From c900f03686f913f87c1163a03a24f90193175318 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Tue, 11 Apr 2017 12:22:52 +0200
Subject: [PATCH] Switch FTP conntrack to explicit CT target

From Linux 4.7, automatic conntrack helper assignment has been disabled. An explicit CT target should be used instead, which also automatically loads the corresponding conntrack module.

Signed-off-by: Aurelien Jarno
---
 modules/ferm/manifests/ftp_conntrack.pp | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp
index ea502e2d9..868110b37 100644
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
@@ -1,3 +1,20 @@
 class ferm::ftp_conntrack {
- ferm::module { 'nf_conntrack_ftp': }
+
+ # Allow non-passive connections to an FTP server
+ @ferm::rule { 'dsa-ftp-conntrack-client':
+ domain => '(ip ip6)',
+ description => 'ftp client connection tracking',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
+
+ # Allow passive connections from an FTP client
+ @ferm::rule { 'dsa-ftp-conntrack-server':
+ domain => '(ip ip6)',
+ description => 'ftp server connection tracking',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
 }
--
2.20.1
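Review bot: The `dsa-ftp-conntrack-server` rule in the raw PREROUTING chain attaches the ftp helper to every inbound connection to port 21 from any source, and the helper then parses the control-channel payload and opens RELATED pinholes for the data channel, which is exactly the exposure that led the kernel to stop auto-assigning helpers; the match should be narrowed to the FTP service address (e.g. `rule => 'proto tcp daddr <FTP_SERVER_ADDR> dport 21 CT helper ftp'`, placeholder for the real address) or the resource realized only on hosts that actually run an FTP server. Both resources are declared virtual with the `@` prefix, so nothing in this file takes effect until they are realized elsewhere; a comment such as `# Virtual: realize 'dsa-ftp-conntrack-client' on FTP clients and 'dsa-ftp-conntrack-server' on FTP servers only` above the first rule would make that explicit. The helper only marks the control connection; the RELATED data-channel accept rule is presumably in another manifest and is not visible here, so it is worth confirming it still exists after the `ferm::module` line is dropped.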