system-config-firewall conntrack patch

Vít Ondruch vondruch at redhat.com
Wed Jan 2 10:52:39 UTC 2013


Thanks Andrew,

I am forwarding this to system-config-firewall maintainers, who might be 
interested.


Vít


Dne 24.12.2012 21:02, Andrew Wyatt napsal(a):
> Howdy folks, saw that you hadn't patched system-config-firewall to 
> support conntrack so I thought I'd send our patch your way.  Not a 
> large contribution by any means, but I hope it helps.
>
> diff -rupN system-config-firewall-1.2.29.orig/src/fw_iptables.py 
> system-config-firewall-1.2.29/src/fw_iptables.py
> --- system-config-firewall-1.2.29.orig/src/fw_iptables.py 2012-12-24 
> 14:44:23.094496819 -0500
> +++ system-config-firewall-1.2.29/src/fw_iptables.py    2012-12-24 
> 14:46:06.040498696 -0500
> @@ -362,7 +362,7 @@ class iptablesClass:
>
>          # accept established and related connections as early as 
> possible
>          #   RELATED is extremely important as it matches ICMP error 
> messages
> -        fd.write("-A INPUT -m state --state ESTABLISHED,RELATED -j 
> ACCEPT\n")
> +        fd.write("-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED 
> -j ACCEPT\n")
>
>          # icmp
>          self._icmp(conf, fd, "INPUT", reject_type)
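Review bot: The rewritten rule on the `+` line makes the generated ruleset depend on the conntrack match (the `xt_conntrack` module) instead of the legacy state match, and nothing in the hunk or the cover text records that requirement for the hosts that will load this ruleset; the old `--state` form was the only one guaranteed on older kernels and iptables builds. A short comment next to the rule would make the dependency visible to the next maintainer, e.g. `# uses the conntrack match (xt_conntrack); --ctstate ESTABLISHED,RELATED is the replacement for the legacy --state form`. As quoted in the mail the diff lines are wrapped mid-string (the `fd.write(...)` literal here spans two physical lines), so this text cannot be applied as pasted and the original attachment should be used. The enclosing method of iptablesClass starts and ends outside the hunk.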
> @@ -377,7 +377,7 @@ class iptablesClass:
>              for fwd in conf.forward_port:
>                  if fwd.has_key("toaddr"):
>                      continue
> -                line = "-A INPUT -i %s -m state --state NEW -m %s -p 
> %s" % \
> +                line = "-A INPUT -i %s -m conntrack --ctstate NEW -m 
> %s -p %s" % \
>                      (fwd["if"], fwd["proto"], fwd["proto"])
>                  if fwd.has_key("toport"):
>                      line += " --dport %s" % self._portStr(fwd["toport"])
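Review bot: The match fragment `-m conntrack --ctstate NEW` is spelled out by hand on the `+` line here and again in the hunks at L56, L66-67 and L88-89, with the `ESTABLISHED,RELATED` variant repeated at L35-36 and L78-79; this patch exists precisely because such duplicated rule fragments drift apart over time. Hoisting them into module-level constants, `CTSTATE_NEW = "-m conntrack --ctstate NEW"` and `CTSTATE_ESTABLISHED = "-m conntrack --ctstate ESTABLISHED,RELATED"`, and referencing those in each `fd.write`/`line =` would keep every generated INPUT and FORWARD rule on the same match module. The enclosing method of iptablesClass starts and ends outside the hunk.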
> @@ -394,7 +394,7 @@ class iptablesClass:
>                      _dest = ""
>                      _port = ""
>                      if proto in [ "tcp", "udp" ]:
> -                        _state = "-m state --state NEW "
> +                        _state = "-m conntrack --ctstate NEW "
>                          _proto = "-m %s -p %s " % (proto, proto)
>                      else:
>                          if self.type == "ipv4":
> @@ -411,7 +411,7 @@ class iptablesClass:
>          # open ports
>          if conf.ports and len(conf.ports) > 0:
>              for (ports, proto) in conf.ports:
> -                fd.write("-A INPUT -m state --state NEW -m %s -p %s 
> --dport %s "
> +                fd.write("-A INPUT -m conntrack --ctstate NEW -m %s 
> -p %s --dport %s "
>                           "-j ACCEPT\n" % (proto, proto, 
> self._portStr(ports)))
>
>          # FORWARD
> @@ -419,7 +419,7 @@ class iptablesClass:
>                  (self.type == "ipv4" and conf.masq and len(conf.masq) 
> > 0) or \
>                  (self.type == "ipv4" and remote_forward):
>              # accept established and related connections
> -            fd.write("-A FORWARD -m state --state ESTABLISHED,RELATED "
> +            fd.write("-A FORWARD -m conntrack --ctstate 
> ESTABLISHED,RELATED "
>                       "-j ACCEPT\n")
>              # icmp
>              self._icmp(conf, fd, "FORWARD", reject_type)
> @@ -442,7 +442,7 @@ class iptablesClass:
>                          port = self._portStr(fwd["toport"])
>                      else:
>                          port = self._portStr(fwd["port"])
> -                    fd.write("-A FORWARD -i %s -m state --state NEW "
> +                    fd.write("-A FORWARD -i %s -m conntrack --ctstate 
> NEW "
>                               "-m %s -p %s -d %s --dport %s "
>                               "-j ACCEPT\n" % (fwd["if"], fwd["proto"],
>                                                fwd["proto"], 
> fwd["toaddr"],
>


