From 3bf7abe7cfdc738959c092bd30ef9ee42789fc8d Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Tue, 17 Sep 2019 14:54:13 -0400

Subject: [PATCH 102/109] fix: allow custom helpers using standard helper

 modules

e.g. a helper called "ftp-foobar" using module "nf_conntrack_ftp"

(cherry picked from commit 8c65bda2a750c1b1a15851a6030dfef8cdb74d15)

(cherry picked from commit 80260288c58b0555360822d1eb81b2a4d36a5ed1)

---

 src/firewall/core/fw_zone.py   | 10 ++++++----

 src/firewall/core/ipXtables.py |  4 ++--

 src/firewall/core/nftables.py  |  4 ++--

 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py

index 6b766d0dc3ba..c096e3efe028 100644

--- a/src/firewall/core/fw_zone.py

+++ b/src/firewall/core/fw_zone.py

@@ -1609,8 +1609,9 @@ class FirewallZone(object):

                         modules = [ ]

                         for helper in helpers:

                             module = helper.module

+                            _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")

                             if self._fw.nf_conntrack_helper_setting == 0:

-                                if helper.name not in \

+                                if _module_short_name not in \

                                    self._fw.nf_conntrack_helpers[module]:

                                     raise FirewallError(

                                         errors.INVALID_HELPER,

@@ -1627,7 +1628,7 @@ class FirewallZone(object):

                                     for (port,proto) in helper.ports:

                                         rules = backend.build_zone_helper_ports_rules(

                                                         enable, zone, proto, port,

-                                                        destination, helper.name)

+                                                        destination, helper.name, _module_short_name)

                                         zone_transaction.add_rules(backend, rules)

                             else:

                                 if helper.module not in modules:

@@ -1819,7 +1820,8 @@ class FirewallZone(object):

             if self._fw.nf_conntrack_helper_setting == 0:

                 for helper in helpers:

                     module = helper.module

-                    if helper.name not in \

+                    _module_short_name = module.replace("-","_").replace("nf_conntrack_", "")

+                    if _module_short_name not in \

                        self._fw.nf_conntrack_helpers[module]:

                         raise FirewallError(

                             errors.INVALID_HELPER,

@@ -1836,7 +1838,7 @@ class FirewallZone(object):

                         for (port,proto) in helper.ports:

                             rules = backend.build_zone_helper_ports_rules(

                                             enable, zone, proto, port,

-                                            destination, helper.name)

+                                            destination, helper.name, _module_short_name)

                             zone_transaction.add_rules(backend, rules)

             for (port,proto) in svc.ports:

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py

index 647a7a161517..b0a4c5e1c161 100644

--- a/src/firewall/core/ipXtables.py

+++ b/src/firewall/core/ipXtables.py

@@ -983,7 +983,7 @@ class ip4tables(object):

         return rules

     def build_zone_helper_ports_rules(self, enable, zone, proto, port,

-                                      destination, helper_name):

+                                      destination, helper_name, module_short_name):

         add_del = { True: "-A", False: "-D" }[enable]

         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],

                                             zone=zone)

@@ -992,7 +992,7 @@ class ip4tables(object):

             rule += [ "--dport", "%s" % portStr(port) ]

         if destination:

             rule += [ "-d",  destination ]

-        rule += [ "-j", "CT", "--helper", helper_name ]

+        rule += [ "-j", "CT", "--helper", module_short_name ]

         return [rule]

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py

index 9d88e72f42bf..0317d820389f 100644

--- a/src/firewall/core/nftables.py

+++ b/src/firewall/core/nftables.py

@@ -927,7 +927,7 @@ class nftables(object):

         return rules

     def build_zone_helper_ports_rules(self, enable, zone, proto, port,

-                                      destination, helper_name):

+                                      destination, helper_name, module_short_name):

         add_del = { True: "add", False: "delete" }[enable]

         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],

                                             zone=zone)

@@ -944,7 +944,7 @@ class nftables(object):

         helper_object = ["ct", "helper", "inet", TABLE_NAME,

                          "helper-%s-%s" % (helper_name, proto),

-                         "{", "type", "\"%s\"" % (helper_name), "protocol",

+                         "{", "type", "\"%s\"" % (module_short_name), "protocol",

                          proto, ";", "}"]

         return [helper_object, rule]

-- 

2.20.1