From 3bf7abe7cfdc738959c092bd30ef9ee42789fc8d Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 17 Sep 2019 14:54:13 -0400
Subject: [PATCH 102/109] fix: allow custom helpers using standard helper modules
e.g. a helper called "ftp-foobar" using module "nf_conntrack_ftp"
(cherry picked from commit 8c65bda2a750c1b1a15851a6030dfef8cdb74d15)
(cherry picked from commit 80260288c58b0555360822d1eb81b2a4d36a5ed1)
---
 src/firewall/core/fw_zone.py | 10 ++++++----
 src/firewall/core/ipXtables.py | 4 ++--
 src/firewall/core/nftables.py | 4 ++--
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 6b766d0dc3ba..c096e3efe028 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1609,8 +1609,9 @@ class FirewallZone(object):
 modules = [ ]
 for helper in helpers:
 module = helper.module
+ _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")
 if self._fw.nf_conntrack_helper_setting == 0:
- if helper.name not in \
+ if _module_short_name not in \
 self._fw.nf_conntrack_helpers[module]:
 raise FirewallError(
 errors.INVALID_HELPER,
@@ -1627,7 +1628,7 @@ class FirewallZone(object):
 for (port,proto) in helper.ports:
 rules = backend.build_zone_helper_ports_rules(
 enable, zone, proto, port,
- destination, helper.name)
+ destination, helper.name, _module_short_name)
 zone_transaction.add_rules(backend, rules)
 else:
 if helper.module not in modules:
@@ -1819,7 +1820,8 @@ class FirewallZone(object):
 if self._fw.nf_conntrack_helper_setting == 0:
 for helper in helpers:
 module = helper.module
- if helper.name not in \
+ _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")
+ if _module_short_name not in \
 self._fw.nf_conntrack_helpers[module]:
 raise FirewallError(
 errors.INVALID_HELPER,
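Review bot: `module.replace("nf_conntrack_", "")` in the added line at new line 1612 removes every occurrence of that substring rather than stripping the leading module prefix, and the identical expression is repeated in the hunk at line 1820, so the kernel helper name both backends receive is derived in two places by the same loose rule. Computing it once as a prefix strip, `name = module.replace("-", "_")` followed by `_module_short_name = name[len("nf_conntrack_"):] if name.startswith("nf_conntrack_") else name`, and using that from both loops keeps the two validation paths in agreement; for the module name visible in the commit message (`nf_conntrack_ftp`) the result is the same either way. The enclosing method starts and ends outside the hunk.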
@@ -1836,7 +1838,7 @@ class FirewallZone(object):
 for (port,proto) in helper.ports:
 rules = backend.build_zone_helper_ports_rules(
 enable, zone, proto, port,
- destination, helper.name)
+ destination, helper.name, _module_short_name)
 zone_transaction.add_rules(backend, rules)
 for (port,proto) in svc.ports:
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 647a7a161517..b0a4c5e1c161 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -983,7 +983,7 @@ class ip4tables(object):
 return rules
 def build_zone_helper_ports_rules(self, enable, zone, proto, port,
- destination, helper_name):
+ destination, helper_name, module_short_name):
 add_del = { True: "-A", False: "-D" }[enable]
 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone)
@@ -992,7 +992,7 @@ class ip4tables(object):
 rule += [ "--dport", "%s" % portStr(port) ]
 if destination:
 rule += [ "-d", destination ]
- rule += [ "-j", "CT", "--helper", helper_name ]
+ rule += [ "-j", "CT", "--helper", module_short_name ]
 return [rule]
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 9d88e72f42bf..0317d820389f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -927,7 +927,7 @@ class nftables(object):
 return rules
 def build_zone_helper_ports_rules(self, enable, zone, proto, port,
- destination, helper_name):
+ destination, helper_name, module_short_name):
 add_del = { True: "add", False: "delete" }[enable]
 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)
@@ -944,7 +944,7 @@ class nftables(object):
 helper_object = ["ct", "helper", "inet", TABLE_NAME, "helper-%s-%s" % (helper_name, proto),
- "{", "type", "\"%s\"" % (helper_name), "protocol",
+ "{", "type", "\"%s\"" % (module_short_name), "protocol",
 proto, ";", "}"]
 return [helper_object, rule]
--
2.20.1
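Review bot: `_module_short_name` is read in the `+` line of this hunk, but in the hunk at line 1820 it is assigned inside the `for helper in helpers` loop that sits under `if self._fw.nf_conntrack_helper_setting == 0`; if this `for (port,proto) in helper.ports` loop can also be reached when that setting is non-zero (the lines between the two hunks are not visible), the name is unbound on that path. In the earlier method the assignment sits directly after `module = helper.module` and before the setting check (new line 1612), which avoids the question; the same placement would be safer here. The enclosing method starts and ends outside the hunk.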
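Review bot: The new `module_short_name` parameter of `ip4tables.build_zone_helper_ports_rules` is undocumented, and after the change at line 995 `helper_name` appears to be unused in this backend (the lines between the two hunks are not visible), which makes the two name-like parameters easy to confuse at call sites. A short docstring after the signature would fix that: `helper_name` is the firewalld helper's own name and `module_short_name` is the kernel conntrack helper name (the module name without its `nf_conntrack_` prefix) that is handed to `--helper`. The same applies to `nftables.build_zone_helper_ports_rules` at line 929, where `helper_name` still names the `ct helper` object and `module_short_name` becomes its `type`. Both methods continue beyond their hunks.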