diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index e47bc068d..b3698ee48 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2024,7 +2024,7 @@ determine_capabilities() {
FTP_HELPER=
IRC_HELPER=
NETBIOS_NS_HELPER=
- H323_HELPERS=
+ H323_HELPER=
PPTP_HELPER=
SANE_HELPER=
SIP_HELPER=
@@ -2191,19 +2191,7 @@ determine_capabilities() {
qt $g_tool -t raw -X $chain
qt $g_tool -t raw -N $chain
- if qt $g_tool -t raw -A $chain -j CT --notrack; then
- CT_TARGET=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPERS=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
- qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
- fi
+ qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
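Review bot: The trailing `;` on the new probe line `qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;` is a stray statement terminator that no other probe line in determine_capabilities carries; drop it so the line reads `qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes`. It is harmless in sh, but it looks like a leftover from editing the removed `if` block. determine_capabilities continues outside the hunk.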
@@ -2257,7 +2245,18 @@ determine_capabilities() {
fi
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
- qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+
+ qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda && HELPER_MATCH=Yes && AMANDA_HELPER=Yes
+ qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp && HELPER_MATCH=Yes && FTP_HELPER=Yes
+ qt $g_tool -A $chain -p udp --dport 1719 -m helper --helper RAS && HELPER_MATCH=Yes && H323_HELPER=Yes
+ $g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes
+ qt $g_tool -A $chain -p udp --dport 137 -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes
+ qt $g_tool -A $chain -p tcp --dport 1729 -m helper --helper pptp && HELPER_MATCH=Yes && PPTP_HELPER=Yes
+ qt $g_tool -A $chain -p tcp --dport 6566 -m helper --helper sane && HELPER_MATCH=Yes && SANE_HELPER=Yes
+ qt $g_tool -A $chain -p udp --dport 5060 -m helper --helper sip && HELPER_MATCH=Yes && SIP_HELPER=Yes
+ qt $g_tool -A $chain -p udp --dport 161 -m helper --helper snmp && HELPER_MATCH=Yes && SNMP_HELPER=Yes
+ qt $g_tool -A $chain -p udp --dport 69 -m helper --helper tftp && HELPER_MATCH=Yes && TFTP_HELPER=Yes
+
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
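Review bot: The irc probe is the only new line without the `qt` wrapper: `$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes`, while the other nine probes in this run all start with `qt $g_tool`. Presumably `qt` is what silences the tool's output, so on a system without the irc helper this probe would print iptables' error into the capability-detection output. It should read `qt $g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes`. determine_capabilities continues outside the hunk.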
@@ -2389,7 +2388,7 @@ report_capabilities() {
report_capability "FTP Helper" $FTP_HELPER
report_capability "IRC Helper" $IRC_HELPER
report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
- report_capability "H323 Helpers" H323_HELPERS
+ report_capability "H323 Helper" $H323_HELPER
report_capability "PPTP Helper" $PPTP_HELPER
report_capability "SANE Helper" $SANE_HELPER
report_capability "SIP Helper" $SIP_HELPER
@@ -2495,7 +2494,7 @@ report_capabilities1() {
report_capability1 FTP_HELPER
report_capability1 IRC_HELPER
report_capability1 NETBIOS_NS_HELPER
- report_capability1 H323_HELPERS
+ report_capability1 H323_HELPER
report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER
report_capability1 SNMP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 709801f2b..0621d667d 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -79,7 +79,6 @@ our @EXPORT = qw(
add_interface_options
%chain_table
- %helpers
%targets
$raw_table
$rawpost_table
@@ -331,19 +330,6 @@ our $rawpost_table;
our $nat_table;
our $mangle_table;
our $filter_table;
-our %helpers = ( amanda => UDP,
- ftp => TCP,
- irc => TCP,
- 'netbios-ns' => UDP,
- pptp => TCP,
- 'Q.931' => TCP,
- RAS => UDP,
- sane => TCP,
- sip => UDP,
- snmp => UDP,
- tftp => UDP,
- );
-
my $comment;
my @comments;
my $export;
@@ -1885,7 +1871,7 @@ sub dnat_chain( $ )
#
sub notrack_chain( $ )
{
- $_[0] . '_notrk';
+ $_[0] . '_ctrk';
}
#
@@ -4339,12 +4325,20 @@ sub validate_helper( $;$ ) {
#
# Recognized helper
#
+ my $capability = $helpers_map{$helper};
+ my $external_helper = lc $capability;
+
+ $external_helper =~ s/_helper//;
+ $external_helper =~ s/_/-/;
+
+ fatal_error "The $external_helper helper is not enabled" unless $helpers_enabled{$external_helper};
+
if ( supplied $proto ) {
require_capability $helpers_map{$helper}, "Helper $helper", 's';
my $protonum = -1;
- fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
+ fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
unless ( $protonum == $helper_proto ) {
fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
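Review bot: Deriving the `%helpers_enabled` key from the capability name (`lc`, strip `_helper`, then a single non-global `s/_/-/`) only works because every current capability has at most one underscore left after stripping; a future helper whose name carries two would silently fail the lookup and be reported as "not enabled" rather than as a naming mismatch. An explicit capability-to-external-name table (Config.pm already declares `our %helpers_names` but nothing in this diff populates it) would make the mapping a lookup instead of string surgery. Also `$capability` is computed on the first new line but the later `require_capability $helpers_map{$helper}, "Helper $helper", 's';` still repeats the hash lookup; `require_capability $capability, "Helper $helper", 's';` keeps them in step. validate_helper continues outside the hunk.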
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 40fef49fe..94232a0b6 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -144,13 +144,24 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%config_files
%shorewallrc
+ %helpers
%helpers_map
+ %helpers_enabled
@auditoptions
F_IPV4
F_IPV6
+ TCP
+ UDP
+ UDPLITE
+ ICMP
+ DCCP
+ IPv6_ICMP
+ SCTP
+ GRE
+
MIN_VERBOSITY
MAX_VERBOSITY
@@ -162,7 +173,18 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
CONFIG_CONTINUATION
DO_INCLUDE
NORMAL_READ
- ) ] );
+ ) ] ,
+ protocols => [ qw (
+ TCP
+ UDP
+ UDPLITE
+ ICMP
+ DCCP
+ IPv6_ICMP
+ SCTP
+ GRE
+ ) ],
+ );
Exporter::export_ok_tags('internal');
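Review bot: The new `protocols` tag is not passed to `Exporter::export_ok_tags`, which still reads `Exporter::export_ok_tags('internal');` on the last line; the `:protocols` import in IPAddrs.pm appears to work only because the same eight constants were also added to the `internal` list in the previous hunk. `Exporter::export_ok_tags('internal', 'protocols');` makes the tag self-sufficient, after which the duplicate entries under `internal` could be dropped. Minor style point: `qw (` with a space before the delimiter parses fine but differs from the `qw(` spelling used for the other lists in this file.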
@@ -318,10 +340,10 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
- H323_HELPERS => 'H323 Helpers',
+ H323_HELPER => 'H323 Helpers',
IRC_HELPER => 'IRC Helper',
NETBIOS_NS_HELPER =>
- 'Amanda Helper',
+ 'Netbios-ns Helper',
PPTP_HELPER => 'PPTP Helper',
SANE_HELPER => 'Amanda Helper',
SIP_HELPER => 'SIP Helper',
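Review bot: `SANE_HELPER => 'Amanda Helper'` on the context line just after the corrected NETBIOS_NS_HELPER entry is the same copy-paste error the commit fixes for netbios-ns, and the renamed `H323_HELPER => 'H323 Helpers'` keeps the plural while lib.cli's report_capabilities now prints "H323 Helper". Change them to `H323_HELPER => 'H323 Helper',` and `SANE_HELPER => 'SANE Helper',` so the capability descriptions agree with each other and with the shell side.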
@@ -335,19 +357,47 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
KERNELVERSION => 'Kernel Version',
);
+use constant {
+ ICMP => 1,
+ TCP => 6,
+ UDP => 17,
+ DCCP => 33,
+ GRE => 47,
+ IPv6_ICMP => 58,
+ SCTP => 132,
+ UDPLITE => 136,
+ };
+
+our %helpers = ( amanda => UDP,
+ ftp => TCP,
+ irc => TCP,
+ 'netbios-ns' => UDP,
+ pptp => TCP,
+ 'Q.931' => TCP,
+ RAS => UDP,
+ sane => TCP,
+ sip => UDP,
+ snmp => UDP,
+ tftp => UDP,
+ );
+
our %helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
- 'Q.931' => 'H323_HELPERS',
- RAS => 'H323_HELPERS',
+ 'Q.931' => 'H323_HELPER',
+ RAS => 'H323_HELPER',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
+our %helpers_names;
+
+our %helpers_enabled;
+
our %config_files = ( #accounting => 1,
actions => 1,
blacklist => 1,
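Review bot: `our %helpers_names;` is declared here but nothing in this diff populates, exports or reads it, and it is absent from the `%EXPORT_TAGS` additions earlier in the file. Either remove it or add a comment stating what it is meant to hold; an unexplained empty package hash next to the two hashes that are actually used (`%helpers`, `%helpers_enabled`) will mislead the next reader. The `%helpers` table also deserves a one-line comment that its values are the protocol constants defined just above, since the `use constant` block now sits mid-file where a reader may not expect it.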
@@ -682,7 +732,7 @@ sub initialize( $;$ ) {
EXPORTMODULES => undef,
LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef,
- AUTOHELPERS => undef,
+ HELPERS => undef,
#
# Packet Disposition
#
@@ -801,7 +851,7 @@ sub initialize( $;$ ) {
NFACCT_MATCH => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
- H323_HELPERS => undef,
+ H323_HELPER => undef,
IRC_HELPER => undef,
NETBIOS_NS_HELPER => undef,
PPTP_HELPER => undef,
@@ -849,6 +899,19 @@ sub initialize( $;$ ) {
CONFDIR => '/etc/',
);
+ %helpers_enabled = (
+ amanda => 1,
+ ftp => 1,
+ h323 => 1,
+ irc => 1,
+ 'netbios-ns' => 1,
+ pptp => 1,
+ sane => 1,
+ sip => 1,
+ snmp => 1,
+ tftp => 1,
+ );
+
process_shorewallrc( $shorewallrc ) if $shorewallrc;
$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
@@ -3165,8 +3228,54 @@ sub Realm_Match() {
qt1( "$iptables -A $sillyname -m realm --realm 1" );
}
-sub Helper_Match() {
- qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+sub Amanda_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{amanda} && qt1( "$iptables -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
+}
+
+sub FTP_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{ftp} && qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
+}
+
+sub H323_Helpers() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{h323} && qt1( "$iptables -A $sillyname -p udp --dport 1719 -m helper --helper RAS" );
+}
+
+sub IRC_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{irc} && qt1( "$iptables -A $sillyname -p tcp --dport 6667 -m helper --helper irc" );
+}
+
+sub Netbios_ns_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{'netbios-ns'} && qt1( "$iptables -A $sillyname -p udp --dport 137 -m helper --helper netbios-ns" );
+}
+
+sub PPTP_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{pptp} && qt1( "$iptables -A $sillyname -p tcp --dport 1729 -m helper --helper pptp" );
+}
+
+sub SANE_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{sane} && qt1( "$iptables -A $sillyname -p tcp --dport 6566 -m helper --helper sane" );
+}
+
+sub SIP_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{sip} && qt1( "$iptables -A $sillyname -p udp --dport 5060 -m helper --helper sip" );
+}
+
+sub SNMP_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{snmp} && qt1( "$iptables -A $sillyname -p udp --dport 161 -m helper --helper snmp" );
+}
+
+sub TFTP_Helper() {
+ $capabilities{HELPER_MATCH} = 1 if
+ $helpers_enabled{tftp} && qt1( "$iptables -A $sillyname -p udp --dport 69 -m helper --helper tftp" );
}
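Review bot: `Amanda_Helper` probes with `-j CT --helper amanda` and no `-t raw`, whereas the other nine new subs and the amanda line in lib.cli all use `-m helper --helper`. As far as I can tell the CT target is only accepted in the raw table, so this probe would fail on every system and AMANDA_HELPER (and HELPER_MATCH, if amanda is the only enabled helper) would never be detected through this path; the line should read `$helpers_enabled{amanda} && qt1( "$iptables -A $sillyname -p udp --dport 10080 -m helper --helper amanda" );`. A short header comment on the first of these subs noting that they double as the HELPER_MATCH detector would also help, since HELPER_MATCH is no longer probed on its own.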
sub Connlimit_Match() {
@@ -3248,46 +3357,6 @@ sub Ct_Target() {
$ct_target;
}
-sub Amanda_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
-}
-
-sub FTP_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 21 -j CT --helper ftp" );
-}
-
-sub H323_Helpers() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 1719 -j CT --helper RAS" );
-}
-
-sub IRC_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6667 -j CT --helper irc" );
-}
-
-sub Netbios_ns_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 137 -j CT --helper netbios-ns" );
-}
-
-sub PPTP_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 1729 -j CT --helper pptp" );
-}
-
-sub SANE_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6566 -j CT --helper sane" );
-}
-
-sub SIP_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 5060 -j CT --helper sip" );
-}
-
-sub SNMP_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 161 -j CT --helper snmp" );
-}
-
-sub TFTP_Helper() {
- have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 69 -j CT --helper tftp" );
-}
-
sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
}
@@ -3348,10 +3417,9 @@ our %detect_capability =
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target,
- H323_HELPERS => \&H323_Helpers,
+ H323_HELPER => \&H323_Helpers,
HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
- HELPER_MATCH => \&Helper_Match,
IMQ_TARGET => \&Imq_Target,
IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match,
@@ -3502,7 +3570,6 @@ sub determine_capabilities() {
$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
$capabilities{IPMARK_TARGET} = detect_capability( 'IPMARK_TARGET' );
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
-
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
@@ -3512,7 +3579,6 @@ sub determine_capabilities() {
$capabilities{TCPMSS_MATCH} = detect_capability( 'TCPMSS_MATCH' );
$capabilities{NFQUEUE_TARGET} = detect_capability( 'NFQUEUE_TARGET' );
$capabilities{REALM_MATCH} = detect_capability( 'REALM_MATCH' );
- $capabilities{HELPER_MATCH} = detect_capability( 'HELPER_MATCH' );
$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
@@ -4366,7 +4432,29 @@ sub get_configuration( $$$ ) {
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
- default_yes_no 'AUTOHELPERS' , 'Yes';
+
+ if ( supplied $config{HELPERS} ) {
+ my %helpers_temp = %helpers_enabled;
+
+ $helpers_temp{$_} = 0 for keys %helpers_temp;
+
+ for ( split_list $config{HELPERS} , 'helper' ) {
+ my $name = $_;
+ if ( exists $helpers_enabled{$name} ) {
+ s/-/_/;
+ require_capability( uc( $_ ) . '_HELPER' , "The $name helper", 's' );
+ $helpers_temp{$name} = 1;
+ } else {
+ fatal_error "Unknown Helper ($_)";
+ }
+ }
+
+ %helpers_enabled = %helpers_temp;
+
+ while ( my ( $helper, $enabled ) = each %helpers_enabled ) {
+ $capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled;
+ }
+ }
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
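Review bot: The disabling loop at the end of the new block builds the capability key as `uc($helper) . '_HELPER'` without the `s/-/_/` translation that the enabling loop applies, so for `netbios-ns` it writes a bogus `NETBIOS-NS_HELPER` key and leaves NETBIOS_NS_HELPER set; a configuration that omits netbios-ns from HELPERS would still emit its conntrack rule. Use `( my $cap = uc $helper ) =~ s/-/_/;` followed by `$capabilities{ $cap . '_HELPER' } = 0 unless $enabled;`. In the enabling loop, `s/-/_/;` rewrites the aliased `$_` in place; `( my $cap = $name ) =~ s/-/_/;` with `require_capability( uc( $cap ) . '_HELPER', ... )` is clearer and keeps `$_` untouched for the fatal_error message. get_configuration continues outside the hunk.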
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index 609ce3f7e..84e724524 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,7 +26,7 @@
#
package Shorewall::IPAddrs;
require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
use Socket;
use strict;
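Review bot: This import switches IPAddrs.pm itself to `:protocols`, but the next hunk also drops TCP, UDP, UDPLITE, ICMP, DCCP, IPv6_ICMP, SCTP and GRE from IPAddrs' own `@EXPORT`, so any other module that obtained these constants from Shorewall::IPAddrs will no longer compile unless it is updated to import `:protocols` from Shorewall::Config. None of those modules are touched in this diff, so I cannot tell whether they exist; a grep for the constant names across the Perl tree before merging would settle it. If some do, IPAddrs.pm could keep re-exporting the names to avoid a breaking change.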
@@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
ALLIP
NILIP
ALL
- TCP
- UDP
- UDPLITE
- ICMP
- DCCP
- IPv6_ICMP
- SCTP
- GRE
validate_address
validate_net
@@ -115,14 +107,7 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
IPv6_LINK_ALLRTRS => 'ff01::2' ,
IPv6_SITE_ALLNODES => 'ff02::1' ,
IPv6_SITE_ALLRTRS => 'ff02::2' ,
- ICMP => 1,
- TCP => 6,
- UDP => 17,
- DCCP => 33,
- GRE => 47,
- IPv6_ICMP => 58,
- SCTP => 132,
- UDPLITE => 136 };
+ };
my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index b3bd52b4e..1713690ec 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -20,7 +20,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# This module contains the code that handles the /etc/shorewall/notrack file.
+# This module contains the code that handles the /etc/shorewall/conntrack file.
#
package Shorewall::Raw;
require Exporter;
@@ -55,7 +55,7 @@ sub process_notrack_rule( $$$$$$$ ) {
my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
- require_capability 'RAW_TABLE', 'Notrack rules', '';
+ require_capability 'RAW_TABLE', 'conntrack rules', '';
my $target = $action;
my $exception_rule = '';
@@ -66,10 +66,10 @@ sub process_notrack_rule( $$$$$$$ ) {
fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
- require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+ require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
if ( $option eq 'notrack' ) {
- fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+ fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
$action = 'CT --notrack';
} else {
fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
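Review bot: The context line `fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';` still says "notrack" while the changed line three below now says "Invalid conntrack ACTION"; both messages describe the same file, so the first should become `fatal_error "Invalid conntrack ACTION ( $action )" if $junk || $target ne 'CT';`. The enclosing sub is still named process_notrack_rule, which is fine to keep for compatibility but is worth a one-line comment noting that it handles the conntrack file. process_notrack_rule continues outside the hunk.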
@@ -158,7 +158,7 @@ sub setup_notrack() {
my ( $source, $dest, $proto, $ports, $sports, $user );
if ( $format == 1 ) {
- ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+ ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'FORMAT' ) {
$format = process_format( $dest );
@@ -170,7 +170,7 @@ sub setup_notrack() {
next;
}
} else {
- ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+ ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
if ( $action eq 'FORMAT' ) {
$format = process_format( $source );
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 9815595e2..d334682db 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -116,8 +116,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -146,6 +144,8 @@ FASTACCEPT=Yes
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 6397cdd60..38af1be72 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -127,8 +127,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -157,6 +155,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index c55aa08ef..e4f7b5142 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -125,8 +125,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -155,6 +153,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index e63e13dba..58ff0e882 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -128,8 +128,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -158,6 +156,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
index 34cb07071..2ca3b9eab 100644
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -7,40 +7,34 @@
FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
-?IF $AUTOHELPERS && __CT_TARGET
-COMMENT AUTOHELPERS
-?IF __AMANDA_HELPER
+?IF __CT_TARGET && __AMANDA_HELPER
CT:helper:amanda all - udp 10080
?ENDIF
-?IF __FTP_HELPER
+?IF __CT_TARGET && __FTP_HELPER
CT:helper:ftp all - tcp 21
?ENDIF
-?IF __H323_HELPERS
-COMMENT AUTOHELPERS - H323
+?IF __CT_TARGET && __H323_HELPER
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
-COMMENT AUTOHELPERS
?ENDIF
-?IF __IRC_HELPER
+?IF __CT_TARGET && __IRC_HELPER
CT:helper:irc all - tcp 6667
?ENDIF
-?IF __NETBIOS_NS_HELPER
+?IF __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
?ENDIF
-?IF __PPTP_HELPER
+?IF __CT_TARGET && __PPTP_HELPER
CT:helper:pptp all - tcp 1729
?ENDIF
-?IF __SANE_HELPER
+?IF __CT_TARGET && __SANE_HELPER
CT:helper:sane all - tcp 6566
?ENDIF
-?IF __SIP_HELPER
+?IF __CT_TARGET && __SIP_HELPER
CT:helper:sip all - udp 5060
?ENDIF
-?IF __SNMP_HELPER
+?IF __CT_TARGET && __SNMP_HELPER
CT:helper:snmp all - udp 161
?ENDIF
-?IF __TFTP_HELPER
+?IF __CT_TARGET && __TFTP_HELPER
CT:helper:tftp all - udp 69
?ENDIF
-COMMENT
-?ENDIF
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index d902b345d..8d7f3a0df 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -116,8 +116,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -146,6 +144,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index a3b716476..022acfebb 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -46,6 +46,13 @@
where format is either 1 or 2.
+ Comments may be attached to Netfilter rules generated from entries
+ in this file through the use of COMMENT lines. These lines begin with the
+ word COMMENT; the remainder of the line is treated as a comment which is
+ attached to subsequent rules until another COMMENT line is found or until
+ the end of the file is reached. To stop adding comments to rules, use a
+ line with only the word COMMENT.
+
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).
@@ -222,13 +229,9 @@
url="shorewall-exclusion.html">shorewall-exclusion
(5)).
- Comments may be attached to Netfilter rules generated from
- entries in this file through the use of COMMENT lines. These lines
- begin with the word COMMENT; the remainder of the line is treated as
- a comment which is attached to subsequent rules until another
- COMMENT line is found or until the end of the file is reached. To
- stop adding comments to rules, use a line with only the word
- COMMENT.
+ Beginning with Shorewall 4.5.7, can be
+ used as the zone name to mean
+ all zones.
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index d4a190028..209eff551 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -299,30 +299,6 @@
-
- AUTOHELPERS=[Yes|No]
-
-
- Added in Shorewall 4.5.7.
-
- In Linux 3.5, the Netfilter team announced that the automatic
- association of helpers with connections based on protocol and port
- would no longer be supported after a certain point. This means that
- explicit rules must be added in shorewall-conntrack (5) in order for
- applications like FTP that require a helper to continue to work
- correctly. To work around this problem, the AUTOHELPERS option was
- added with a default value of Yes.
-
- If set to Yes and the CT Target capability is present in the
- kernel and iptables, then Shorewall will automatically create the
- same associations that were made by the modules themselves prior to
- removal of the automatic association feature. The associations are
- actually in shorewall-conntrack (5) so you can modify them to suit
- your particular needs.
-
-
-
AUTOMAKE=[Yes|No]
@@ -708,6 +684,62 @@ net all DROP infothen the chain name is 'net2all'
+
+ HELPERS=[helper[,helper...]]
+
+
+ Added in Shorewall 4.5.7. This option lists the Netfilter
+ application helps that are to be enabled. If not specified, the
+ default is to enable all helpers.
+
+ Possible values for helper
+ are:
+
+
+
+ amanda
+
+
+
+ ftp
+
+
+
+ h323
+
+
+
+ irc
+
+
+
+ netbios-ns
+
+
+
+ pptp
+
+
+
+ sane
+
+
+
+ sip
+
+
+
+ snmp
+
+
+
+ tftp
+
+
+
+
+
HIGH_ROUTE_MARKS={Yes|No}
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 73b0eba97..af44a223e 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -137,6 +135,8 @@ FASTACCEPT=Yes
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index d766512a7..5b2864e23 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index f0d709559..3cf36656e 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index cdde00832..35beedfbd 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall6/configfiles/conntrack b/Shorewall6/configfiles/conntrack
index a8a0e315a..b59c8455c 100644
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -7,40 +7,34 @@
FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
-?IF $AUTOHELPERS && __CT_TARGET
-COMMENT AUTOHELPERS
-?IF __AMANDA_HELPER
+?IF __CT_TARGET && __AMANDA_HELPER
CT:helper:amanda all - udp 10080
?ENDIF
-?IF __FTP_HELPER
+?IF __CT_TARGET && __FTP_HELPER
CT:helper:ftp all - tcp 21
?ENDIF
-?IF __H323_HELPERS
-COMMENT AUTOHELPERS - H323
+?IF __CT_TARGET && __H323_HELPER
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
-COMMENT AUTOHELPERS
?ENDIF
-?IF __IRC_HELPER
+?IF __CT_TARGET && __IRC_HELPER
CT:helper:irc all - tcp 6667
?ENDIF
-?IF __NETBIOS_NS_HELPER
+?IF __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
?ENDIF
-?IF __PPTP_HELPER
+?IF __CT_TARGET && __PPTP_HELPER
CT:helper:pptp all - tcp 1729
?ENDIF
-?IF __SANE_HELPER
+?IF __CT_TARGET && __SANE_HELPER
CT:helper:sane all - tcp 6566
?ENDIF
-?IF __SIP_HELPER
+?IF __CT_TARGET && __SIP_HELPER
CT:helper:sip all - udp 5060
?ENDIF
-?IF __SNMP_HELPER
+?IF __CT_TARGET && __SNMP_HELPER
CT:helper:snmp all - udp 161
?ENDIF
-?IF __TFTP_HELPER
+?IF __CT_TARGET && __TFTP_HELPER
CT:helper:tftp all - udp 69
?ENDIF
-COMMENT
-?ENDIF
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 722b825ed..096f64b58 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
-
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=Yes
+HELPERS=
+
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index a29824ec7..a3cb5c4d5 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -45,6 +45,13 @@
where format is either 1 or 2.
+ Comments may be attached to Netfilter rules generated from entries
+ in this file through the use of COMMENT lines. These lines begin with the
+ word COMMENT; the remainder of the line is treated as a comment which is
+ attached to subsequent rules until another COMMENT line is found or until
+ the end of the file is reached. To stop adding comments to rules, use a
+ line with only the word COMMENT.
+
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).
@@ -124,6 +131,10 @@
list of addresses (may contain exclusion - see shorewall6-exclusion
(5)).
+
+ Beginning with Shorewall 4.5.7, can be
+ used as the zone name to mean
+ all zones.
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 600207c69..5ef8a559f 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -228,30 +228,6 @@
-
- AUTOHELPERS=[Yes|No]
-
-
- Added in Shorewall 4.5.7.
-
- In Linux 3.5, the Netfilter team announced that the automatic
- association of helpers with connections based on protocol and port
- would no longer be supported after a certain point. This means that
- explicit rules must be added in shorewall-conntrack (5) in order for
- applications like FTP that require a helper to continue to work
- correctly. To work around this problem, the AUTOHELPERS option was
- added with a default value of Yes.
-
- If set to Yes and the CT Target capability is present in the
- kernel and iptables, then Shorewall will automatically create the
- same associations that were made by the modules themselves prior to
- removal of the automatic association feature. The associations are
- actually in shorewall-conntrack (5) so you can modify them to suit
- your particular needs.
-
-
-
AUTOMAKE=[Yes|No]
@@ -617,6 +593,62 @@ net all DROP infothen the chain name is 'net2all'
+
+ HELPERS=[helper[,helper...]]
+
+
+ Added in Shorewall 4.5.7. This option lists the Netfilter
+ application helps that are to be enabled. If not specified, the
+ default is to enable all helpers.
+
+ Possible values for helper
+ are:
+
+
+
+ amanda
+
+
+
+ ftp
+
+
+
+ h323
+
+
+
+ irc
+
+
+
+ netbios-ns
+
+
+
+ pptp
+
+
+
+ sane
+
+
+
+ sip
+
+
+
+ snmp
+
+
+
+ tftp
+
+
+
+
+
HIGH_ROUTE_MARKS={Yes|No}