Jim Barber
2013-Oct-08 09:19 UTC
Bug with H323 helper? Shorewall 4.5.16.1 as packaged up for Debian.
Hi all.

I can't seem to get the h323 connection tracking configured correctly for Shorewall.
I am using the Debian Shorewall 4.5.16.1 package.
I am running a Debian 3.9 kernel like so:

# uname -a
Linux gw 3.9-1-amd64 #1 SMP Debian 3.9.8-1 x86_64 GNU/Linux

My version of iptables is:

# iptables -V
iptables v1.4.20

If I add the following rule in the /etc/shorewall/tcrules file to set a TOS value based on the helper:

TOS(0xa0/0xfc) $ALL $RFC1918 { helper:Q.931 }

Then a 'shorewall check' results in the following error:

ERROR: The h323 helper is not enabled /etc/shorewall/tcrules (line 94)

That also happens if I use a '{ helper:RAS }' entry as well.

Shorewall believes my kernel has H323 capabilities:

# shorewall show capabilities | grep H323
H323 Helper: Available

The HELPERS entries in the /etc/shorewall/shorewall.conf file are:

# grep HELPER /etc/shorewall/shorewall.conf
AUTOHELPERS=No
HELPERS
LOAD_HELPERS_ONLY=No

If I try to force the h323 by defining HELPERS in shorewall.conf like so:

HELPERS=ftp,h323,irs,netbios-ns,pptp,sip,snmp,tftp

Then shorewall check now results in:

# shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
ERROR: The h323 helper requires H323 Helpers in your kernel and iptables

If I list my modules the h323 NAT and connection tracking modules are listed:

# lsmod | grep h323
nf_nat_h323            12937  0
nf_conntrack_h323      42418  1 nf_nat_h323
nf_nat                 18378  15 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,ip6t_MASQUERADE,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_nat,ip6table_nat,iptable_nat
nf_conntrack           59734  39 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,ip6t_MASQUERADE,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,ip6table_nat,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h32,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp

And I don't seem to have any issue loading the same connection tracking helper that Shorewall does when checking for h323 support.

# iptables -t raw -N tmp_chain
# iptables -t raw -A tmp_chain -j CT --notrack ; echo $?
0
# iptables -t raw -A tmp_chain -p udp --dport 1719 -j CT --helper RAS ; echo $?
0
# iptables -t raw -F tmp_chain
# iptables -t raw -X tmp_chain

I'm not sure what else to check now.
Am I doing something wrong?
Or is there a bug with the h323 helper stuff in Shorewall?

Regards,

--
Jim Barber
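The two checks above (are nf_conntrack_h323/nf_nat_h323 loaded, and does the kernel accept a raw-table `-j CT --helper` rule, which is the probe Shorewall's capability detection performs) can be scripted so the result is reproducible and the throwaway chain is always cleaned up. The script below is an added example, not code from this thread or from Shorewall. The helper names RAS and Q.931 and the ports 1719/udp and 1720/tcp are the standard H.323 ones; the chain name, function names and the embedded lsmod sample are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread or from Shorewall): reproduce the two
# manual checks, module presence via lsmod and a CT --helper probe in the raw
# table, with a per-run chain name so a leftover chain from an earlier probe
# cannot mask the result.

# Constructed lsmod-style sample, modelled on the output shown in the thread;
# used for stand-alone testing of the parser below.
SAMPLE_LSMOD="nf_nat_h323 12937 0
nf_conntrack_h323 42418 1 nf_nat_h323
nf_nat 18378 15 nf_nat_ftp,nf_nat_h323
nf_conntrack 59734 39 nf_nat_h323,nf_conntrack_h323,nf_conntrack_sip"

# helper_modules_present HELPER
# Reads lsmod-format text on stdin (module name in the first column) and
# returns 0 only when both nf_conntrack_HELPER and nf_nat_HELPER are listed.
# A helper whose NAT module is missing will still be rejected by NAT rules,
# so both are required here.
helper_modules_present() {
    helper="$1"
    ct=0
    nat=0
    while read -r name rest; do
        case "$name" in
            "nf_conntrack_$helper") ct=1 ;;
            "nf_nat_$helper")       nat=1 ;;
        esac
    done
    [ "$ct" -eq 1 ] && [ "$nat" -eq 1 ]
}

# probe_ct_helper HELPER PROTO PORT
# Exit status: 0 = kernel accepted "-j CT --helper HELPER", 1 = rule rejected,
# 2 = probe could not run (no iptables on PATH, not root, or the raw table
# could not be used).  Mirrors the chain-create/add/flush/delete sequence
# Shorewall uses for its capability test.
probe_ct_helper() {
    helper="$1"; proto="$2"; port="$3"
    command -v iptables >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    chain="h323_probe_$$"            # unique per process, avoids stale chains
    iptables -t raw -N "$chain" 2>/dev/null || return 2
    rc=1
    if iptables -t raw -A "$chain" -p "$proto" --dport "$port" \
           -j CT --helper "$helper" 2>/dev/null; then
        rc=0
    fi
    # Always remove the throwaway chain, whatever the probe result.
    iptables -t raw -F "$chain" 2>/dev/null
    iptables -t raw -X "$chain" 2>/dev/null
    return "$rc"
}

# Stand-alone use as root:  sh h323_probe.sh probe
if [ "${1:-}" = "probe" ]; then
    if lsmod | helper_modules_present h323; then
        echo "nf_conntrack_h323 and nf_nat_h323 are loaded"
    else
        echo "h323 modules not loaded (try: modprobe nf_nat_h323)"
    fi
    for spec in "RAS udp 1719" "Q.931 tcp 1720"; do
        set -- $spec
        probe_ct_helper "$1" "$2" "$3"
        echo "CT --helper $1 on $2/$3: rc=$?"
    done
fi
```

Run it as root; a return code of 0 from the probe with "Available" from `shorewall show capabilities` means the kernel and iptables side is fine and, as in this thread, the remaining error has to come from Shorewall's own configuration handling. If the probe returns 1, load the helper module first (`modprobe nf_conntrack_h323`) and retry, since the CT target looks the helper up by its registered name.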
Tom Eastep
2013-Oct-08 15:25 UTC
Re: Bug with H323 helper? Shorewall 4.5.16.1 as packaged up for Debian.
On 10/8/2013 2:19 AM, Jim Barber wrote:
> Hi all.
>
> I can't seem to get the h323 connection tracking configured correctly for Shorewall.
> I am using the Debian Shorewall 4.5.16.1 package.
> I am running a Debian 3.9 kernel like so:
>
> # uname -a
> Linux gw 3.9-1-amd64 #1 SMP Debian 3.9.8-1 x86_64 GNU/Linux
>
> My version of iptables is:
>
> # iptables -V
> iptables v1.4.20
>
> If I add the following rule in the /etc/shorewall/tcrules file to set a TOS value based on the helper:
>
> TOS(0xa0/0xfc) $ALL $RFC1918 { helper:Q.931 }
>
> Then a 'shorewall check' results in the following error:
>
> ERROR: The h323 helper is not enabled /etc/shorewall/tcrules (line 94)
>
> That also happens if I use a '{ helper:RAS }' entry as well.
>
> Shorewall believes my kernel has H323 capabilities:
>
> # shorewall show capabilities | grep H323
> H323 Helper: Available
>
> The HELPERS entries in the /etc/shorewall/shorewall.conf file are:
>
> # grep HELPER /etc/shorewall/shorewall.conf
> AUTOHELPERS=No
> HELPERS
> LOAD_HELPERS_ONLY=No
>
> If I try to force the h323 by defining HELPERS in shorewall.conf like so:
>
> HELPERS=ftp,h323,irs,netbios-ns,pptp,sip,snmp,tftp
>
> Then shorewall check now results in:
>
> # shorewall check
> Checking...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> ERROR: The h323 helper requires H323 Helpers in your kernel and iptables
>
> If I list my modules the h323 NAT and connection tracking modules are listed:
>
> # lsmod | grep h323
> nf_nat_h323            12937  0
> nf_conntrack_h323      42418  1 nf_nat_h323
> nf_nat                 18378  15 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,ip6t_MASQUERADE,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_nat,ip6table_nat,iptable_nat
> nf_conntrack           59734  39 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,ip6t_MASQUERADE,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,ip6table_nat,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h32,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
>
> And I don't seem to have any issue loading the same connection tracking helper that Shorewall does when checking for h323 support.
>
> # iptables -t raw -N tmp_chain
> # iptables -t raw -A tmp_chain -j CT --notrack ; echo $?
> 0
> # iptables -t raw -A tmp_chain -p udp --dport 1719 -j CT --helper RAS ; echo $?
> 0
> # iptables -t raw -F tmp_chain
> # iptables -t raw -X tmp_chain
>
> I'm not sure what else to check now.
> Am I doing something wrong?
> Or is there a bug with the h323 helper stuff in Shorewall?

Jim,

There is a bug.

Patch attached.

patch /usr/share/shorewall/Shorewall/Config.pm < H323.patch

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Jim Barber
2013-Oct-09 01:08 UTC
Re: Bug with H323 helper? Shorewall 4.5.16.1 as packaged up for Debian.
On 8/10/2013 11:25 PM, Tom Eastep wrote:
>
> Jim,
>
> There is a bug.
>
> Patch attached.
>
> patch /usr/share/shorewall/Shorewall/Config.pm < H323.patch
>
> -Tom

Thank you.
The patch has fixed the problem.

- Jim Barber