From b40b19e1de852aee5b1a53a26c8fb0e3e00b6a71 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Fri, 20 Sep 2019 09:48:07 -0400

Subject: [PATCH 105/109] fix: service: usage of helpers with '-' in name

Fixes: 8c65bda2a750 ("fix: allow custom helpers using standard helper modules")

(cherry picked from commit 28f3e6a83167ca2798157fd6e2c752b296c72830)

(cherry picked from commit 98e77f8fb8fd6e72e71eb1267ea5ccbc0563cb83)

---

 src/firewall/core/fw_zone.py | 6 +++---

 src/firewall/functions.py    | 6 ++++--

 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py

index c096e3efe028..e7be779ebc8c 100644

--- a/src/firewall/core/fw_zone.py

+++ b/src/firewall/core/fw_zone.py

@@ -25,7 +25,7 @@ from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET, \

 from firewall.core.logger import log

 from firewall.functions import portStr, checkIPnMask, checkIP6nMask, \

     checkProtocol, enable_ip_forwarding, check_single_address, check_mac, \

-    portInPortRange

+    portInPortRange, get_nf_conntrack_short_name

 from firewall.core.rich import Rich_Rule, Rich_Accept, \

     Rich_Mark, Rich_Service, Rich_Port, Rich_Protocol, \

     Rich_Masquerade, Rich_ForwardPort, Rich_SourcePort, Rich_IcmpBlock, \

@@ -1609,7 +1609,7 @@ class FirewallZone(object):

                         modules = [ ]

                         for helper in helpers:

                             module = helper.module

-                            _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")

+                            _module_short_name = get_nf_conntrack_short_name(module)

                             if self._fw.nf_conntrack_helper_setting == 0:

                                 if _module_short_name not in \

                                    self._fw.nf_conntrack_helpers[module]:

@@ -1820,7 +1820,7 @@ class FirewallZone(object):

             if self._fw.nf_conntrack_helper_setting == 0:

                 for helper in helpers:

                     module = helper.module

-                    _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")

+                    _module_short_name = get_nf_conntrack_short_name(module)

                     if _module_short_name not in \

                        self._fw.nf_conntrack_helpers[module]:

                         raise FirewallError(

diff --git a/src/firewall/functions.py b/src/firewall/functions.py

index 5f54a59204b8..ad2166905d1d 100644

--- a/src/firewall/functions.py

+++ b/src/firewall/functions.py

@@ -345,6 +345,9 @@ def enable_ip_forwarding(ipv):

         return writefile("/proc/sys/net/ipv6/conf/all/forwarding", "1\n")

     return False

+def get_nf_conntrack_short_name(module):

+    return module.replace("_","-").replace("nf-conntrack-", "")

+

 def get_nf_conntrack_helpers():

     kver = os.uname()[2]

     path = "/lib/modules/%s/kernel/net/netfilter/" % kver

@@ -361,8 +364,7 @@ def get_nf_conntrack_helpers():

             # the we add it to helpers list and goto next module

             if filename.startswith("nf_conntrack_proto_"):

                 helper = filename.split(".")[0].strip()

-                helper = helper.replace("_", "-")

-                helper = helper.replace("nf-conntrack-", "")

+                helper = get_nf_conntrack_short_name(helper)

                 helpers.setdefault(module, [ ]).append(helper)

                 continue

             # Else we get module alias and if "-helper" in the "alias:" line of modinfo

-- 

2.20.1