From 3bf7abe7cfdc738959c092bd30ef9ee42789fc8d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 17 Sep 2019 14:54:13 -0400
Subject: [PATCH 102/109] fix: allow custom helpers using standard helper
modules
e.g. a helper called "ftp-foobar" using module "nf_conntrack_ftp"
(cherry picked from commit 8c65bda2a750c1b1a15851a6030dfef8cdb74d15)
(cherry picked from commit 80260288c58b0555360822d1eb81b2a4d36a5ed1)
---
src/firewall/core/fw_zone.py | 10 ++++++----
src/firewall/core/ipXtables.py | 4 ++--
src/firewall/core/nftables.py | 4 ++--
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 6b766d0dc3ba..c096e3efe028 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1609,8 +1609,9 @@ class FirewallZone(object):
modules = [ ]
for helper in helpers:
module = helper.module
+ _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")
if self._fw.nf_conntrack_helper_setting == 0:
- if helper.name not in \
+ if _module_short_name not in \
self._fw.nf_conntrack_helpers[module]:
raise FirewallError(
errors.INVALID_HELPER,
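Review bot: The short-name derivation on the added line `_module_short_name = module.replace("-","_").replace("nf_conntrack_", "")` is repeated verbatim in the hunk at `@@ -1819`, and both backends rely on exactly this mapping for the value they hand to the kernel, so the copies can drift apart silently. A single module-level helper, e.g. `def _helper_module_short_name(module): return module.replace("-", "_").replace("nf_conntrack_", "")`, called from both sites would keep the lookup key and the backend argument consistent. Note also that `str.replace` strips every occurrence of `nf_conntrack_`, not only a leading prefix, so a module name with that substring later in the name would be mangled; a prefix-only strip (`module[len("nf_conntrack_"):] if module.startswith("nf_conntrack_") else module`) may be what is intended — confirm against the module names the helper config parser accepts. The enclosing method starts before this hunk.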
@@ -1627,7 +1628,7 @@ class FirewallZone(object):
for (port,proto) in helper.ports:
rules = backend.build_zone_helper_ports_rules(
enable, zone, proto, port,
- destination, helper.name)
+ destination, helper.name, _module_short_name)
zone_transaction.add_rules(backend, rules)
else:
if helper.module not in modules:
@@ -1819,7 +1820,8 @@ class FirewallZone(object):
if self._fw.nf_conntrack_helper_setting == 0:
for helper in helpers:
module = helper.module
- if helper.name not in \
+ _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")
+ if _module_short_name not in \
self._fw.nf_conntrack_helpers[module]:
raise FirewallError(
errors.INVALID_HELPER,
@@ -1836,7 +1838,7 @@ class FirewallZone(object):
for (port,proto) in helper.ports:
rules = backend.build_zone_helper_ports_rules(
enable, zone, proto, port,
- destination, helper.name)
+ destination, helper.name, _module_short_name)
zone_transaction.add_rules(backend, rules)
for (port,proto) in svc.ports:
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 647a7a161517..b0a4c5e1c161 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -983,7 +983,7 @@ class ip4tables(object):
return rules
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
- destination, helper_name):
+ destination, helper_name, module_short_name):
add_del = { True: "-A", False: "-D" }[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
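Review bot: The new positional parameter `module_short_name` on `build_zone_helper_ports_rules` has no default, so any caller outside fw_zone.py (another backend or a test) that still passes the old six arguments will fail with a TypeError; the nftables signature in the hunk at `@@ -927` has the same issue. If compatibility matters, `destination, helper_name, module_short_name=None):` with a first line `module_short_name = module_short_name or helper_name` keeps old callers working while new callers get the fixed behaviour. Either way the distinction deserves a docstring, since the two names now mean different things: something like a one-line summary followed by "`helper_name` names the configured helper object; `module_short_name` is the conntrack helper the kernel registers (the value passed to `--helper`)". The method body continues past the hunk.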
@@ -992,7 +992,7 @@ class ip4tables(object):
rule += [ "--dport", "%s" % portStr(port) ]
if destination:
rule += [ "-d", destination ]
- rule += [ "-j", "CT", "--helper", helper_name ]
+ rule += [ "-j", "CT", "--helper", module_short_name ]
return [rule]
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 9d88e72f42bf..0317d820389f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -927,7 +927,7 @@ class nftables(object):
return rules
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
- destination, helper_name):
+ destination, helper_name, module_short_name):
add_del = { True: "add", False: "delete" }[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
zone=zone)
@@ -944,7 +944,7 @@ class nftables(object):
helper_object = ["ct", "helper", "inet", TABLE_NAME,
"helper-%s-%s" % (helper_name, proto),
- "{", "type", "\"%s\"" % (helper_name), "protocol",
+ "{", "type", "\"%s\"" % (module_short_name), "protocol",
proto, ";", "}"]
return [helper_object, rule]
--
2.20.1