From: Aurelien Jarno Date: Tue, 11 Apr 2017 10:22:52 +0000 (+0200) Subject: Switch FTP conntrack to explicit CT target X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=c900f03686f913f87c1163a03a24f90193175318;hp=--cc;p=mirror%2Fdsa-puppet.git Switch FTP conntrack to explicit CT target From Linux 4.7, automatic conntrack helper assignment has been disabled. An explicit CT target should be used instead, which also automatically loads the corresponding conntrack module. Signed-off-by: Aurelien Jarno
--- c900f03686f913f87c1163a03a24f90193175318
diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp
index ea502e2d9..868110b37 100644
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
@@ -1,3 +1,20 @@
 class ferm::ftp_conntrack {
- ferm::module { 'nf_conntrack_ftp': }
+
+ # Allow non-passive connections to an FTP server
+ @ferm::rule { 'dsa-ftp-conntrack-client':
+ domain => '(ip ip6)',
+ description => 'ftp client connection tracking',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
+
+ # Allow passive connections from an FTP client
+ @ferm::rule { 'dsa-ftp-conntrack-server':
+ domain => '(ip ip6)',
+ description => 'ftp server connection tracking',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
 }
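Review bot: Both new `rule` values attach the ftp helper to every TCP connection to port 21 with no address restriction, so on any host that realizes these virtual rules the helper parses control-channel traffic from or to arbitrary peers and opens dynamic expectations based on its contents; the kernel's own guidance for conntrack helpers is to scope the CT rule as tightly as possible. For the PREROUTING rule that means limiting it to the address(es) the FTP service actually listens on, e.g. `rule => 'proto tcp daddr (<FTP_SERVICE_ADDRS>) dport 21 CT helper ftp'` (placeholder), and for the OUTPUT rule the server(s) this host is expected to talk to. A matching filter-table rule that accepts the RELATED data connections only when they were created by this helper (`-m helper --helper ftp` in iptables terms) is the other half of the hardening; whether the collectors that realize `dsa-ftp-conntrack-client`/`-server` add one cannot be seen from this hunk. The removed `ferm::module { 'nf_conntrack_ftp': }` was the only explicit load of that module in this file; if any other manifest relied on it being loaded on hosts that do not realize these rules, that dependency is now implicit — worth a grep before merging.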