From 6b2a9d34bf6ede7294b30fe2863466ad43a0f451 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Thu, 5 Sep 2024 11:31:52 -0700
Subject: [PATCH] Use correct state flag during initial rule setup https://github.com/webmin/webmin/issues/2264
---
 firewall/setup.cgi | 10 ++++++----
 firewall/setup6.cgi | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/firewall/setup.cgi b/firewall/setup.cgi
index 5fdce19c8..f714420b8 100755
--- a/firewall/setup.cgi
+++ b/firewall/setup.cgi
@@ -83,6 +83,8 @@ if ($in{'auto'}) {
 'rules' => [ ],
 'defaults' => { } };
 $table->{'defaults'}->{'INPUT'} = 'DROP';
+ my $sd = &supports_conntrack() ? "ctstate" : "state";
+ my $sm = $sd eq "state" ? "state" : "conntrack";
 push(@{$table->{'rules'}},
 { 'chain' => 'INPUT',
 'i' => [ "!", $iface ],
@@ -95,13 +97,13 @@ if ($in{'auto'}) {
 'j' => [ "", 'ACCEPT' ],
 'cmt' => 'Accept traffic with the ACK flag set' },
 { 'chain' => 'INPUT',
- 'm' => [ [ "", "state" ] ],
- 'state' => [ "", "ESTABLISHED" ],
+ 'm' => [ [ "", $sm ] ],
+ $sd => [ "", "ESTABLISHED" ],
 'j' => [ "", 'ACCEPT' ],
 'cmt' => 'Allow incoming data that is part of a connection we established' },
 { 'chain' => 'INPUT',
- 'm' => [ [ "", "state" ] ],
- 'state' => [ "", "RELATED" ],
+ 'm' => [ [ "", $sm ] ],
+ $sd => [ "", "RELATED" ],
 'j' => [ "", 'ACCEPT' ],
 'cmt' => 'Allow data that is related to existing connections' },
 { 'chain' => 'INPUT',
diff --git a/firewall/setup6.cgi b/firewall/setup6.cgi
index dcd67362b..df330f85d 100755
--- a/firewall/setup6.cgi
+++ b/firewall/setup6.cgi
@@ -78,6 +78,8 @@ if ($in{'auto'}) {
 'rules' => [ ],
 'defaults' => { } };
 $table->{'defaults'}->{'INPUT'} = 'DROP';
+ my $sd = &supports_conntrack() ? "ctstate" : "state";
+ my $sm = $sd eq "state" ? "state" : "conntrack";
 push(@{$table->{'rules'}},
 { 'chain' => 'INPUT',
 'i' => [ "!", $iface ],
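Review bot: The two added declarations `$sd` and `$sm` in the first hunk of firewall/setup.cgi have no comment, and `$sm` is derived by string-comparing `$sd`, which obscures that both values come from the single `supports_conntrack()` probe and must be chosen as a pair. A one-step form says this directly: `my ($sm, $sd) = &supports_conntrack() ? ("conntrack", "ctstate") : ("state", "state");`, preceded by a comment such as `# Match module ($sm) and its option key ($sd) for connection-state rules; always picked together`. The identical two lines are added in firewall/setup6.cgi, so the same applies there, and a shared helper would keep the two scripts from drifting. The enclosing `if ($in{'auto'})` block starts and ends outside the hunk.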
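Review bot: The rule that closes at the top of the second setup.cgi hunk, commented 'Accept traffic with the ACK flag set', sits ahead of the two connection-state rules and, going by its comment, accepts on a TCP flag alone rather than on tracked state; its match fields are above the hunk, so this is inferred. With the ESTABLISHED and RELATED rules now using whichever of `state`/`conntrack` the host supports, that stateless accept looks redundant under the `DROP` default set in the previous hunk, and it would let through ACK-flagged segments that belong to no tracked connection. Consider dropping it from the automatic ruleset, or at least extending its `cmt` to record why it is kept alongside the state rules. The same context appears in the second hunk of firewall/setup6.cgi.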
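Review bot: `supports_conntrack()` is called in firewall/setup6.cgi exactly as in setup.cgi, and its definition is not part of this patch, so it is not visible whether the probe checks the IPv6 tool or only the IPv4 one. If the two can differ on a host, the IPv6 ruleset could be written with a match module the IPv6 side does not accept, and a ruleset that fails to load would leave the intended `DROP` policy unapplied or incomplete. It is worth confirming that the helper is address-family aware and adding a short comment above `my $sd` recording which binary it tests. The enclosing `if ($in{'auto'})` block continues outside the hunk.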
@@ -90,13 +92,13 @@ if ($in{'auto'}) {
 'j' => [ "", 'ACCEPT' ],
 'cmt' => 'Accept traffic with the ACK flag set' },
 { 'chain' => 'INPUT',
- 'm' => [ [ "", "state" ] ],
- 'state' => [ "", "ESTABLISHED" ],
+ 'm' => [ [ "", $sm ] ],
+ $sd => [ "", "ESTABLISHED" ],
 'j' => [ "", 'ACCEPT' ],
 'cmt' => 'Allow incoming data that is part of a connection we established' },
 { 'chain' => 'INPUT',
- 'm' => [ [ "", "state" ] ],
- 'state' => [ "", "RELATED" ],
+ 'm' => [ [ "", $sm ] ],
+ $sd => [ "", "RELATED" ],
 'j' => [ "", 'ACCEPT' ],
 'cmt' => 'Allow data that is related to existing connections' },
 { 'chain' => 'INPUT',