From c007f847a0c46ffb2bbef4193d5b041bc19c0fa8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 6 Aug 2012 15:54:45 -0700 Subject: [PATCH] Handle disabled helpers in pre-3.5 kernels. Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 22 +++++ Shorewall/Perl/Shorewall/Chains.pm | 2 +- Shorewall/Perl/Shorewall/Config.pm | 147 ++++++++++++++++++++++------- Shorewall/Perl/Shorewall/Raw.pm | 2 +- docs/Helpers.xml | 76 +++++++++++++++ 5 files changed, 211 insertions(+), 38 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 0707849e2..5412ba517 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -2022,14 +2022,19 @@ determine_capabilities() { NFACCT_MATCH= AMANDA_HELPER= FTP_HELPER= + FTP0_HELPER= IRC_HELPER= + IRC0_HELPER= NETBIOS_NS_HELPER= H323_HELPER= PPTP_HELPER= SANE_HELPER= + SANE0_HELPER= SIP_HELPER= + SIP0_HELPER= SNMP_HELPER= TFTP_HELPER= + TFTP0_HELPER= chain=fooX$$ 
@@ -2196,14 +2201,19 @@ determine_capabilities() { qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes fi qt $g_tool -t raw -F $chain @@ -2268,6 +2278,7 @@ determine_capabilities() { if [ -z "$CT_TARGET" ]; then AMANDA_HELPER=Yes FTP_HELPER=Yes + FTP_HELPER=Yes H323_HELPER=Yes IRC_HELPER=Yes NS_HELPER=Yes 
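Review bot: In the `-2268` hunk the added line `+ FTP_HELPER=Yes` duplicates the `FTP_HELPER=Yes` already present on the line above it, so the no-CT_TARGET fallback gains nothing while still leaving FTP0_HELPER, IRC0_HELPER, SANE0_HELPER, SIP0_HELPER and TFTP0_HELPER unset. It looks like a copy-paste slip; either the line was meant to read `FTP0_HELPER=Yes` (with the other four `-0` variables added alongside it) or it should be dropped. Which of the two is intended depends on whether the `-0` capabilities should be assumed present when only helper match is available, which this hunk does not make visible; the Perl side (`have_helper`) falls back to HELPER_MATCH for every helper name, so mirroring that here would mean adding all five. The enclosing `determine_capabilities()` function starts and ends outside this hunk.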
@@ -2408,14 +2419,19 @@ report_capabilities() { report_capability "NFAcct match" $NFACCT_MATCH report_capability "Amanda Helper" $AMANDA_HELPER report_capability "FTP Helper" $FTP_HELPER + report_capability "FTP-0 Helper" $FTP0_HELPER report_capability "IRC Helper" $IRC_HELPER + report_capability "IRC-0 Helper" $IRC0_HELPER report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER report_capability "H323 Helper" $H323_HELPER report_capability "PPTP Helper" $PPTP_HELPER report_capability "SANE Helper" $SANE_HELPER + report_capability "SANE-0 Helper" $SANE0_HELPER report_capability "SIP Helper" $SIP_HELPER + report_capability "SIP-0 Helper" $SIP0_HELPER report_capability "SNMP Helper" $SNMP_HELPER report_capability "TFTP Helper" $TFTP_HELPER + report_capability "TFTP-0 Helper" $TFTP0_HELPER if [ $g_family -eq 4 ]; then report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S @@ -2514,13 +2530,19 @@ report_capabilities1() { report_capability1 NFACCT_MATCH report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER + report_capability1 FTP0_HELPER report_capability1 IRC_HELPER + report_capability1 IRC0_HELPER report_capability1 NETBIOS_NS_HELPER report_capability1 H323_HELPER report_capability1 PPTP_HELPER report_capability1 SANE_HELPER + report_capability1 SANE0_HELPER + report_capability1 SIP_HELPER + report_capability1 SIP0_HELPER report_capability1 SNMP_HELPER report_capability1 TFTP_HELPER + report_capability1 TFTP0_HELPER echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 0621d667d..7e1393a27 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -4359,7 +4359,7 @@ sub do_helper( $ ) { validate_helper( $helper ); - qq(-m helper --helper "$helper" ) if defined wantarray; + qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray; } 
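Review bot: In the Chains.pm hunk, `qq(-m helper --helper "$helpers_aliases{$helper}" )` interpolates an empty string whenever `$helper` is not a key of `%helpers_aliases`, producing `--helper ""` in the generated rule; `%helpers_aliases` is seeded in `initialize()` with only the eleven canonical names, so any other value that `validate_helper()` lets through (I cannot see its accepted set from here) would hit this. A fallback to the original name keeps the old behaviour for unmapped names: `qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray;` → `my $name = $helpers_aliases{$helper} || $helper;` followed by `qq(-m helper --helper "$name" ) if defined wantarray;`. The same pattern recurs in the Raw.pm hunk (`$action = "CT --helper $helpers_aliases{$args}";`) and should get the same fallback. `do_helper`'s body begins outside this hunk.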
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 32ae00c31..232e716ab 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -148,6 +148,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script %helpers %helpers_map %helpers_enabled + %helpers_aliases @auditoptions @@ -341,15 +342,20 @@ my %capdesc = ( NAT_ENABLED => 'NAT', NFACCT_MATCH => 'NFAcct Match', AMANDA_HELPER => 'Amanda Helper', FTP_HELPER => 'FTP Helper', + FTP0_HELPER => 'FTP-0 Helper', H323_HELPER => 'H323 Helpers', IRC_HELPER => 'IRC Helper', + IRC0_HELPER => 'IRC-0 Helper', NETBIOS_NS_HELPER => 'Netbios-ns Helper', PPTP_HELPER => 'PPTP Helper', - SANE_HELPER => 'Amanda Helper', + SANE_HELPER => 'SANE Helper', + SANE0_HELPER => 'SANE-0 Helper', SIP_HELPER => 'SIP Helper', + SIP0_HELPER => 'SIP-0 Helper', SNMP_HELPER => 'SNMP Helper', TFTP_HELPER => 'TFTP Helper', + TFTP0_HELPER => 'TFTP-0 Helper', # # Constants # @@ -382,21 +388,12 @@ our %helpers = ( amanda => UDP, tftp => UDP, ); -our %helpers_map = ( amanda => 'AMANDA_HELPER', - ftp => 'FTP_HELPER', - irc => 'IRC_HELPER', - 'netbios-ns' => 'NETBIOS_NS_HELPER', - pptp => 'PPTP_HELPER', - 'Q.931' => 'H323_HELPER', - RAS => 'H323_HELPER', - sane => 'SANE_HELPER', - sip => 'SIP_HELPER', - snmp => 'SNMP_HELPER', - tftp => 'TFTP_HELPER', - ); +our %helpers_map; our %helpers_names; +our %helpers_aliases; + our %helpers_enabled; our %config_files = ( #accounting => 1, @@ -852,14 +849,19 @@ sub initialize( $;$ ) { NFACCT_MATCH => undef, AMANDA_HELPER => undef, FTP_HELPER => undef, + FTP0_HELPER => undef, H323_HELPER => undef, IRC_HELPER => undef, + IRC0_HELPER => undef, NETBIOS_NS_HELPER => undef, PPTP_HELPER => undef, SANE_HELPER => undef, + SANE0_HELPER => undef, SIP_HELPER => undef, + SIP0_HELPER => undef, SNMP_HELPER => undef, TFTP_HELPER => undef, + TFTP0_HELPER => undef, CAPVERSION => undef, LOG_OPTIONS => 1, 
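Review bot: `our %helpers_aliases;` in the `-382` hunk is added, and newly exported in the `-148` hunk, with no comment saying what it maps, and the name alone does not tell a reader that the value is the name to hand to iptables. I would document it at the declaration with `# Config helper name => iptables helper name. initialize() seeds identity mappings; when a '-0' variant (helper loaded with ports=0) is detected, the value becomes e.g. 'ftp-0'.` The same hunk also moves `%helpers_map` from a file-level initializer to `initialize()`, so a one-line comment such as `# Populated in initialize()` on the now-empty `our %helpers_map;` would save the next reader a search.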
@@ -903,16 +905,48 @@ sub initialize( $;$ ) { %helpers_enabled = ( amanda => 1, ftp => 1, + 'ftp-0' => 1, h323 => 1, irc => 1, + 'irc-0' => 1, 'netbios-ns' => 1, pptp => 1, sane => 1, + 'sane-0' => 1, sip => 1, + 'sip-0' => 1, snmp => 1, tftp => 1, + 'tftp-0' => 1, ); + %helpers_map = ( amanda => 'AMANDA_HELPER', + ftp => 'FTP_HELPER', + irc => 'IRC_HELPER', + 'netbios-ns' => 'NETBIOS_NS_HELPER', + pptp => 'PPTP_HELPER', + 'Q.931' => 'H323_HELPER', + RAS => 'H323_HELPER', + sane => 'SANE_HELPER', + sip => 'SIP_HELPER', + snmp => 'SNMP_HELPER', + tftp => 'TFTP_HELPER', + ); + + %helpers_aliases = ( amanda => 'amanda', + ftp => 'ftp', + irc => 'irc', + 'netbios-ns' => 'netbios-ns', + pptp => 'pptp', + 'Q.931' => 'Q.931', + RAS => 'RAS', + sane => 'sane', + sip => 'sip', + snmp => 'snmp', + tftp => 'tftp', + ); + + process_shorewallrc( $shorewallrc ) if $shorewallrc; $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/"; @@ -1819,7 +1853,12 @@ sub evaluate_expression( $$$ ) { my ( $first, $cap, $rest ) = ( $1, $3, $4); if ( exists $capdesc{$cap} ) { - $val = have_capability( $cap ) + $val = have_capability( $cap ); + if ( defined $val ) { + $val = "'$val'" unless $val =~ /^-?\d+$/; + } else { + $val = 0; + } } elsif ( $cap =~ /^IPV([46])$/ ) { $val = ( $family == $1 ); } else { @@ -3233,12 +3272,12 @@ sub Helper_Match() { qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" ); } -sub have_helper( $ ) { - my $helper = $_[0]; +sub have_helper( $$$ ) { + my ( $helper, $proto, $port ) = @_; if ( $helpers_enabled{$helper} ) { if ( have_capability 'CT_TARGET' ) { - qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper $helper" ); + qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" ); } else { have_capability 'HELPER_MATCH'; } 
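Review bot: In the `-1819` hunk, `$val = "'$val'" unless $val =~ /^-?\d+$/;` wraps a non-numeric capability value in single quotes without escaping, so a value containing `'` or `\` would break out of the quoted literal in the assembled expression; if that expression is later passed to Perl's string `eval`, as the sub's name suggests (the evaluation step is outside this hunk), that is a quoting defect worth closing even though capability values are normally generated by Shorewall itself or read from its own capabilities file. Escape before quoting: `$val =~ s/([\\'])/\\$1/g;` then `$val = "'$val'";`. Also, `$` in `/^-?\d+$/` admits a trailing newline; `\z` is the tighter anchor for "whole value is an integer". `evaluate_expression`'s body starts and ends outside the hunk.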
@@ -3246,43 +3285,63 @@ sub have_helper( $ ) { } sub Amanda_Helper() { - have_helper 'amanda'; + have_helper( 'amanda', 'udp', 10080 ); } sub FTP_Helper() { - have_helper 'ftp'; + have_helper( 'ftp', 'tcp', 21 ); +} + +sub FTP0_Helper() { + have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0'; } sub H323_Helpers() { - have_helper 'RAS'; + have_helper( 'RAS', 'udp', 1719 ); } sub IRC_Helper() { - have_helper 'irc'; + have_helper( 'irc', 'tcp', 6667 ); +} + +sub IRC0_Helper() { + have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0'; } sub Netbios_ns_Helper() { - have_helper 'netbios-ns'; + have_helper( 'netbios-ns', 'udp', 137 ); } sub PPTP_Helper() { - have_helper 'pptp'; + have_helper( 'pptp', 'tcp', 1729 ); } sub SANE_Helper() { - have_helper 'sane'; + have_helper( 'sane', 'tcp', 6566 ); +} + +sub SANE0_Helper() { + have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0'; } sub SIP_Helper() { - have_helper 'sip'; + have_helper( 'sip', 'udp', 5060 ); +} + +sub SIP0_Helper() { + have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0'; } sub SNMP_Helper() { - have_helper 'snmp'; + have_helper( 'snmp', 'udp', 161 ); } sub TFTP_Helper() { - have_helper 'tftp'; + have_helper( 'tftp', 'udp', 69 ); +} + +sub TFTP0_Helper() { + have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0'; } sub Connlimit_Match() { @@ -3421,6 +3480,7 @@ our %detect_capability = EXMARK => \&Exmark, FLOW_FILTER => \&Flow_Filter, FTP_HELPER => \&FTP_Helper, + FTP0_HELPER => \&FTP0_Helper, FWMARK_RT_MASK => \&Fwmark_Rt_Mask, GEOIP_MATCH => \&GeoIP_Match, GOTO_TARGET => \&Goto_Target, @@ -3434,6 +3494,7 @@ our %detect_capability = IPRANGE_MATCH => \&IPRange_Match, IPSET_MATCH => \&IPSet_Match, IRC_HELPER => \&IRC_Helper, + IRC0_HELPER => \&IRC0_Helper, OLD_IPSET_MATCH => \&Old_IPSet_Match, IPSET_V5 => \&IPSET_V5, IPTABLES_S => \&Iptables_S, 
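Review bot: The new `FTP0_Helper`, `IRC0_Helper`, `SANE0_Helper`, `SIP0_Helper` and `TFTP0_Helper` subs mutate `%helpers_aliases` as a side effect of capability detection (`have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';`), while `get_configuration()` in the `-4241` hunk performs the same alias assignment centrally from `%capabilities` — so the aliasing is done in two places and is only partly effective here, since these subs never run when capabilities are read from a file. Keeping detection functions pure and relying on the `get_configuration()` step alone would make them consistent with the other `*_Helper` subs: `have_helper( 'ftp-0', 'tcp', 21 );` and likewise for the other four. A further effect of the `and`-assignment form is that the sub returns the string `'ftp-0'` rather than `1` on success, which then becomes the stored capability value; probably harmless, since callers appear to test truthiness, but it differs from every sibling.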
@@ -3469,11 +3530,14 @@ our %detect_capability = RECENT_MATCH => \&Recent_Match, RPFILTER_MATCH => \&RPFilter_Match, SANE_HELPER => \&SANE_Helper, + SANE0_HELPER => \&SANE0_Helper, SIP_HELPER => \&SIP_Helper, + SIP0_HELPER => \&SIP0_Helper, SNMP_HELPER => \&SNMP_Helper, STATISTIC_MATCH => \&Statistic_Match, TCPMSS_MATCH => \&Tcpmss_Match, TFTP_HELPER => \&TFTP_Helper, + TFTP0_HELPER => \&TFTP0_Helper, TIME_MATCH => \&Time_Match, TPROXY_TARGET => \&Tproxy_Target, USEPKTTYPE => \&Usepkttype, @@ -3529,6 +3593,17 @@ sub determine_capabilities() { $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE'; + if ( have_capability 'CT_TARGET' ) { + $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ), + 'FTP0_HELPER', + 'IRC0_HELPER', + 'SANE0_HELPER', + 'SIP0_HELPER', + 'TFTP0_HELPER' ); + } else { + $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH'; + } + unless ( $config{ LOAD_HELPERS_ONLY } ) { # # Using 'detect_capability()' is a bit less efficient than calling the individual detection @@ -3611,14 +3686,7 @@ sub determine_capabilities() { $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); - $capabilities{HELPER_MATCH} = detect_capability( 'HELPER_MATCH' ); - if ( $capabilities{CT_TARGET} ) { - for ( values %helpers_map ) { - $capabilities{$_} = detect_capability $_; - } - } - qt1( "$iptables -F $sillyname" ); qt1( "$iptables -X $sillyname" ); qt1( "$iptables -F $sillyname1" ); @@ -3953,6 +4021,7 @@ sub read_capabilities() { } $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE}; + } # 
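Review bot: In the `-3529` hunk, `HELPER_MATCH` is now detected only in the `else` branch, i.e. when `CT_TARGET` is absent, whereas the code removed in the `-3611` hunk detected it unconditionally; on a CT-capable system `$capabilities{HELPER_MATCH}` therefore stays undef and anything other than `have_helper()` that consults it — `do_helper()` in Chains.pm emits `-m helper`, and the capabilities report lists it — will see the match as unavailable. Detect it unconditionally and keep the helper loop conditional: `$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';` before the `if`, and drop the `else` branch. The new block also runs before the `unless ( $config{LOAD_HELPERS_ONLY} )` guard and relies on `have_capability 'CT_TARGET'` being answerable at that point; whether CT_TARGET has already been detected there is not visible in this hunk. `determine_capabilities()` starts and ends outside the hunk.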
@@ -4241,6 +4310,14 @@ sub get_configuration( $$$ ) { get_capabilities( $export ); + report_capabilities unless $config{LOAD_HELPERS_ONLY}; + + $helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER}; + $helpers_aliases{irc} = 'irc-0', $capabilities{IRC_HELPER} = 1 if $capabilities{IRC0_HELPER}; + $helpers_aliases{sane} = 'sane-0', $capabilities{SANE_HELPER} = 1 if $capabilities{SANE0_HELPER}; + $helpers_aliases{sip} = 'sip-0', $capabilities{SIP_HELPER} = 1 if $capabilities{SIP0_HELPER}; + $helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER}; + $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; # @@ -4716,8 +4793,6 @@ sub get_configuration( $$$ ) { $config{LOCKFILE} = ''; } - report_capabilities unless $config{LOAD_HELPERS_ONLY}; - require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' ); require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0; diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 4a11c1a7c..9bd9b4001 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -84,7 +84,7 @@ sub process_notrack_rule( $$$$$$$ ) { fatal_error "Invalid helper' ($args)" if $args =~ /,/; validate_helper( $args, $proto ); - $action = "CT --helper $args"; + $action = "CT --helper $helpers_aliases{$args}"; $exception_rule = do_proto( $proto, '-', '-' ); for my $mod ( split_list1( $modifiers, 'ctevents' ) ) { diff --git a/docs/Helpers.xml b/docs/Helpers.xml index 2a8f1aef5..b47d5f53b 100644 --- a/docs/Helpers.xml +++ b/docs/Helpers.xml 
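Review bot: The five new lines of the form `$helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER};` use the comma operator to chain two assignments under one postfix `if`, which reads as a single statement and is easy to mis-edit (a `;` typed for the `,` silently changes which assignment the condition governs). A small loop over the five helper names expresses the same mapping once, makes the `uc(name) . '0_HELPER'` relationship explicit, and leaves room for a comment saying why the base capability is forced to 1. This also gives one place to extend when another helper gains a `-0` variant. `get_configuration()` continues outside the hunk.
```perl
    get_capabilities( $export );

    report_capabilities unless $config{LOAD_HELPERS_ONLY};

    #
    # A '-0' variant detected means the helper module was loaded with ports=0:
    # emit that iptables name and treat the base helper as available.
    #
    for my $helper ( qw( ftp irc sane sip tftp ) ) {
        if ( $capabilities{ uc( $helper ) . '0_HELPER' } ) {
            $helpers_aliases{$helper}                  = "$helper-0";
            $capabilities{ uc( $helper ) . '_HELPER' } = 1;
        }
    }

    # … unchanged: STATEMATCH and the rest of get_configuration …
```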
@@ -336,6 +336,29 @@ tftp + + After disabling one or more helpers using this method, you + must: + + + + Unload the related module(s). + + + + Restart Shorewall (use the -c option (e.g., shorewall + restart -c) if you have AUTOMAKE=Yes in shorewall.conf + (5)).. + + + + Note that if you choose to reboot your system to unload the + modules, then if you have CT:helper entries in shorewall-conntrack (5) + that refer to the module(s) and you have AUTOMAKE=Yes in shorewall.conf (5), then + Shorewall will fail to start at boot time.
@@ -353,5 +376,58 @@ In these files, Shorewall supports the same module names as iptables; see the table above.
+ +
+ Capabilities + + The output of shorewall show capabilities has + two entries for each of the helpers listed above that can be disabled by + adding ports=0 in + /etc/shorewall/helpers. + + shorewall show capabilities + Amanda Helper: Available + FTP Helper: Not available + FTP-0 Helper: Available + IRC Helper: Not available + IRC-0 Helper: Available + Netbios_ns Helper: Available + H323 Helper: Not available + PPTP Helper: Available + SANE Helper: Not available + SANE-0 Helper: Available + SNMP Helper: Available + TFTP Helper: Not available + TFTP-0 Helper: Available + iptables -S (IPTABLES_S): Available + Basic Filter (BASIC_FILTER): Available + CT Target (CT_TARGET): Available + Kernel Version (KERNELVERSION): 30404 + Capabilities Version (CAPVERSION): 40507 + + + + The above output is produced when this /etc/shorewall/helpers file + is used on a system running kernel 3.4.4: + + loadmodule nf_conntrack_ftp ports=0 +loadmodule nf_conntrack_irc ports=0 +loadmodule nf_conntrack_netbios_ns +loadmodule nf_conntrack_sip ports=0 +loadmodule nf_conntrack_tftp ports=0 +loadmodule nf_conntrack_sane ports=0 + + The reason for the double capabilities is that when ports=0 is specified, the iptables name of the + helper gets '-0' added to it. So in order for the compiler to generate + the correct iptables commands, it needs to know if ports=0 was specified for each of the helprs that + support it. + + Notice that most of the other helpers are available, even though + their modules were not loaded. That's because auto-loading occurs during + capability detection on those modules whose iptables name matches the + module name. +