|
 |
c8bceb |
From 3bf7abe7cfdc738959c092bd30ef9ee42789fc8d Mon Sep 17 00:00:00 2001
|
|
|
c8bceb |
From: Eric Garver <eric@garver.life>
|
|
|
c8bceb |
Date: Tue, 17 Sep 2019 14:54:13 -0400
|
|
|
c8bceb |
Subject: [PATCH 102/109] fix: allow custom helpers using standard helper
|
|
|
c8bceb |
modules
|
|
|
c8bceb |
|
|
|
c8bceb |
e.g. a helper called "ftp-foobar" using module "nf_conntrack_ftp"
|
|
|
c8bceb |
|
|
|
c8bceb |
(cherry picked from commit 8c65bda2a750c1b1a15851a6030dfef8cdb74d15)
|
|
|
c8bceb |
(cherry picked from commit 80260288c58b0555360822d1eb81b2a4d36a5ed1)
|
|
|
c8bceb |
---
|
|
|
c8bceb |
src/firewall/core/fw_zone.py | 10 ++++++----
|
|
|
c8bceb |
src/firewall/core/ipXtables.py | 4 ++--
|
|
|
c8bceb |
src/firewall/core/nftables.py | 4 ++--
|
|
|
c8bceb |
3 files changed, 10 insertions(+), 8 deletions(-)
|
|
|
c8bceb |
|
|
|
c8bceb |
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
|
|
c8bceb |
index 6b766d0dc3ba..c096e3efe028 100644
|
|
|
c8bceb |
--- a/src/firewall/core/fw_zone.py
|
|
|
c8bceb |
+++ b/src/firewall/core/fw_zone.py
|
|
|
c8bceb |
@@ -1609,8 +1609,9 @@ class FirewallZone(object):
|
|
|
c8bceb |
modules = [ ]
|
|
|
c8bceb |
for helper in helpers:
|
|
|
c8bceb |
module = helper.module
|
|
|
c8bceb |
+ _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")
|
|
|
c8bceb |
if self._fw.nf_conntrack_helper_setting == 0:
|
|
|
c8bceb |
- if helper.name not in \
|
|
|
c8bceb |
+ if _module_short_name not in \
|
|
|
c8bceb |
self._fw.nf_conntrack_helpers[module]:
|
|
|
c8bceb |
raise FirewallError(
|
|
|
c8bceb |
errors.INVALID_HELPER,
|
|
|
c8bceb |
@@ -1627,7 +1628,7 @@ class FirewallZone(object):
|
|
|
c8bceb |
for (port,proto) in helper.ports:
|
|
|
c8bceb |
rules = backend.build_zone_helper_ports_rules(
|
|
|
c8bceb |
enable, zone, proto, port,
|
|
|
c8bceb |
- destination, helper.name)
|
|
|
c8bceb |
+ destination, helper.name, _module_short_name)
|
|
|
c8bceb |
zone_transaction.add_rules(backend, rules)
|
|
|
c8bceb |
else:
|
|
|
c8bceb |
if helper.module not in modules:
|
|
|
c8bceb |
@@ -1819,7 +1820,8 @@ class FirewallZone(object):
|
|
|
c8bceb |
if self._fw.nf_conntrack_helper_setting == 0:
|
|
|
c8bceb |
for helper in helpers:
|
|
|
c8bceb |
module = helper.module
|
|
|
c8bceb |
- if helper.name not in \
|
|
|
c8bceb |
+ _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")
|
|
|
c8bceb |
+ if _module_short_name not in \
|
|
|
c8bceb |
self._fw.nf_conntrack_helpers[module]:
|
|
|
c8bceb |
raise FirewallError(
|
|
|
c8bceb |
errors.INVALID_HELPER,
|
|
|
c8bceb |
@@ -1836,7 +1838,7 @@ class FirewallZone(object):
|
|
|
c8bceb |
for (port,proto) in helper.ports:
|
|
|
c8bceb |
rules = backend.build_zone_helper_ports_rules(
|
|
|
c8bceb |
enable, zone, proto, port,
|
|
|
c8bceb |
- destination, helper.name)
|
|
|
c8bceb |
+ destination, helper.name, _module_short_name)
|
|
|
c8bceb |
zone_transaction.add_rules(backend, rules)
|
|
|
c8bceb |
|
|
|
c8bceb |
for (port,proto) in svc.ports:
|
|
|
c8bceb |
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
|
|
c8bceb |
index 647a7a161517..b0a4c5e1c161 100644
|
|
|
c8bceb |
--- a/src/firewall/core/ipXtables.py
|
|
|
c8bceb |
+++ b/src/firewall/core/ipXtables.py
|
|
|
c8bceb |
@@ -983,7 +983,7 @@ class ip4tables(object):
|
|
|
c8bceb |
return rules
|
|
|
c8bceb |
|
|
|
c8bceb |
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
|
|
|
c8bceb |
- destination, helper_name):
|
|
|
c8bceb |
+ destination, helper_name, module_short_name):
|
|
|
c8bceb |
add_del = { True: "-A", False: "-D" }[enable]
|
|
|
c8bceb |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
|
c8bceb |
zone=zone)
|
|
|
c8bceb |
@@ -992,7 +992,7 @@ class ip4tables(object):
|
|
|
c8bceb |
rule += [ "--dport", "%s" % portStr(port) ]
|
|
|
c8bceb |
if destination:
|
|
|
c8bceb |
rule += [ "-d", destination ]
|
|
|
c8bceb |
- rule += [ "-j", "CT", "--helper", helper_name ]
|
|
|
c8bceb |
+ rule += [ "-j", "CT", "--helper", module_short_name ]
|
|
|
c8bceb |
|
|
|
c8bceb |
return [rule]
|
|
|
c8bceb |
|
|
|
c8bceb |
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
c8bceb |
index 9d88e72f42bf..0317d820389f 100644
|
|
|
c8bceb |
--- a/src/firewall/core/nftables.py
|
|
|
c8bceb |
+++ b/src/firewall/core/nftables.py
|
|
|
c8bceb |
@@ -927,7 +927,7 @@ class nftables(object):
|
|
|
c8bceb |
return rules
|
|
|
c8bceb |
|
|
|
c8bceb |
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
|
|
|
c8bceb |
- destination, helper_name):
|
|
|
c8bceb |
+ destination, helper_name, module_short_name):
|
|
|
c8bceb |
add_del = { True: "add", False: "delete" }[enable]
|
|
|
c8bceb |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
|
|
|
c8bceb |
zone=zone)
|
|
|
c8bceb |
@@ -944,7 +944,7 @@ class nftables(object):
|
|
|
c8bceb |
|
|
|
c8bceb |
helper_object = ["ct", "helper", "inet", TABLE_NAME,
|
|
|
c8bceb |
"helper-%s-%s" % (helper_name, proto),
|
|
|
c8bceb |
- "{", "type", "\"%s\"" % (helper_name), "protocol",
|
|
|
c8bceb |
+ "{", "type", "\"%s\"" % (module_short_name), "protocol",
|
|
|
c8bceb |
proto, ";", "}"]
|
|
|
c8bceb |
|
|
|
c8bceb |
return [helper_object, rule]
|
|
|
c8bceb |
--
|
|
|
c8bceb |
2.20.1
|
|
|
c8bceb |
|