Handle disabled helpers in pre-3.5 kernels.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-06 15:54:45 -07:00
parent 56caf3687f
commit c007f847a0
5 changed files with 211 additions and 38 deletions


@ -2022,14 +2022,19 @@ determine_capabilities() {
NFACCT_MATCH= NFACCT_MATCH=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
FTP0_HELPER=
IRC_HELPER= IRC_HELPER=
IRC0_HELPER=
NETBIOS_NS_HELPER= NETBIOS_NS_HELPER=
H323_HELPER= H323_HELPER=
PPTP_HELPER= PPTP_HELPER=
SANE_HELPER= SANE_HELPER=
SANE0_HELPER=
SIP_HELPER= SIP_HELPER=
SIP0_HELPER=
SNMP_HELPER= SNMP_HELPER=
TFTP_HELPER= TFTP_HELPER=
TFTP0_HELPER=
chain=fooX$$ chain=fooX$$
@ -2196,14 +2201,19 @@ determine_capabilities() {
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
fi fi
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
@ -2268,6 +2278,7 @@ determine_capabilities() {
if [ -z "$CT_TARGET" ]; then if [ -z "$CT_TARGET" ]; then
AMANDA_HELPER=Yes AMANDA_HELPER=Yes
FTP_HELPER=Yes FTP_HELPER=Yes
FTP_HELPER=Yes
H323_HELPER=Yes H323_HELPER=Yes
IRC_HELPER=Yes IRC_HELPER=Yes
NS_HELPER=Yes NS_HELPER=Yes
@ -2408,14 +2419,19 @@ report_capabilities() {
report_capability "NFAcct match" $NFACCT_MATCH report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Amanda Helper" $AMANDA_HELPER report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER report_capability "FTP Helper" $FTP_HELPER
report_capability "FTP-0 Helper" $FTP0_HELPER
report_capability "IRC Helper" $IRC_HELPER report_capability "IRC Helper" $IRC_HELPER
report_capability "IRC-0 Helper" $IRC0_HELPER
report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
report_capability "H323 Helper" $H323_HELPER report_capability "H323 Helper" $H323_HELPER
report_capability "PPTP Helper" $PPTP_HELPER report_capability "PPTP Helper" $PPTP_HELPER
report_capability "SANE Helper" $SANE_HELPER report_capability "SANE Helper" $SANE_HELPER
report_capability "SANE-0 Helper" $SANE0_HELPER
report_capability "SIP Helper" $SIP_HELPER report_capability "SIP Helper" $SIP_HELPER
report_capability "SIP-0 Helper" $SIP0_HELPER
report_capability "SNMP Helper" $SNMP_HELPER report_capability "SNMP Helper" $SNMP_HELPER
report_capability "TFTP Helper" $TFTP_HELPER report_capability "TFTP Helper" $TFTP_HELPER
report_capability "TFTP-0 Helper" $TFTP0_HELPER
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@ -2514,13 +2530,19 @@ report_capabilities1() {
report_capability1 NFACCT_MATCH report_capability1 NFACCT_MATCH
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER
report_capability1 FTP0_HELPER
report_capability1 IRC_HELPER report_capability1 IRC_HELPER
report_capability1 IRC0_HELPER
report_capability1 NETBIOS_NS_HELPER report_capability1 NETBIOS_NS_HELPER
report_capability1 H323_HELPER report_capability1 H323_HELPER
report_capability1 PPTP_HELPER report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER report_capability1 SANE_HELPER
report_capability1 SANE0_HELPER
report_capability1 SIP_HELPER
report_capability1 SIP0_HELPER
report_capability1 SNMP_HELPER report_capability1 SNMP_HELPER
report_capability1 TFTP_HELPER report_capability1 TFTP_HELPER
report_capability1 TFTP0_HELPER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
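Review bot: The one line added to the `if [ -z "$CT_TARGET" ]` fallback is a second `FTP_HELPER=Yes` directly below the existing one, so it has no effect and looks like a leftover from copying the `FTP0_HELPER` additions in the earlier hunks. I would delete it rather than turn it into `FTP0_HELPER=Yes`: the compiler rewrites `--helper ftp` to `ftp-0` whenever `FTP0_HELPER` is set (see the `get_configuration` hunk in Config.pm), and without the CT target nothing has verified that a `-0` helper name exists, so leaving every `*0_HELPER` variable empty here is the right default. The enclosing `determine_capabilities()` body begins and ends outside this hunk.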


@ -4359,7 +4359,7 @@ sub do_helper( $ ) {
validate_helper( $helper ); validate_helper( $helper );
qq(-m helper --helper "$helper" ) if defined wantarray; qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray;
} }
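Review bot: `do_helper` now emits `$helpers_aliases{$helper}` instead of `$helper`, but the alias table is filled only for the eleven names listed in `initialize()`, so a helper name that passes `validate_helper` yet has no alias entry would produce `--helper ""` and a rule that no longer names any helper. A fallback to the validated name keeps the previous behaviour for that case: `my $name = $helpers_aliases{$helper} || $helper;` followed by `qq(-m helper --helper "$name" ) if defined wantarray;`. The same unguarded lookup is introduced in `process_notrack_rule` in Raw.pm (`$action = "CT --helper $helpers_aliases{$args}"`) and wants the same guard. The body of `do_helper` starts outside this hunk.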


@ -148,6 +148,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%helpers %helpers
%helpers_map %helpers_map
%helpers_enabled %helpers_enabled
%helpers_aliases
@auditoptions @auditoptions
@ -341,15 +342,20 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match', NFACCT_MATCH => 'NFAcct Match',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper',
H323_HELPER => 'H323 Helpers', H323_HELPER => 'H323 Helpers',
IRC_HELPER => 'IRC Helper', IRC_HELPER => 'IRC Helper',
IRC0_HELPER => 'IRC-0 Helper',
NETBIOS_NS_HELPER => NETBIOS_NS_HELPER =>
'Netbios-ns Helper', 'Netbios-ns Helper',
PPTP_HELPER => 'PPTP Helper', PPTP_HELPER => 'PPTP Helper',
SANE_HELPER => 'Amanda Helper', SANE_HELPER => 'SANE Helper',
SANE0_HELPER => 'SANE-0 Helper',
SIP_HELPER => 'SIP Helper', SIP_HELPER => 'SIP Helper',
SIP0_HELPER => 'SIP-0 Helper',
SNMP_HELPER => 'SNMP Helper', SNMP_HELPER => 'SNMP Helper',
TFTP_HELPER => 'TFTP Helper', TFTP_HELPER => 'TFTP Helper',
TFTP0_HELPER => 'TFTP-0 Helper',
# #
# Constants # Constants
# #
@ -382,21 +388,12 @@ our %helpers = ( amanda => UDP,
tftp => UDP, tftp => UDP,
); );
our %helpers_map = ( amanda => 'AMANDA_HELPER', our %helpers_map;
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPER',
RAS => 'H323_HELPER',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
our %helpers_names; our %helpers_names;
our %helpers_aliases;
our %helpers_enabled; our %helpers_enabled;
our %config_files = ( #accounting => 1, our %config_files = ( #accounting => 1,
@ -852,14 +849,19 @@ sub initialize( $;$ ) {
NFACCT_MATCH => undef, NFACCT_MATCH => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
FTP0_HELPER => undef,
H323_HELPER => undef, H323_HELPER => undef,
IRC_HELPER => undef, IRC_HELPER => undef,
IRC0_HELPER => undef,
NETBIOS_NS_HELPER => undef, NETBIOS_NS_HELPER => undef,
PPTP_HELPER => undef, PPTP_HELPER => undef,
SANE_HELPER => undef, SANE_HELPER => undef,
SANE0_HELPER => undef,
SIP_HELPER => undef, SIP_HELPER => undef,
SIP0_HELPER => undef,
SNMP_HELPER => undef, SNMP_HELPER => undef,
TFTP_HELPER => undef, TFTP_HELPER => undef,
TFTP0_HELPER => undef,
CAPVERSION => undef, CAPVERSION => undef,
LOG_OPTIONS => 1, LOG_OPTIONS => 1,
@ -903,16 +905,48 @@ sub initialize( $;$ ) {
%helpers_enabled = ( %helpers_enabled = (
amanda => 1, amanda => 1,
ftp => 1, ftp => 1,
'ftp-0' => 1,
h323 => 1, h323 => 1,
irc => 1, irc => 1,
'irc-0' => 1,
'netbios-ns' => 1, 'netbios-ns' => 1,
pptp => 1, pptp => 1,
sane => 1, sane => 1,
'sane-0' => 1,
sip => 1, sip => 1,
'sip-0' => 1,
snmp => 1, snmp => 1,
tftp => 1, tftp => 1,
'tftp-0' => 1,
); );
%helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPER',
RAS => 'H323_HELPER',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
%helpers_aliases = ( amanda => 'amanda',
ftp => 'ftp',
irc => 'irc',
'netbios-ns' => 'netbios-ns',
pptp => 'pptp',
'Q.931' => 'Q.931',
RAS => 'RAS',
sane => 'sane',
sip => 'sip',
snmp => 'snmp',
tftp => 'tftp',
);
process_shorewallrc( $shorewallrc ) if $shorewallrc; process_shorewallrc( $shorewallrc ) if $shorewallrc;
$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/"; $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
@ -1819,7 +1853,12 @@ sub evaluate_expression( $$$ ) {
my ( $first, $cap, $rest ) = ( $1, $3, $4); my ( $first, $cap, $rest ) = ( $1, $3, $4);
if ( exists $capdesc{$cap} ) { if ( exists $capdesc{$cap} ) {
$val = have_capability( $cap ) $val = have_capability( $cap );
if ( defined $val ) {
$val = "'$val'" unless $val =~ /^-?\d+$/;
} else {
$val = 0;
}
} elsif ( $cap =~ /^IPV([46])$/ ) { } elsif ( $cap =~ /^IPV([46])$/ ) {
$val = ( $family == $1 ); $val = ( $family == $1 );
} else { } else {
@ -3233,12 +3272,12 @@ sub Helper_Match() {
qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" ); qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
} }
sub have_helper( $ ) { sub have_helper( $$$ ) {
my $helper = $_[0]; my ( $helper, $proto, $port ) = @_;
if ( $helpers_enabled{$helper} ) { if ( $helpers_enabled{$helper} ) {
if ( have_capability 'CT_TARGET' ) { if ( have_capability 'CT_TARGET' ) {
qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper $helper" ); qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
} else { } else {
have_capability 'HELPER_MATCH'; have_capability 'HELPER_MATCH';
} }
@ -3246,43 +3285,63 @@ sub have_helper( $ ) {
} }
sub Amanda_Helper() { sub Amanda_Helper() {
have_helper 'amanda'; have_helper( 'amanda', 'udp', 10080 );
} }
sub FTP_Helper() { sub FTP_Helper() {
have_helper 'ftp'; have_helper( 'ftp', 'tcp', 21 );
}
sub FTP0_Helper() {
have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
} }
sub H323_Helpers() { sub H323_Helpers() {
have_helper 'RAS'; have_helper( 'RAS', 'udp', 1719 );
} }
sub IRC_Helper() { sub IRC_Helper() {
have_helper 'irc'; have_helper( 'irc', 'tcp', 6667 );
}
sub IRC0_Helper() {
have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
} }
sub Netbios_ns_Helper() { sub Netbios_ns_Helper() {
have_helper 'netbios-ns'; have_helper( 'netbios-ns', 'udp', 137 );
} }
sub PPTP_Helper() { sub PPTP_Helper() {
have_helper 'pptp'; have_helper( 'pptp', 'tcp', 1729 );
} }
sub SANE_Helper() { sub SANE_Helper() {
have_helper 'sane'; have_helper( 'sane', 'tcp', 6566 );
}
sub SANE0_Helper() {
have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
} }
sub SIP_Helper() { sub SIP_Helper() {
have_helper 'sip'; have_helper( 'sip', 'udp', 5060 );
}
sub SIP0_Helper() {
have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
} }
sub SNMP_Helper() { sub SNMP_Helper() {
have_helper 'snmp'; have_helper( 'snmp', 'udp', 161 );
} }
sub TFTP_Helper() { sub TFTP_Helper() {
have_helper 'tftp'; have_helper( 'tftp', 'udp', 69 );
}
sub TFTP0_Helper() {
have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
} }
sub Connlimit_Match() { sub Connlimit_Match() {
@ -3421,6 +3480,7 @@ our %detect_capability =
EXMARK => \&Exmark, EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter, FLOW_FILTER => \&Flow_Filter,
FTP_HELPER => \&FTP_Helper, FTP_HELPER => \&FTP_Helper,
FTP0_HELPER => \&FTP0_Helper,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask, FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match, GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
@ -3434,6 +3494,7 @@ our %detect_capability =
IPRANGE_MATCH => \&IPRange_Match, IPRANGE_MATCH => \&IPRange_Match,
IPSET_MATCH => \&IPSet_Match, IPSET_MATCH => \&IPSet_Match,
IRC_HELPER => \&IRC_Helper, IRC_HELPER => \&IRC_Helper,
IRC0_HELPER => \&IRC0_Helper,
OLD_IPSET_MATCH => \&Old_IPSet_Match, OLD_IPSET_MATCH => \&Old_IPSet_Match,
IPSET_V5 => \&IPSET_V5, IPSET_V5 => \&IPSET_V5,
IPTABLES_S => \&Iptables_S, IPTABLES_S => \&Iptables_S,
@ -3469,11 +3530,14 @@ our %detect_capability =
RECENT_MATCH => \&Recent_Match, RECENT_MATCH => \&Recent_Match,
RPFILTER_MATCH => \&RPFilter_Match, RPFILTER_MATCH => \&RPFilter_Match,
SANE_HELPER => \&SANE_Helper, SANE_HELPER => \&SANE_Helper,
SANE0_HELPER => \&SANE0_Helper,
SIP_HELPER => \&SIP_Helper, SIP_HELPER => \&SIP_Helper,
SIP0_HELPER => \&SIP0_Helper,
SNMP_HELPER => \&SNMP_Helper, SNMP_HELPER => \&SNMP_Helper,
STATISTIC_MATCH => \&Statistic_Match, STATISTIC_MATCH => \&Statistic_Match,
TCPMSS_MATCH => \&Tcpmss_Match, TCPMSS_MATCH => \&Tcpmss_Match,
TFTP_HELPER => \&TFTP_Helper, TFTP_HELPER => \&TFTP_Helper,
TFTP0_HELPER => \&TFTP0_Helper,
TIME_MATCH => \&Time_Match, TIME_MATCH => \&Time_Match,
TPROXY_TARGET => \&Tproxy_Target, TPROXY_TARGET => \&Tproxy_Target,
USEPKTTYPE => \&Usepkttype, USEPKTTYPE => \&Usepkttype,
@ -3529,6 +3593,17 @@ sub determine_capabilities() {
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE'; $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
if ( have_capability 'CT_TARGET' ) {
$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
'FTP0_HELPER',
'IRC0_HELPER',
'SANE0_HELPER',
'SIP0_HELPER',
'TFTP0_HELPER' );
} else {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
}
unless ( $config{ LOAD_HELPERS_ONLY } ) { unless ( $config{ LOAD_HELPERS_ONLY } ) {
# #
# Using 'detect_capability()' is a bit less efficient than calling the individual detection # Using 'detect_capability()' is a bit less efficient than calling the individual detection
@ -3611,13 +3686,6 @@ sub determine_capabilities() {
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
$capabilities{HELPER_MATCH} = detect_capability( 'HELPER_MATCH' );
if ( $capabilities{CT_TARGET} ) {
for ( values %helpers_map ) {
$capabilities{$_} = detect_capability $_;
}
}
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );
@ -3953,6 +4021,7 @@ sub read_capabilities() {
} }
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE}; $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
} }
# #
@ -4241,6 +4310,14 @@ sub get_configuration( $$$ ) {
get_capabilities( $export ); get_capabilities( $export );
report_capabilities unless $config{LOAD_HELPERS_ONLY};
$helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER};
$helpers_aliases{irc} = 'irc-0', $capabilities{IRC_HELPER} = 1 if $capabilities{IRC0_HELPER};
$helpers_aliases{sane} = 'sane-0', $capabilities{SANE_HELPER} = 1 if $capabilities{SANE0_HELPER};
$helpers_aliases{sip} = 'sip-0', $capabilities{SIP_HELPER} = 1 if $capabilities{SIP0_HELPER};
$helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER};
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
# #
@ -4716,8 +4793,6 @@ sub get_configuration( $$$ ) {
$config{LOCKFILE} = ''; $config{LOCKFILE} = '';
} }
report_capabilities unless $config{LOAD_HELPERS_ONLY};
require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' ); require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0; require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0;
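Review bot: The alias table is now written from two places: the new `FTP0_Helper`/`IRC0_Helper`/`SANE0_Helper`/`SIP0_Helper`/`TFTP0_Helper` detection subs assign `$helpers_aliases{...}` as a side effect of `have_helper(...) and ...`, and `get_configuration` assigns the same entries again from `$capabilities{*0_HELPER}` right after `get_capabilities`. Because the second path also covers capabilities read from a file, the side effects in the detection subs are redundant and turn probes into state changes; I would reduce each of them to the bare call, e.g. `have_helper( 'ftp-0', 'tcp', 21 );`. Separately, `HELPER_MATCH` is now detected only in the `else` branch of the new `if ( have_capability 'CT_TARGET' )` block in `determine_capabilities`, whereas the removed code detected it unconditionally; unless `have_capability` detects lazily, systems with the CT target will report `HELPER_MATCH` as unavailable even though `do_helper` still emits `-m helper`. Both `determine_capabilities` and `get_configuration` extend beyond their hunks.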


@ -84,7 +84,7 @@ sub process_notrack_rule( $$$$$$$ ) {
fatal_error "Invalid helper' ($args)" if $args =~ /,/; fatal_error "Invalid helper' ($args)" if $args =~ /,/;
validate_helper( $args, $proto ); validate_helper( $args, $proto );
$action = "CT --helper $args"; $action = "CT --helper $helpers_aliases{$args}";
$exception_rule = do_proto( $proto, '-', '-' ); $exception_rule = do_proto( $proto, '-', '-' );
for my $mod ( split_list1( $modifiers, 'ctevents' ) ) { for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {


@ -336,6 +336,29 @@
<para>tftp</para> <para>tftp</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>After disabling one or more helpers using this method, you
must:</para>
<itemizedlist>
<listitem>
<para>Unload the related module(s).</para>
</listitem>
<listitem>
<para>Restart Shorewall (use the -c option (e.g., <command>shorewall
restart -c</command>) if you have AUTOMAKE=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5))..</para>
</listitem>
</itemizedlist>
<para>Note that if you choose to reboot your system to unload the
modules, then if you have CT:helper entries in <ulink
url="manpages/shorewall-conntrack.html">shorewall-conntrack</ulink> (5)
that refer to the module(s) and you have AUTOMAKE=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), then
Shorewall will fail to start at boot time.</para>
</section> </section>
<section> <section>
@ -353,5 +376,58 @@
<para>In these files, Shorewall supports the same module names as <para>In these files, Shorewall supports the same module names as
iptables; see the table above.</para> iptables; see the table above.</para>
</section> </section>
<section>
<title>Capabilities</title>
<para>The output of <command>shorewall show capabilities</command> has
two entries for each of the helpers listed above that can be disabled by
adding<emphasis role="bold"> ports=0</emphasis> in
/etc/shorewall/helpers.</para>
<programlisting>shorewall show capabilities
Amanda Helper: Available
<emphasis role="bold">FTP Helper: Not available
FTP-0 Helper: Available</emphasis>
<emphasis role="bold"> IRC Helper: Not available
IRC-0 Helper: Available
</emphasis> Netbios_ns Helper: Available
H323 Helper: Not available
PPTP Helper: Available
<emphasis role="bold"> SANE Helper: Not available
SANE-0 Helper: Available
</emphasis> SNMP Helper: Available
<emphasis role="bold"> TFTP Helper: Not available
TFTP-0 Helper: Available
</emphasis> iptables -S (IPTABLES_S): Available
Basic Filter (BASIC_FILTER): Available
CT Target (CT_TARGET): Available
Kernel Version (KERNELVERSION): 30404
Capabilities Version (CAPVERSION): 40507
</programlisting>
<para>The above output is produced when this /etc/shorewall/helpers file
is used on a system running kernel 3.4.4:</para>
<programlisting>loadmodule nf_conntrack_ftp ports=0
loadmodule nf_conntrack_irc ports=0
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_sip ports=0
loadmodule nf_conntrack_tftp ports=0
loadmodule nf_conntrack_sane ports=0</programlisting>
<para>The reason for the double capabilities is that when <emphasis
role="bold">ports=0</emphasis> is specified, the iptables name of the
helper gets '-0' added to it. So in order for the compiler to generate
the correct iptables commands, it needs to know if <emphasis
role="bold">ports=0</emphasis> was specified for each of the helprs that
support it.</para>
<para>Notice that most of the other helpers are available, even though
their modules were not loaded. That's because auto-loading occurs during
capability detection on those modules whose iptables name matches the
module name.</para>
</section>
</section> </section>
</article> </article>