From 8e7c5e65ad3ad6ab9005b0018b9dfaa4532183b4 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 20 Apr 2016 16:04:24 +0100
Subject: [PATCH] firewall: Fix connection tracking for PPTP

GRE connections were not correctly forwarded without the helper
being enabled. Choosing the wrong protocol here did not allow
us to load it properly.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/optionsfw.cgi      | 5 +++++
 src/initscripts/init.d/firewall | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 7a0e8e0c4e..3e90f2b003 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -129,6 +129,9 @@ $checked{'CONNTRACK_H323'}{$settings{'CONNTRACK_H323'}} = "checked='checked'";
 $checked{'CONNTRACK_IRC'}{'off'} = '';
 $checked{'CONNTRACK_IRC'}{'on'} = '';
 $checked{'CONNTRACK_IRC'}{$settings{'CONNTRACK_IRC'}} = "checked='checked'";
+$checked{'CONNTRACK_PPTP'}{'off'} = '';
+$checked{'CONNTRACK_PPTP'}{'on'} = '';
+$checked{'CONNTRACK_PPTP'}{$settings{'CONNTRACK_PPTP'}} = "checked='checked'";
 $checked{'CONNTRACK_SIP'}{'off'} = '';
 $checked{'CONNTRACK_SIP'}{'on'} = '';
 $checked{'CONNTRACK_SIP'}{$settings{'CONNTRACK_SIP'}} = "checked='checked'";
@@ -248,6 +251,8 @@ END
 																						<input type='radio' name='CONNTRACK_H323' value='off' $checked{'CONNTRACK_H323'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>IRC</td><td align='left'>on <input type='radio' name='CONNTRACK_IRC' value='on' $checked{'CONNTRACK_IRC'}{'on'} />/
 																						<input type='radio' name='CONNTRACK_IRC' value='off' $checked{'CONNTRACK_IRC'}{'off'} /> off</td></tr>
+<tr><td align='left' width='60%'>PPTP</td><td align='left'>on <input type='radio' name='CONNTRACK_PPTP' value='on' $checked{'CONNTRACK_PPTP'}{'on'} />/
+																						<input type='radio' name='CONNTRACK_PPTP' value='off' $checked{'CONNTRACK_PPTP'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>SIP</td><td align='left'>on <input type='radio' name='CONNTRACK_SIP' value='on' $checked{'CONNTRACK_SIP'}{'on'} />/
 																						<input type='radio' name='CONNTRACK_SIP' value='off' $checked{'CONNTRACK_SIP'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>TFTP</td><td align='left'>on <input type='radio' name='CONNTRACK_TFTP' value='on' $checked{'CONNTRACK_TFTP'}{'on'} />/
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index cb52670d6a..1d6309c1b0 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -128,7 +128,7 @@ iptables_init() {
 	if [ "${CONNTRACK_PPTP}" = "on" ]; then
 		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
 			-m helper --helper pptp -j ACCEPT
-		iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp
+		iptables -t raw -A CONNTRACK -p tcp --dport 1723 -j CT --helper pptp
 	fi
 
 	# TFTP
-- 
2.39.5