Switch FTP conntrack to explicit CT target

From Linux 4.7, automatic conntrack helper assignment has been disabled.
An explicit CT target should be used instead, which also automatically
loads the corresponding conntrack module.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp
index ea502e2..868110b 100644 (file)
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
@@ -1,3 +1,20 @@
 class ferm::ftp_conntrack {
-       ferm::module { 'nf_conntrack_ftp': }
+
+       # Allow non-passive connections to an FTP server
+       @ferm::rule { 'dsa-ftp-conntrack-client':
+               domain      => '(ip ip6)',
+               description => 'ftp client connection tracking',
+               table       => 'raw',
+               chain       => 'OUTPUT',
+               rule        => 'proto tcp dport 21 CT helper ftp'
+       }
+
+       # Allow passive connections from an FTP client
+       @ferm::rule { 'dsa-ftp-conntrack-server':
+               domain      => '(ip ip6)',
+               description => 'ftp server connection tracking',
+               table       => 'raw',
+               chain       => 'PREROUTING',
+               rule        => 'proto tcp dport 21 CT helper ftp'
+       }
 }