Move adjustment of the protocol in process_conntrack_rule()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 23:53:30 +01:00 · 2017-12-29 13:51:33 -08:00 · 2017-12-29 13:51:33 -08:00 · 46f68c6dcb
commit 46f68c6dcb
parent b42678269c
1 changed files with 6 additions and 2 deletions
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    my $disposition = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+
    my $level = '';

    if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@ -138,6 +138,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';

+	$proto = TCP . ':syn' if $proto !~ /:syn$/ && resolve_proto( $proto ) == TCP;
+
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@ -199,7 +201,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 $rule,
+		 do_proto( $proto, $ports, $sports ) . 
+		 do_user ( $user ) . 
+		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,