From 6ce3b103270c19cfecf6607b91ea1ecc298faa3c Mon Sep 17 00:00:00 2001 From: Jamie Cameron Date: Sat, 2 Jun 2018 12:33:07 -0700 Subject: [PATCH] Add support for the conntrack module on 3.x kernels https://github.com/webmin/webmin/issues/434 --- firewall/edit_rule.cgi | 10 ++++++---- firewall/firewall-lib.pl | 11 ++++++++++- firewall/lang/en | 4 ++++ firewall/save_rule.cgi | 9 +++++---- firewall/save_rule6.cgi | 9 +++++---- 5 files changed, 30 insertions(+), 13 deletions(-) diff --git a/firewall/edit_rule.cgi b/firewall/edit_rule.cgi index a9aadb56d..44f35a626 100755 --- a/firewall/edit_rule.cgi +++ b/firewall/edit_rule.cgi @@ -306,13 +306,15 @@ if ($rule->{'chain'} eq 'OUTPUT') { print &ui_table_hr(); # Connection states +my $sd = &supports_conntrack() ? "ctstate" : "state"; print &ui_table_row($text{'edit_state'}, "\n". + &print_mode($sd, $rule->{$sd})."\n". "
". - &print_mode("state", $rule->{'state'})." ". - &ui_select("state", [ split(/,/, $rule->{'state'}->[1]) ], + &ui_select($sd, [ split(/,/, $rule->{$sd}->[1]) ], [ map { [ $_, $text{"edit_state_".lc($_)} ] } - ('NEW', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED') ], 5, 1). + ('NEW', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED', + $sd eq "state" ? ( ) : ('SNAT', 'DNAT')) ], 5, 1). "
"); # Type of service @@ -346,7 +348,7 @@ print &ui_table_row($text{'edit_physdevisbridged'}, print &ui_table_hr(); # Show unknown modules -@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}}; +@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|conntrack|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}}; print &ui_table_row($text{'edit_mods'}, &ui_textbox("mods", join(" ", @mods), 60)); diff --git a/firewall/firewall-lib.pl b/firewall/firewall-lib.pl index 747649a13..0861d642d 100755 --- a/firewall/firewall-lib.pl +++ b/firewall/firewall-lib.pl @@ -244,7 +244,7 @@ foreach $d ('p', 's', 'd', 'i', 'o', 'f', 'dport', 'sport', 'tcp-flags', 'tcp-option', 'icmp-type', 'icmpv6-type', 'mac-source', 'limit', 'limit-burst', 'ports', 'uid-owner', 'gid-owner', - 'pid-owner', 'sid-owner', 'state', 'tos', + 'pid-owner', 'sid-owner', 'state', 'ctstate', 'tos', 'dports', 'sports', 'physdev-in', 'physdev-out', 'args') { if ($_[0]->{$d}) { @@ -554,5 +554,14 @@ $out =~ s/Try\s.*more\s+information.*//; return $out; } +sub supports_conntrack +{ +if (!defined($supports_conntrack_cache)) { + my $out = &backquote_command("uname -r 2>/dev/null"); + $supports_conntrack_cache = $out =~ /^[3-9]\./ ? 1 : 0; + } +return $supports_conntrack_cache; +} + 1; diff --git a/firewall/lang/en b/firewall/lang/en index 55cfcb2f5..d7a445080 100644 --- a/firewall/lang/en +++ b/firewall/lang/en @@ -134,6 +134,8 @@ desc_sid-owner=session group of sender is $1 desc_sid-owner!=session group of sender is not $1 desc_state=state of connection is $1 desc_state!=state of connection is not $1 +desc_ctstate=state of connection is $1 +desc_ctstate!=state of connection is not $1 desc_tos=type of service field is $1 desc_tos!=type of service field is not $1 desc_physdev-in=input physical interface is $1 
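Review bot: A rule that was created with `-m state --state …` and is then edited on a kernel where supports_conntrack() returns true is rendered with `$sd = "ctstate"`, so `$rule->{'ctstate'}` is undefined, the form shows no selected states, and the save side (which looks up only `$in{$sd}`) would store the rule without its state restriction — an ACCEPT limited to ESTABLISHED,RELATED would silently become unconditional. Prefer the option the rule already uses, `my $sd = $rule->{'state'} ? "state" : (&supports_conntrack() ? "ctstate" : "state");`, and carry that choice to save_rule.cgi (for example in a hidden field), since it currently derives `$sd` from the kernel check alone. The split on `$rule->{$sd}->[1]` also warns when the key is absent; `split(/,/, $rule->{$sd}->[1] || "")` avoids that. Whether save_rule.cgi starts from an empty `$rule` or the existing one is not visible here, so the loss of the restriction needs confirming against its earlier lines.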
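Review bot: The version test `$out =~ /^[3-9]\./` in supports_conntrack() only recognises single-digit major versions, so any 10.x or later kernel would fall back to the legacy `state` match, and it also excludes 2.6.x kernels that do ship the conntrack match. Compare the major number numerically instead: `my ($major) = $out =~ /^(\d+)\./;` followed by `$supports_conntrack_cache = (defined($major) && $major >= 3) ? 1 : 0;`. The kernel version is only a proxy for the match being usable by the installed iptables binary; probing it directly (for example the exit status of `iptables -m conntrack --help`) would be more robust, though that depends on helpers not shown here. A one-line comment above the sub stating why 3.x is the cut-off, e.g. `# Prefer -m conntrack --ctstate on 3.x+ kernels; older ones only have -m state`, would help the next reader.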
@@ -199,6 +201,8 @@ edit_state_established=Existing connection edit_state_related=Related to existing edit_state_invalid=Not part of any connection edit_state_untracked=Not tracked +edit_state_snat=Source NATd +edit_state_dnat=Destination NATd edit_tos=Type of service edit_rtoports=Target ports for redirect edit_prange=Port range $1 to $2 diff --git a/firewall/save_rule.cgi b/firewall/save_rule.cgi index a51fb94ed..79b3ae948 100755 --- a/firewall/save_rule.cgi +++ b/firewall/save_rule.cgi @@ -320,11 +320,12 @@ else { } # Save connection states and TOS - if (&parse_mode("state", $rule, "state")) { - @states = split(/\0/, $in{'state'}); + my $sd = &supports_conntrack() ? "ctstate" : "state"; + if (&parse_mode($sd, $rule, $sd)) { + @states = split(/\0/, $in{$sd}); @states || &error($text{'save_estates'}); - $rule->{'state'}->[1] = join(",", @states); - push(@mods, "state"); + $rule->{$sd}->[1] = join(",", @states); + push(@mods, $sd eq "state" ? "state" : "conntrack"); } if (&parse_mode("tos", $rule, "tos")) { $rule->{'tos'}->[1] = $in{'tos'}; diff --git a/firewall/save_rule6.cgi b/firewall/save_rule6.cgi index 6b85faf66..deb42677c 100755 --- a/firewall/save_rule6.cgi +++ b/firewall/save_rule6.cgi @@ -318,11 +318,12 @@ else { } # Save connection states and TOS - if (&parse_mode("state", $rule, "state")) { - @states = split(/\0/, $in{'state'}); + my $sd = &supports_conntrack() ? "ctstate" : "state"; + if (&parse_mode($sd, $rule, $sd)) { + @states = split(/\0/, $in{$sd}); @states || &error($text{'save_estates'}); - $rule->{'state'}->[1] = join(",", @states); - push(@mods, "state"); + $rule->{$sd}->[1] = join(",", @states); + push(@mods, $sd eq "state" ? "state" : "conntrack"); } if (&parse_mode("tos", $rule, "tos")) { $rule->{'tos'}->[1] = $in{'tos'};
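Review bot: The values collected into `@states` from `$in{$sd}` are taken from the request as-is and joined straight into `$rule->{$sd}->[1]`, which becomes the argument of `--state`/`--ctstate` when the rule is written out; nothing restricts them to the names offered by the select. Validate each one before the join, e.g. `foreach my $s (@states) { $s =~ /^(NEW|ESTABLISHED|RELATED|INVALID|UNTRACKED|SNAT|DNAT)$/ || &error($text{'save_estates'}); }`, so a crafted form submission cannot place arbitrary text into the iptables rule. How the saved rule is later rendered into a command is not visible in this hunk, so whether that text could reach a shell is something to confirm in the rule-writing code. The enclosing `else` block starts outside the hunk.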
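Review bot: The `$sd` derivation and the `$sd eq "state" ? "state" : "conntrack"` module mapping now appear verbatim in save_rule.cgi, save_rule6.cgi and edit_rule.cgi, so any change to the detection or to the option names has to be repeated in three places. Move them next to supports_conntrack() in firewall-lib.pl, e.g. `sub state_match_option { return &supports_conntrack() ? "ctstate" : "state"; }` with a matching `sub state_match_module`, and call those here instead. Note also that the IPv6 path relies on the same `uname -r` check as IPv4; nothing in this change verifies that the host's ip6tables actually has the conntrack match, so a failed rule load on older userland is worth testing. The enclosing `else` block starts outside the hunk.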