authorChristian Breunig <christian@breunig.cc>2023-09-28 17:24:12 +0200
committerGitHub <noreply@github.com>2023-09-28 17:24:12 +0200
commitef94ff7f9959b9f3dcef398f8d85355d143ac73b (patch)
treeb6f15840059df2d9af4f44260587cf8ce01f2843 /python/vyos/firewall.py
parent7c2a0e781e2391f50738e2b29011dfd25b60075c (diff)
parent11641f9979d45ae3b519f3220fab68bfd8700be0 (diff)
downloadvyos-1x-ef94ff7f9959b9f3dcef398f8d85355d143ac73b.tar.gz
vyos-1x-ef94ff7f9959b9f3dcef398f8d85355d143ac73b.zip
Merge pull request #2320 from vyos/mergify/bp/sagitta/pr-2306
firewall: T5614: Add support for matching on conntrack helper (backport #2306)
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 53ff8259e..7de268a00 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -95,6 +95,20 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if states:
output.append(f'ct state {{{states}}}')
+ if 'conntrack_helper' in rule_conf:
+ helper_map = {'h323': ['RAS', 'Q.931'], 'nfs': ['rpc'], 'sqlnet': ['tns']}
+ helper_out = []
+
+ for helper in rule_conf['conntrack_helper']:
+ if helper in helper_map:
+ helper_out.extend(helper_map[helper])
+ else:
+ helper_out.append(helper)
+
+ if helper_out:
+ helper_str = ','.join(f'"{s}"' for s in helper_out)
+ output.append(f'ct helper {{{helper_str}}}')
+
if 'connection_status' in rule_conf and rule_conf['connection_status']:
status = rule_conf['connection_status']
if status['nat'] == 'destination':
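Review bot: The helper names are wrapped in double quotes and interpolated into the `ct helper {…}` expression at `helper_str = ','.join(f'"{s}"' for s in helper_out)` with no check on their content, so a value containing `"`, `}` or a newline would change the structure of the generated nftables rule. The CLI schema presumably restricts `conntrack_helper` to a fixed set of names, but that validation is not visible in this hunk, and parse_rule would be more robust if it did not depend on it. Consider rejecting unexpected names before the `else` branch appends them, for example `if not helper.replace('-', '').isalnum(): raise ValueError(f'invalid conntrack helper: {helper}')`, or by checking against an explicit list of supported helpers. As a smaller style point, `helper_map` is rebuilt on every call and could be a module-level constant. The body of parse_rule starts and ends outside the hunk.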