Add support for the conntrack module on 3.x kernels https://github.com/webmin/webmin/issues/434

firewall/edit_rule.cgi

@@ -306,13 +306,15 @@ if ($rule->{'chain'} eq 'OUTPUT') {
 print &ui_table_hr();
 
 # Connection states
+my $sd = &supports_conntrack() ? "ctstate" : "state";
 print &ui_table_row($text{'edit_state'},
 	"<table cellpadding=0 cellspacing=0><tr><td valign=top>".
-	&print_mode("state", $rule->{'state'})."</td>\n".
+	&print_mode($sd, $rule->{$sd})."</td>\n".
 	"<td>&nbsp;".
-	&ui_select("state", [ split(/,/, $rule->{'state'}->[1]) ],
+	&ui_select($sd, [ split(/,/, $rule->{$sd}->[1]) ],
 	   [ map { [ $_, $text{"edit_state_".lc($_)} ] }
-		 ('NEW', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED') ], 5, 1).
+		 ('NEW', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED',
+		  $sd eq "state" ? ( ) : ('SNAT', 'DNAT')) ], 5, 1).
 	"</td></tr></table>");
 
 # Type of service
@@ -346,7 +348,7 @@ print &ui_table_row($text{'edit_physdevisbridged'},
 print &ui_table_hr();
 
 # Show unknown modules
-@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}};
+@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|conntrack|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}};
 print &ui_table_row($text{'edit_mods'},
 	&ui_textbox("mods", join(" ", @mods), 60));
 

firewall/firewall-lib.pl

@@ -244,7 +244,7 @@ foreach $d ('p', 's', 'd', 'i', 'o', 'f', 'dport',
 	    'sport', 'tcp-flags', 'tcp-option',
 	    'icmp-type', 'icmpv6-type', 'mac-source', 'limit', 'limit-burst',
 	    'ports', 'uid-owner', 'gid-owner',
-	    'pid-owner', 'sid-owner', 'state', 'tos',
+	    'pid-owner', 'sid-owner', 'state', 'ctstate', 'tos',
 	    'dports', 'sports', 'physdev-in', 'physdev-out', 'args') {
 	if ($_[0]->{$d}) {
 
@@ -554,5 +554,14 @@ $out =~ s/Try\s.*more\s+information.*//;
 return $out;
 }
 
+sub supports_conntrack
+{
+if (!defined($supports_conntrack_cache)) {
+	my $out = &backquote_command("uname -r 2>/dev/null");
+	$supports_conntrack_cache = $out =~ /^[3-9]\./ ? 1 : 0;
+	}
+return $supports_conntrack_cache;
+}
+
 1;
 

firewall/lang/en

@@ -134,6 +134,8 @@ desc_sid-owner=session group of sender is $1
 desc_sid-owner!=session group of sender is not $1
 desc_state=state of connection is $1
 desc_state!=state of connection is not $1
+desc_ctstate=state of connection is $1
+desc_ctstate!=state of connection is not $1
 desc_tos=type of service field is $1
 desc_tos!=type of service field is not $1
 desc_physdev-in=input physical interface is $1
@@ -199,6 +201,8 @@ edit_state_established=Existing connection
 edit_state_related=Related to existing
 edit_state_invalid=Not part of any connection
 edit_state_untracked=Not tracked
+edit_state_snat=Source NATd
+edit_state_dnat=Destination NATd
 edit_tos=Type of service
 edit_rtoports=Target ports for redirect
 edit_prange=Port range $1 to $2

firewall/save_rule.cgi

@@ -320,11 +320,12 @@ else {
 		}
 
 	# Save connection states and TOS
-	if (&parse_mode("state", $rule, "state")) {
-		@states = split(/\0/, $in{'state'});
+	my $sd = &supports_conntrack() ? "ctstate" : "state";
+	if (&parse_mode($sd, $rule, $sd)) {
+		@states = split(/\0/, $in{$sd});
 		@states || &error($text{'save_estates'});
-		$rule->{'state'}->[1] = join(",", @states);
-		push(@mods, "state");
+		$rule->{$sd}->[1] = join(",", @states);
+		push(@mods, $sd eq "state" ? "state" : "conntrack");
 		}
 	if (&parse_mode("tos", $rule, "tos")) {
 		$rule->{'tos'}->[1] = $in{'tos'};

firewall/save_rule6.cgi

@@ -318,11 +318,12 @@ else {
 		}
 
 	# Save connection states and TOS
-	if (&parse_mode("state", $rule, "state")) {
-		@states = split(/\0/, $in{'state'});
+	my $sd = &supports_conntrack() ? "ctstate" : "state";
+	if (&parse_mode($sd, $rule, $sd)) {
+		@states = split(/\0/, $in{$sd});
 		@states || &error($text{'save_estates'});
-		$rule->{'state'}->[1] = join(",", @states);
-		push(@mods, "state");
+		$rule->{$sd}->[1] = join(",", @states);
+		push(@mods, $sd eq "state" ? "state" : "conntrack");
 		}
 	if (&parse_mode("tos", $rule, "tos")) {
 		$rule->{'tos'}->[1] = $in{'tos'};