Don't require a helper in the CT action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-05-16 09:08:32 -07:00
parent 86ef3d3e35
commit 9329e7c36c
4 changed files with 24 additions and 8 deletions


@ -765,7 +765,6 @@ sub initialize( $$$ ) {
RETURN => 1, RETURN => 1,
QUEUE => 1, QUEUE => 1,
CLASSIFY => 1, CLASSIFY => 1,
CT => 1,
DNAT => 1, DNAT => 1,
MASQUERADE => 1, MASQUERADE => 1,
NETMAP => 1, NETMAP => 1,
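Review bot: The removal of `CT => 1` from this table in initialize() is not explained by the commit message, which only mentions making the helper optional. Please state in the message, or in a comment next to the table, why CT no longer belongs beside CLASSIFY, DNAT and the other entries, so this change can be reviewed and reverted independently of the parser change.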


@ -148,14 +148,19 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
$disposition = "helper"; $disposition = "helper";
if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) { if ( $args =~ /^([-\w.]*)\((.+)\)$/ ) {
$args = $1; $args = $1;
$modifiers = $2; $modifiers = $2;
} }
fatal_error "Invalid helper' ($args)" if $args =~ /,/; if ( supplied $args ) {
validate_helper( $args, $proto ); fatal_error "Invalid helper' ($args)" if $args =~ /,/;
$action = "CT --helper $helpers_aliases{$args}"; validate_helper( $args, $proto );
$action = "CT --helper $helpers_aliases{$args}";
} else {
$action = "CT ";
}
$exception_rule = do_proto( $proto, '-', '-' ); $exception_rule = do_proto( $proto, '-', '-' );
for my $mod ( split_list1( $modifiers, 'ctevents' ) ) { for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
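Review bot: The new else branch sets `$action = "CT "` whenever `$args` is empty, but nothing in the visible lines ties that to the parenthesized list having matched. If the regex does not match and `$args` is empty, `$modifiers` is not assigned by this block and the rule would carry a CT target with neither a helper nor options; consider a fatal_error in the else branch unless `$modifiers` is supplied. While the line is being re-indented, the stray apostrophe in "Invalid helper' ($args)" could also be dropped.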


@ -90,7 +90,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term> role="bold">CT:helper:(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT &gt;= 2. Values other <para>This column is only present when FORMAT &gt;= 2. Values other
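Review bot: In the new synopsis the helper-less form is merged into the existing bold element, giving `role="bold">CT:helper:(...)|CT:notrack</emphasis>`, so the `|` separator and the `<replaceable>` placeholders sit inside the bold span. The IP6TABLES variant of this synopsis later in the same commit puts `CT:helper:(...)` in its own `<emphasis role="bold">` element followed by `|`; doing the same here keeps the two pages consistent.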
@ -114,7 +114,8 @@
<replaceable>name</replaceable> to this connection. This is more <replaceable>name</replaceable> to this connection. This is more
flexible than loading the conntrack helper with preset ports. If flexible than loading the conntrack helper with preset ports. If
a <replaceable>log-level</replaceable> is specified, the packet a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para> will also be logged at that level. Beginning with Shorewall
4.6.10, the helper name is optional</para>
<para>At this writing, the available helpers are:</para> <para>At this writing, the available helpers are:</para>
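Review bot: The added sentence "Beginning with Shorewall 4.6.10, the helper name is optional" ends without a period before `</para>`, and it does not say what the rule does when the name is left out. Add the period and a clause stating the effect, for example that only the parenthesized options are applied to the connection.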
@ -242,6 +243,11 @@
expectation events for this connection.</para> expectation events for this connection.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Beginning with Shorewall 4.6.10, the parenthesized list of
<replaceable>arg</replaceable>=<replaceable>val</replaceable>
pairs may be given without a helper name (e.g.,
CT:helper:(ctevents=assured,destroyed)).</para>
</listitem> </listitem>
<listitem> <listitem>
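Review bot: The example `CT:helper:(ctevents=assured,destroyed)` in the new paragraph is plain text, while the synopsis marks literal keywords with `<emphasis role="bold">`. Marking the example up the same way would set it apart from the surrounding sentence. The paragraph also repeats what the sentence added in the -114 hunk says; one of the two could simply refer to the other.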


@ -90,6 +90,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:helper:(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])</emphasis>|<emphasis
role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term> role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
@ -242,6 +243,11 @@
expectation events for this connection.</para> expectation events for this connection.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Beginning with Shorewall 4.6.10, the parenthesized list of
<replaceable>arg</replaceable>=<replaceable>val</replaceable>
pairs may be given without a helper name (e.g.,
CT:helper:(ctevents=assured,destroyed)).</para>
</listitem> </listitem>
<listitem> <listitem>
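Review bot: This page receives the synopsis change and this closing paragraph, but no counterpart to the "Beginning with Shorewall 4.6.10, the helper name is optional" sentence that the other page gains in its -114 hunk. If the omission is not deliberate, add the same sentence to the helper description here so that both pages document the change identically.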