Use correct state flag during initial rule setup https://github.com/webmin/webmin/issues/2264

2025-07-21 23:40:34 +00:00 · 2024-09-05 11:31:52 -07:00
parent c607990c48
commit 6b2a9d34bf
2 changed files with 12 additions and 8 deletions
--- a/firewall/setup.cgi
+++ b/firewall/setup.cgi
@ -83,6 +83,8 @@ if ($in{'auto'}) {
 			     'rules' => [ ],
 			     'defaults' => { } };
 		$table->{'defaults'}->{'INPUT'} = 'DROP';
+		my $sd = &supports_conntrack() ? "ctstate" : "state";
+		my $sm = $sd eq "state" ? "state" : "conntrack";
 		push(@{$table->{'rules'}},
 		     { 'chain' => 'INPUT',
 		       'i' => [ "!", $iface ],
@ -95,13 +97,13 @@ if ($in{'auto'}) {
 		       'j' => [ "", 'ACCEPT' ],
 		       'cmt' => 'Accept traffic with the ACK flag set' },
 		     { 'chain' => 'INPUT',
-		       'm' => [ [ "", "state" ] ],
-		       'state' => [ "", "ESTABLISHED" ],
+		       'm' => [ [ "", $sm ] ],
+		       $sd => [ "", "ESTABLISHED" ],
 		       'j' => [ "", 'ACCEPT' ],
 		       'cmt' => 'Allow incoming data that is part of a connection we established' },
 		     { 'chain' => 'INPUT',
-		       'm' => [ [ "", "state" ] ],
-		       'state' => [ "", "RELATED" ],
+		       'm' => [ [ "", $sm ] ],
+		       $sd => [ "", "RELATED" ],
 		       'j' => [ "", 'ACCEPT' ],
 		       'cmt' => 'Allow data that is related to existing connections' },
 		     { 'chain' => 'INPUT',
--- a/firewall/setup6.cgi
+++ b/firewall/setup6.cgi
@ -78,6 +78,8 @@ if ($in{'auto'}) {
 			     'rules' => [ ],
 			     'defaults' => { } };
 		$table->{'defaults'}->{'INPUT'} = 'DROP';
+		my $sd = &supports_conntrack() ? "ctstate" : "state";
+		my $sm = $sd eq "state" ? "state" : "conntrack";
 		push(@{$table->{'rules'}},
 		     { 'chain' => 'INPUT',
 		       'i' => [ "!", $iface ],
@ -90,13 +92,13 @@ if ($in{'auto'}) {
 		       'j' => [ "", 'ACCEPT' ],
 		       'cmt' => 'Accept traffic with the ACK flag set' },
 		     { 'chain' => 'INPUT',
-		       'm' => [ [ "", "state" ] ],
-		       'state' => [ "", "ESTABLISHED" ],
+		       'm' => [ [ "", $sm ] ],
+		       $sd => [ "", "ESTABLISHED" ],
 		       'j' => [ "", 'ACCEPT' ],
 		       'cmt' => 'Allow incoming data that is part of a connection we established' },
 		     { 'chain' => 'INPUT',
-		       'm' => [ [ "", "state" ] ],
-		       'state' => [ "", "RELATED" ],
+		       'm' => [ [ "", $sm ] ],
+		       $sd => [ "", "RELATED" ],
 		       'j' => [ "", 'ACCEPT' ],
 		       'cmt' => 'Allow data that is related to existing connections' },
 		     { 'chain' => 'INPUT',