Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:nf_conntrack_expect [2025/01/10 12:56] – [Shorewall and helpers] niccolo
+++ doc:appunti:linux:sa:nf_conntrack_expect [2025/06/09 09:57] (current) – [Shorewall and helpers] niccolo
@@ Line 142: / Line 142: @@
 </file>
-And be more specific with helpers in **/etc/shorewall/rules** or **/etc/shorewall/conntrack**.
+And be more specific with helpers in **/etc/shorewall/rules**, e.g.:
 <file>
+HELPER    loc    -    udp    5060    ; helper=sip
 </file>
+This combination will create the following iptable rule into the raw table:
+<code>
+Chain PREROUTING (policy ACCEPT 12 packets, 792 bytes)
+ pkts bytes target  prot opt in     out  source     destination
+     0 CT      17   --  lan0   *    0.0.0.0/0  0.0.0.0/0    udp dpt:5060 CT helper sip
+</code>
+The default **Debian 12 Bookworm** configuration for Shorewall provides a **conntrack** file where helpers can be enabled only if the Shorewall **AUTOHELPERS** option is enabled (in ''shorewall.conf'') and if the **CT_TARGET** iptables/netfilter capability is available (verify the output of ''shorewall show capabilities'').
+For example you can enable the sip helper adding this line in **/etc/shorewall/conntrack**:
+<code>
+CT:helper:sip:PO
+</code>
+In this case the helper is instantiated into the raw table in both PREROUTING and OUTPUT chains.
+==== Shorewall upgrade from Debian 11 to 12 ====
+In Debian, upgrading to **Shorewall 5.2.8** as per upgrade from **Debian 11 Bullseye** to **Debian 12 Bookworm**, connection tracking protocol helpers are no longer globally enabled by default; use **shorewall-conntrack(5)** or **shorewall-rules(5)** to enable them as appropriate where they are required.
-FIXME ... edit shorewall-conntrack or shorewall-rules.
+Setting **AUTOHELPERS** to 'Yes' in shorewall.conf restores the previous behavior.
 ===== Web references =====