|
 |
843f86 |
From 3bcaadbc99a10634d5a7552d7398436ef836f428 Mon Sep 17 00:00:00 2001
|
|
|
843f86 |
From: Thomas Woerner <twoerner@redhat.com>
|
|
|
843f86 |
Date: Mon, 22 May 2017 17:59:10 +0200
|
|
|
843f86 |
Subject: [PATCH 3/6] firewall.core.fw_zone: Load NAT helpers with conntrack
|
|
|
843f86 |
helpers
|
|
|
843f86 |
|
|
|
843f86 |
If a conntrack helper is used, then the NAT helper will automatically be loaded
|
|
|
843f86 |
also if there is a matching NAT helper.
|
|
|
843f86 |
|
|
|
843f86 |
Fixes: RHBZ#1452681
|
|
|
843f86 |
(cherry picked from commit af59d816c92e0391d118949542eb19bcf8b74580)
|
|
|
843f86 |
---
|
|
|
843f86 |
src/firewall/core/fw_zone.py | 12 ++++++++++++
|
|
|
843f86 |
1 file changed, 12 insertions(+)
|
|
|
843f86 |
|
|
|
843f86 |
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
|
|
843f86 |
index 2c99b0cbce8a..3089d12edd1b 100644
|
|
|
843f86 |
--- a/src/firewall/core/fw_zone.py
|
|
|
843f86 |
+++ b/src/firewall/core/fw_zone.py
|
|
|
843f86 |
@@ -1155,9 +1155,15 @@ class FirewallZone(object):
|
|
|
843f86 |
_rule += [ "-j", "CT", "--helper", helper.name ]
|
|
|
843f86 |
self.__rule_source(rule.source, _rule)
|
|
|
843f86 |
zone_transaction.add_rule(ipv, _rule)
|
|
|
843f86 |
+ nat_module = module.replace("conntrack", "nat")
|
|
|
843f86 |
+ if nat_module in self._fw.nf_nat_helpers:
|
|
|
843f86 |
+ modules.append(nat_module)
|
|
|
843f86 |
else:
|
|
|
843f86 |
if helper.module not in modules:
|
|
|
843f86 |
modules.append(helper.module)
|
|
|
843f86 |
+ nat_module = helper.module.replace("conntrack", "nat")
|
|
|
843f86 |
+ if nat_module in self._fw.nf_nat_helpers:
|
|
|
843f86 |
+ modules.append(nat_module)
|
|
|
843f86 |
zone_transaction.add_modules(modules)
|
|
|
843f86 |
|
|
|
843f86 |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
|
|
|
843f86 |
@@ -1624,6 +1630,9 @@ class FirewallZone(object):
|
|
|
843f86 |
modules = [ ]
|
|
|
843f86 |
for helper in helpers:
|
|
|
843f86 |
modules.append(helper.module)
|
|
|
843f86 |
+ nat_module = helper.module.replace("conntrack", "nat")
|
|
|
843f86 |
+ if nat_module in self._fw.nf_nat_helpers:
|
|
|
843f86 |
+ modules.append(nat_module)
|
|
|
843f86 |
zone_transaction.add_modules(modules)
|
|
|
843f86 |
zone_transaction.add_chain("filter", "INPUT")
|
|
|
843f86 |
|
|
|
843f86 |
@@ -1641,6 +1650,9 @@ class FirewallZone(object):
|
|
|
843f86 |
raise FirewallError(
|
|
|
843f86 |
errors.INVALID_HELPER,
|
|
|
843f86 |
"'%s' is not available in kernel" % module)
|
|
|
843f86 |
+ nat_module = helper.module.replace("conntrack", "nat")
|
|
|
843f86 |
+ if nat_module in self._fw.nf_nat_helpers:
|
|
|
843f86 |
+ zone_transaction.add_module(nat_module)
|
|
|
843f86 |
if helper.family != "" and helper.family != ipv:
|
|
|
843f86 |
# no support for family ipv, continue
|
|
|
843f86 |
continue
|
|
|
843f86 |
--
|
|
|
843f86 |
2.12.0
|
|
|
843f86 |
|