Arrange for HELPER to match in the RELATED section.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-08-13 15:44:19 -07:00 · 2012-08-13 15:44:19 -07:00 · fdc45a990d
commit fdc45a990d
parent 44a550870c
4 changed files with 87 additions and 15 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1823,7 +1823,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		  if ( $blacklist ) {
 		      $action = 'RETURN';
 		  } elsif ( $helper ne '-' ) {
-		      $actiontype |= HELPER;
+		      $actiontype |= HELPER if $section eq 'NEW';
 		  }
 	      } ,
 	      
@ -2029,6 +2029,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_headers( $headers ) ,
 		      do_condition( $condition ) ,
 		    );
+    } elsif ( $section eq 'RELATED' ) {
+	$rule = join( '',
+		      do_proto($proto, $ports, $sports),
+		      do_ratelimit( $ratelimit, $basictarget ) ,
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) ,
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
+		      do_helper( $helper ) ,
+		    );
    } else {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -1369,11 +1369,18 @@
        <term><emphasis role="bold">HELPER</emphasis> - [helper]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.7. Causes the named conntrack
+          <para>Added in Shorewall 4.5.7.</para>
+
+          <para>In the NEW section, causes the named conntrack
          <replaceable>helper</replaceable> to be associated with this
-          connection. The contents of this column are ignored unless ACTION is
-          ACCEPT*, DNAT* or REDIRECT*. The <replaceable>helper</replaceable>
-          may be one of:</para>
+          connection; the contents of this column are ignored unless ACTION is
+          ACCEPT*, DNAT* or REDIRECT*.</para>
+
+          <para>In the RELATED section, will only match if the related
+          connection has the named <replaceable>helper</replaceable>
+          associated with it.</para>
+
+          <para>The <replaceable>helper</replaceable> may be one of:</para>

          <simplelist>
            <member><option>amanda</option></member>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -1207,11 +1207,18 @@
        <term><emphasis role="bold">HELPER</emphasis> - [helper]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.7. Causes the named conntrack
+          <para>Added in Shorewall 4.5.7.</para>
+
+          <para>In the NEW section, causes the named conntrack
          <replaceable>helper</replaceable> to be associated with this
-          connection. The contents of this column are ignored unless ACTION is
-          ACCEPT*, DNAT* or REDIRECT*. The <replaceable>helper</replaceable>
-          may be one of:</para>
+          connection; the contents of this column are ignored unless ACTION is
+          ACCEPT*, DNAT* or REDIRECT*.</para>
+
+          <para>In the RELATED section, will only match if the related
+          connection has the named <replaceable>helper</replaceable>
+          associated with it.</para>
+
+          <para>The <replaceable>helper</replaceable> may be one of:</para>

          <simplelist>
            <member><option>amanda</option></member>
@ -1238,8 +1245,8 @@
          </simplelist>

          <para>If the HELPERS option is specified in <ulink
-          url="shorewall.conf.html">shorewall6.conf</ulink>(5), then any
-          module specified in this column most be listed in the HELPERS
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
+          specified in this column most be listed in the HELPERS
          setting.</para>
        </listitem>
      </varlistentry>
--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@ -388,10 +388,18 @@
      iptables; see the table above.</para>

      <para>Beginning with Shorewall 4.5.7, there is a HELPER column in <ulink
-      url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5). This
-      column allows the explicit association of a helper with connections
-      allowed by a given rules. The column may contain any of the helper names
-      recognized by iptables (see the table above).</para>
+      url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5). In the
+      NEW section, this column allows the explicit association of a helper
+      with connections allowed by a given rules. The column may contain any of
+      the helper names recognized by iptables (see the table above). In the
+      RELATED section, the rule will only match the packet if the related
+      connection has the named helper attached.</para>
+
+      <para>Also added in Shorewall 4.5.7 is the HELPER action in <ulink
+      url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5). HELPER
+      rules associate the helper listed in the HELPER column with connections
+      that match the rule. A destination zone should not be specified in
+      HELPER rules.</para>
    </section>

    <section>
@ -447,4 +455,42 @@ loadmodule nf_conntrack_sane        ports=0</programlisting>
      module name.</para>
    </section>
  </section>
+
+  <section>
+    <title>Kernel &gt;= 3.5 and Shorewall &gt;= 4.5.7</title>
+
+    <para>While the AUTOHELPER option described above provides for seamless
+    migration to kernel 3.5 and beyond, we recommend setting AUTOHELPER=No at
+    the first opportunity after migrating. Additionally, you should:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Use the HELPER action and the HELPER column in <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) to
+        attach helpers to only those connections that you need to
+        support.</para>
+      </listitem>
+
+      <listitem>
+        <para>If you run one or more servers (such as an FTP server) that
+        interact with helpers, you should consider adding rules to the RELATED
+        section of <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) to
+        limit the scope of the helper. Suppose that your Linux FTP server is
+        in zone dmz and has address 70.90.191.123.</para>
+
+        <programlisting>#ACTION               SOURCE                         DEST                      PROTO            DEST           SOURCE
+#                                                                                               PORT(S)        PORT(2)
+SECTION RELATED
+ACCEPT                all                            dmz:70.90.191.123                          32768:               ; helper=ftp   # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
+ACCEPT                dmz:70.90.191.123              all                       tcp              1024:          20    ; helper=ftp   # active  FTP to dmz server
+ACCEPT                loc,dmz,$FW                    net                       tcp              -              1024: ; helper=ftp   # passive FTP to net
+ACCEPT                net                            all                       tcp              1024:          20    ; helper=ftp   # active  FTP from net
+DROP:info             all                            all                                                             ; helper=ftp   # 
+SECTION NEW
+HELPER                all                            net                       tcp              21                   ; helper=ftp
+ACCEPT                all                            dmz:70.90.191.123         tcp              21                   ; helper=ftp</programlisting>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>