From a5a0c8a530aba6b234bf941c1fe927475524c894 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 16 Jun 2020 15:40:44 +0000
Subject: [PATCH] firewall: Always enable connection tracking for GRE

If this module is not being loaded, the kernel will mark any GRE connection as INVALID in connection tracking, which will be then silently dropped by a firewall rule.

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/147/filelists/files | 1 +
 src/initscripts/system/firewall | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/config/rootfiles/core/147/filelists/files b/config/rootfiles/core/147/filelists/files
index ce4e517681..ec47d36d35 100644
--- a/config/rootfiles/core/147/filelists/files
+++ b/config/rootfiles/core/147/filelists/files
@@ -2,3 +2,4 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
 var/ipfire/langs
+etc/rc.d/init.d/firewall
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 00512d9fa6..b0890c7173 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -96,6 +96,9 @@ iptables_init() {
 # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
+ # GRE (always enabled)
+ modprobe nf_conntrack_proto_gre
+
 # SIP
 if [ "${CONNTRACK_SIP}" = "on" ]; then
 modprobe nf_nat_sip
--
2.39.5
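Review bot: The new `modprobe nf_conntrack_proto_gre` in the second hunk ignores its exit status, so if the module cannot be loaded the firewall comes up without it and GRE flows are again classified INVALID and dropped silently, which is the failure the commit message describes. Consider recording the failure, for example `modprobe nf_conntrack_proto_gre || logger -t firewall "nf_conntrack_proto_gre not loaded; GRE will be treated as INVALID"`, using whatever logging the script already has (not visible in this hunk). The block also sits under the "Conntrack helpers" heading, where the entry shown after it is gated on a `CONNTRACK_*` setting in line with the linked secure-use-of-helpers guidance. A comment such as `# GRE is a protocol tracker, not an application-layer helper, so it is loaded regardless of the CONNTRACK_* settings` would keep a later reader from "fixing" the unconditional load or copying the pattern for a real helper. It may also be worth confirming that this module still exists as a separate object on every kernel the script targets. `iptables_init()` begins and ends outside the hunk.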