firewall: Always enable connection tracking for GRE

If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
be then silently dropped by a firewall rule.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/rootfiles/core/147/filelists/files b/config/rootfiles/core/147/filelists/files
index ce4e5176819cd602789659e1ec55e95db3d971f4..ec47d36d35bf591e8998a4c42e28959b769ce58d 100644 (file)
--- a/config/rootfiles/core/147/filelists/files
+++ b/config/rootfiles/core/147/filelists/files
@@ -2,3 +2,4 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
 var/ipfire/langs
+etc/rc.d/init.d/firewall

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 00512d9fa6015c1804543500f331d75c44fdfc90..b0890c71731b8c90747227b6cacc540c5485289e 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -96,6 +96,9 @@ iptables_init() {
 
        # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
 
+       # GRE (always enabled)
+       modprobe nf_conntrack_proto_gre
+
        # SIP
        if [ "${CONNTRACK_SIP}" = "on" ]; then
                modprobe nf_nat_sip