helpers{$helper_base};
qq(-m helper --helper "$helper" ) if defined wantarray; qq(-m helper --helper "$helper" ) if defined wantarray;
} }
# #
# Create a "-m length" match for the passed LENGTH # Create a "-m length" match for the passed LENGTH
# #
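Review bot: The `fatal_error "Unknown PROTO ($protonum)"` line in validate_helper interpolates `$protonum`, which the failed `resolve_proto( $proto )` assignment has just set to undef, so the operator sees `Unknown PROTO ()` plus an uninitialized-value warning instead of the value they typed; it should read `fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );`. Separately, because do_helper now calls validate_helper, an unrecognized helper is a fatal_error where the removed line only issued a warning_message, and the %helpers table in the earlier hunk no longer lists netlink, proto_gre, proto_sctp or proto_udplite — presumably intentional, but any existing rule naming one of those now fails to compile rather than warning. The header comment could state that contract, e.g. `# Validate a helper/protocol pair; fatal if the helper is unknown or PROTO does not match its required protocol`.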


@ -76,7 +76,7 @@ sub process_notrack_rule( $$$$$$$ ) {
if ( $option eq 'helper' ) { if ( $option eq 'helper' ) {
fatal_error "Invalid helper' ($args)" if $args =~ /,/; fatal_error "Invalid helper' ($args)" if $args =~ /,/;
fatal_error "A protocol protocol is required in CT:helper rules" if $proto eq '-'; fatal_error "A protocol protocol is required in CT:helper rules" if $proto eq '-';
do_helper( $args ); validate_helper( $args, $proto );
$action = "CT --helper $args"; $action = "CT --helper $args";
$exception_rule = do_proto( $proto, '-', '-' ); $exception_rule = do_proto( $proto, '-', '-' );
} elsif ( $option eq 'ctevents' ) { } elsif ( $option eq 'ctevents' ) {