Re: [Shorewall-users] Bug with H323 helper? Shorewall 4.5.16.1 as packaged up for Debian.

[Tom Eastep]

On 10/8/2013 2:19 AM, Jim Barber wrote:
> Hi all.
> 
> I can't seem to get the h323 connection tracking configured correctly for 
> Shorewall.
> I am using the Debian Shorewall 4.5.16.1 package.
> I am running a Debian 3.9 kernel like so:
> 
>       # uname -a
>       Linux gw 3.9-1-amd64 #1 SMP Debian 3.9.8-1 x86_64 GNU/Linux
> 
> My version of iptables is:
> 
>       # iptables -V
>       iptables v1.4.20
> 
> If I add the following rule in the /etc/shorewall/tcrules file to set a TOS 
> value based on the helper:
> 
>       TOS(0xa0/0xfc) $ALL    $RFC1918        { helper:Q.931 }
> 
> Then a 'shorewall check' results in the following error:
> 
>       ERROR: The h323 helper is not enabled /etc/shorewall/tcrules (line 94)
> 
> That also happens if I use a '{ helper:RAS }' entry as well.
> 
> Shorewall believes my kernel has H323 capabilities:
> 
>       # shorewall show capabilities | grep H323
>          H323 Helper: Available
> 
> The HELPERS entries in the /etc/shorewall/shorewall.conf file are:
> 
>       # grep HELPER /etc/shorewall/shorewall.conf
>       AUTOHELPERS=No
>       HELPERS=
>       LOAD_HELPERS_ONLY=No
> 
> If I try to force the h323 by defining HELPERS in shorewall.conf like so:
> 
>       HELPERS=ftp,h323,irs,netbios-ns,pptp,sip,snmp,tftp
> 
> Then shorewall check now results in:
> 
>       # shorewall check
>       Checking...
>       Processing /etc/shorewall/params ...
>       Processing /etc/shorewall/shorewall.conf...
>       Loading Modules...
>          ERROR: The h323 helper requires H323 Helpers in your kernel and 
> iptables
> 
> If I list my modules the h323 NAT and connection tracking modules are listed:
> 
>       # lsmod | grep h323
>       nf_nat_h323            12937  0
>       nf_conntrack_h323      42418  1 nf_nat_h323
>       nf_nat                 18378  15 
> nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,ip6t_MASQUERADE,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_nat,ip6table_nat,iptable_nat
>       nf_conntrack           59734  39 
> nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,ip6t_MASQUERADE,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,ip6table_nat,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h32,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
> 
> And I don't seem to have any issue loading the same connection tracking 
> helper that Shorewall does when checking for h323 support.
> 
>       # iptables -t raw -N tmp_chain
>       # iptables -t raw -A tmp_chain -j CT --notrack ; echo $?
>       0
>       # iptables -t raw -A tmp_chain -p udp --dport 1719 -j CT --helper RAS ; 
> echo $?
>       0
>       # iptables -t raw -F tmp_chain
>       # iptables -t raw -X tmp_chain
> 
> I'm not sure what else to check now.
> Am I doing something wrong?
> Or is there a bug with the h323 helper stuff in Shorewall?
Jim,

There is a bug.

Patch attached.

        patch /usr/share/shorewall/Shorewall/Config.pm < H323.patch

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 2e4f1da..dce5013 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4021,7 +4021,14 @@ sub Helper_Match() {
 sub have_helper( $$$ ) {
     my ( $helper, $proto, $port ) = @_;
 
-    if ( $helpers_enabled{$helper} ) {
+    my $helper_base = $helper;
+    
+    $helper_base =~ s/-\d$//;
+    $helper_base =  $helpers_map{$helper_base};
+    $helper_base =~ s/_HELPER//;
+    $helper_base =~ s/_/-/;
+
+    if ( $helpers_enabled{lc $helper_base} ) {
 	if ( have_capability 'CT_TARGET' ) {
 	    qt1( "$iptables $iptablesw -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
 	} else {

signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users