Merge pull request #89 from arnova/conntrack_legacy_fix

fixed: Newer kernels no longer provide sysctl net.netfilter.nf_conntr…
arno-iptables-firewall · Feb 28, 2023 · a4569b7 · a4569b7
2 parents b98f690 + c00176d
commit a4569b7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,6 @@
-Version 2.1.1a-DEVEL (March 29, 2021)
--------------------------------------
+Version 2.1.1a (February 28, 2023)
+----------------------------------
+! Newer kernels no longer provide sysctl net.netfilter.nf_conntrack_helper. Workaround by performing kernel version check
 * Move start script handling from configure script to install script
 + Missing LAN_LAN_OPEN_ICMP setting
 

diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-MY_VERSION="2.1.1a-DEVEL"
+MY_VERSION="2.1.1a"
 
 # Location of the main configuration file for the firewall
 ##########################################################
@@ -12,7 +12,7 @@ CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf
 #
 #                           ~ In memory of my dear father ~
 #
-# (C) Copyright 2001-2021 by Arno van Amersfoort & Lonnie Abelbeck
+# (C) Copyright 2001-2023 by Arno van Amersfoort & Lonnie Abelbeck
 # Homepage              : https://rocky.eld.leidenuniv.nl/
 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
 #                         (note: you must remove all spaces and substitute the @ and the .
@@ -442,7 +442,7 @@ setup_kernel_settings()
   #############################################################
   if sysctl_key_match net.netfilter.nf_conntrack_helper; then
     sysctl -w net.netfilter.nf_conntrack_helper=0
-  else
+  elif ! kernel_ver_chk 6 0 0; then
     echo " Conntrack legacy automatic helper assignment is ENABLED"
     # Fallback to an older conntrack match method
     NF_CONNTRACK_STATE="-m state --state"
@@ -800,7 +800,7 @@ init_firewall_chains()
 
   # Apply conntrack helper chain, fallback to RELATED connections
   ###############################################################
-  if [ "$(sysctl_get_value net.netfilter.nf_conntrack_helper)" = "0" ]; then
+  if kernel_ver_chk 6 0 0 || [ "$(sysctl_get_value net.netfilter.nf_conntrack_helper)" = "0" ]; then
     iptables -N CONNTRACK_HELPER
     iptables -A BASE_INPUT_CHAIN -j CONNTRACK_HELPER
     iptables -A BASE_FORWARD_CHAIN -j CONNTRACK_HELPER