firewall.core.fw_zone: Load NAT helpers with conntrack helpers

If a conntrack helper is used, then the NAT helper will automatically be loaded also if there is a matching NAT helper. Fixes: RHBZ#1452681
t-woerner · May 22, 2017 · af59d81 · af59d81
1 parent f0109e0
commit af59d81
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
@@ -1155,9 +1155,15 @@ def __rule_prepare(self, enable, zone, rule, mark_id, zone_transaction):
                                 _rule += [ "-j", "CT", "--helper", helper.name ]
                                 self.__rule_source(rule.source, _rule)
                                 zone_transaction.add_rule(ipv, _rule)
+                                nat_module = module.replace("conntrack", "nat")
+                                if nat_module in self._fw.nf_nat_helpers:
+                                    modules.append(nat_module)
                         else:
                             if helper.module not in modules:
                                 modules.append(helper.module)
+                                nat_module = helper.module.replace("conntrack", "nat")
+                                if nat_module in self._fw.nf_nat_helpers:
+                                    modules.append(nat_module)
                     zone_transaction.add_modules(modules)
 
                 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
@@ -1621,6 +1627,9 @@ def __service(self, enable, zone, service, use_zone_transaction=None):
                 modules = [ ]
                 for helper in helpers:
                     modules.append(helper.module)
+                    nat_module = helper.module.replace("conntrack", "nat")
+                    if nat_module in self._fw.nf_nat_helpers:
+                        modules.append(nat_module)
                 zone_transaction.add_modules(modules)
             zone_transaction.add_chain("filter", "INPUT")
 
@@ -1638,6 +1647,9 @@ def __service(self, enable, zone, service, use_zone_transaction=None):
                         raise FirewallError(
                             errors.INVALID_HELPER,
                             "'%s' is not available in kernel" % module)
+                    nat_module = helper.module.replace("conntrack", "nat")
+                    if nat_module in self._fw.nf_nat_helpers:
+                        zone_transaction.add_module(nat_module)
                     if helper.family != "" and helper.family != ipv:
                         # no support for family ipv, continue
                         continue