From: Michael Tremer
Date: Tue, 16 Jun 2020 15:40:44 +0000 (+0000)
Subject: firewall: Always enable connection tracking for GRE
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5a0c8a530aba6b234bf941c1fe927475524c894;p=people%2Fms%2Fipfire-2.x.git
firewall: Always enable connection tracking for GRE
If this module is not being loaded, the kernel will mark any GRE connection as INVALID in connection tracking, which will be then silently dropped by a firewall rule.
Signed-off-by: Michael Tremer
---
diff --git a/config/rootfiles/core/147/filelists/files b/config/rootfiles/core/147/filelists/files
index ce4e517681..ec47d36d35 100644
--- a/config/rootfiles/core/147/filelists/files
+++ b/config/rootfiles/core/147/filelists/files
@@ -2,3 +2,4 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
 var/ipfire/langs
+etc/rc.d/init.d/firewall
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 00512d9fa6..b0890c7173 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -96,6 +96,9 @@ iptables_init() {
 # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
+ # GRE (always enabled)
+ modprobe nf_conntrack_proto_gre
+ # SIP
 if [ "${CONNTRACK_SIP}" = "on" ]; then
 modprobe nf_nat_sip
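Review bot: The added `# GRE (always enabled)` comment in the src/initscripts/system/firewall hunk does not say why this module is loaded unconditionally while the SIP helper below it is gated on a setting; the reason is only in the commit message. I would write `# GRE: without this tracker, conntrack marks GRE packets INVALID and they are silently dropped` above the modprobe. The module name suggests a protocol tracker rather than an application helper, so it sits oddly under the "Conntrack helpers" heading, and the linked helper guidance may not apply to it. The modprobe result is also unchecked, so a failed load would presumably bring back the silent drops with nothing logged; whether iptables_init has a logging convention for this is not visible here, as its body continues outside the hunk.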