Merge remote-tracking branch 'waldi/rsyncd-vsftpd-systemd-all'

author Martin Zobel-Helas <zobel@debian.org>

Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)

committer Martin Zobel-Helas <zobel@debian.org>

Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)
author Martin Zobel-Helas <zobel@debian.org>
Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)
committer Martin Zobel-Helas <zobel@debian.org>
Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)
diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp

index ea502e2..45e060b 100644 (file)
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
@@ -1,3 +1,24 @@
  class ferm::ftp_conntrack {
-       ferm::module { 'nf_conntrack_ftp': }
+       # This also works for jessie hosts, but requires a reboot
+       if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
+               # Allow non-passive connections to an FTP server
+               @ferm::rule { 'dsa-ftp-conntrack-client':
+                       domain      => '(ip ip6)',
+                       description => 'ftp client connection tracking',
+                       table       => 'raw',
+                       chain       => 'OUTPUT',
+                       rule        => 'proto tcp dport 21 CT helper ftp'
+               }
+
+               # Allow passive connections from an FTP client
+               @ferm::rule { 'dsa-ftp-conntrack-server':
+                       domain      => '(ip ip6)',
+                       description => 'ftp server connection tracking',
+                       table       => 'raw',
+                       chain       => 'PREROUTING',
+                       rule        => 'proto tcp dport 21 CT helper ftp'
+               }
+       } else {
+               ferm::module { 'nf_conntrack_ftp': }
+       }
  }
author	Martin Zobel-Helas <zobel@debian.org>
	Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)
committer	Martin Zobel-Helas <zobel@debian.org>
	Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)