On Sat, 2011-12-24 at 08:47 -0800, Tom Eastep wrote: > > I've taken a look, and the most recently-released helper is the one for > Sane whose copyright dates back to 2007. So I think that I'll just make > this an error. Note that even if I validate the name and protocol, there > is no guarantee that the rule will load successfully; the only way that > I could ensure that would be to create a detected capability for each of > the helpers.
Here is the (hopefully) final patch against RC 2. Thanks, Steven -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 0e8b582..9aea52b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -173,6 +173,7 @@ our %EXPORT_TAGS = (
do_tos
do_connbytes
do_helper
+ validate_helper
do_headers
do_condition
have_ipset_rules
@@ -558,19 +559,16 @@ sub initialize( $$$ ) {
%ipset_exists = ();
- %helpers = ( amanda => 1,
- ftp => 1,
- h323 => 1,
- irc => 1,
- netbios_ns => 1,
- netlink => 1,
- proto_gre => 1,
- proto_sctp => 1,
- pptp => 1,
- proto_udplite => 1,
- sane => 1,
- sip => 1,
- tftp => 1 );
+ %helpers = ( amanda => TCP,
+ ftp => TCP,
+ h323 => UDP,
+ irc => TCP,
+ netbios_ns => UDP,
+ pptp => TCP,
+ sane => TCP,
+ sip => UDP,
+ snmp => UDP,
+ tftp => UDP);
#
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
#
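Review bot: The `amanda => TCP` entry in the new `%helpers` table looks wrong: the kernel's nf_conntrack_amanda helper registers on UDP (port 10080), so after this change a correct `CT:helper amanda` rule with PROTO=udp is rejected with "requires PROTO=6". Since `$helper` is later passed verbatim to `--helper`, the table keys also need to be the exact kernel helper names; `netbios_ns` and `h323` do not match what I recall the modules registering (`netbios-ns`, and `RAS`/`Q.931` for H.323, which are UDP and TCP respectively), so those entries may accept names the kernel will not load — worth confirming against the conntrack module sources before release. The enclosing `initialize` sub starts and ends outside this hunk.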
@@ -4004,22 +4002,47 @@ sub do_connbytes( $ ) {
}
#
-# Create a soft "-m helper" match for the passed argument
+# Validate a helper/protocol pair
+#
+sub validate_helper( $;$ ) {
+ my ( $helper, $proto ) = @_;
+ my $helper_base = $helper;
+ $helper_base =~ s/-\d+$//;
+
+ my $helper_proto = $helpers{$helper_base};
+
+ if ( $helper_proto) {
+ #
+ # Recognized helper
+ #
+ if ( supplied $proto ) {
+ my $protonum = -1;
+
+ unless ( $proto eq '-' ) {
+ fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
+ }
+
+ fatal_error "The $helper_base helper requires PROTO=$helper_proto" unless $protonum == $helper_proto;
+ }
+ } else {
+ fatal_error "Unrecognized helper ($helper_base)";
+ }
+}
+
+#
+# Create an "-m helper" match for the passed argument
#
sub do_helper( $ ) {
my $helper = shift;
return '' if $helper eq '-';
- my $helper_base = $helper;
-
- $helper_base =~ s/-\d+$//;
-
- warning_message "Unrecognized helper ($helper)" unless $helpers{$helper_base};
+ validate_helper( $helper );
qq(-m helper --helper "$helper" ) if defined wantarray;
}
+
#
# Create a "-m length" match for the passed LENGTH
#
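Review bot: In `validate_helper`, the "Unknown PROTO" message interpolates `$protonum`, but on that path `resolve_proto` has just returned undef and assigned it, so the user sees "Unknown PROTO ()" plus an uninitialized-value warning instead of the protocol they typed; change it to `fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );`. The follow-up message "requires PROTO=$helper_proto" prints the numeric constant (6 or 17) rather than tcp/udp, which is hard to act on from a config file; consider mapping it back to a name before reporting. A one-line comment above the sub stating that the trailing `-\d+` is stripped so per-rule suffixed helpers (e.g. ftp-0) validate against the base name would also help the next reader.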
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index cebf8a1..a2ea833 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -76,7 +76,7 @@ sub process_notrack_rule( $$$$$$$ ) {
if ( $option eq 'helper' ) {
fatal_error "Invalid helper' ($args)" if $args =~ /,/;
fatal_error "A protocol protocol is required in CT:helper rules" if $proto eq '-';
- do_helper( $args );
+ validate_helper( $args, $proto );
$action = "CT --helper $args";
$exception_rule = do_proto( $proto, '-', '-' );
} elsif ( $option eq 'ctevents' ) {
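Review bot: The new `validate_helper( $args, $proto )` call is the right check here, but the two `fatal_error` messages immediately above it carry defects that this hunk is the natural place to fix: a stray quote in `"Invalid helper' ($args)"` and a doubled word in `"A protocol protocol is required in CT:helper rules"`. Suggested: `fatal_error "Invalid helper ($args)" if $args =~ /,/;` and `fatal_error "A protocol is required in CT:helper rules" if $proto eq '-';`. `process_notrack_rule` starts and ends outside this hunk.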
