From 15811369946e05646a4743712dd8a58a3bd37038 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Tue, 11 Apr 2017 12:33:30 +0200
Subject: [PATCH] Only switch FTP conntrack to explicit CT target for stretch hosts

While it also works for jessie works, it requires a reboot as module loading is disabled.

Signed-off-by: Aurelien Jarno
---
 modules/ferm/manifests/ftp_conntrack.pp | 36 ++++++++++++++----------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp
index 868110b37..45e060b62 100644
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
@@ -1,20 +1,24 @@
 class ferm::ftp_conntrack {
+ # This also works for jessie hosts, but requires a reboot
+ if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
+ # Allow non-passive connections to an FTP server
+ @ferm::rule { 'dsa-ftp-conntrack-client':
+ domain => '(ip ip6)',
+ description => 'ftp client connection tracking',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
 
- # Allow non-passive connections to an FTP server
- @ferm::rule { 'dsa-ftp-conntrack-client':
- domain => '(ip ip6)',
- description => 'ftp client connection tracking',
- table => 'raw',
- chain => 'OUTPUT',
- rule => 'proto tcp dport 21 CT helper ftp'
- }
-
- # Allow passive connections from an FTP client
- @ferm::rule { 'dsa-ftp-conntrack-server':
- domain => '(ip ip6)',
- description => 'ftp server connection tracking',
- table => 'raw',
- chain => 'PREROUTING',
- rule => 'proto tcp dport 21 CT helper ftp'
+ # Allow passive connections from an FTP client
+ @ferm::rule { 'dsa-ftp-conntrack-server':
+ domain => '(ip ip6)',
+ description => 'ftp server connection tracking',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
+ } else {
+ ferm::module { 'nf_conntrack_ftp': }
 }
 }
-- 
2.20.1
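Review bot: The comment added above the new `if` gives only half of the reason for the `versioncmp($::lsbmajdistrelease, '9') >= 0` gate; the commit message says the real constraint is that module loading is disabled on jessie at runtime, so the explicit `CT helper ftp` rules cannot take effect there until a reboot, and a reader of the manifest alone cannot see that. I would replace the comment with `# Explicit CT-helper rules also work on jessie, but module loading is disabled there at runtime, so they would only take effect after a reboot; jessie keeps the module-based fallback below.`. The two branches are also worth contrasting in that comment from a hardening standpoint: the `>= 9` branch pins the FTP helper to the two listed port-21 rules, while the `else` branch only loads `nf_conntrack_ftp` and therefore relies on whatever helper assignment the kernel does by default, which is presumably broader — confirm against how `ferm::module` and the realized `@ferm::rule` resources are used elsewhere, since neither is visible here. Hosts on which `$::lsbmajdistrelease` is unset or non-numeric will, I believe, fall into the `else` branch rather than error out, which is the safer of the two outcomes but should be stated explicitly if it is intended.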