bayrepo/hestiacp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added nftables fix

Browse Source
This commit is contained in:
Alexey Berezhok
2024-07-04 23:01:04 +03:00
parent 719c7d9d67
commit 7444ae626d
4 changed files with 37 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
bin/v-list-sys-services
View File

@@ -328,8 +328,15 @@ fi
# Checking FIREWALL system # Checking FIREWALL system
if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != 'remote' ]; then if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != 'remote' ]; then
state="stopped" state="stopped"
if $(iptables -S INPUT | grep -qx '\-P INPUT DROP'); then if [ -f /etc/redhat-release ]; then
state="running" RES=$(systemctl is-active nftables | grep -E "^active")
if [ -n "$RES" ]; then
state="running"
fi
else
if $(iptables -S INPUT | grep -qx '\-P INPUT DROP'); then
state="running"
fi
fi fi
data="$data\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'" data="$data\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
data="$data STATE='$state' CPU='0' MEM='0' RTIME='0'" data="$data STATE='$state' CPU='0' MEM='0' RTIME='0'"

10
bin/v-start-service
View File

@@ -42,6 +42,16 @@ fi
for service in $service_list; do for service in $service_list; do
if [ "$service" = "iptables" ]; then if [ "$service" = "iptables" ]; then
if [ -f /etc/redhat-release ]; then
RES=$(systemctl is-enabled nftables | grep enabled)
if [ -z "$RES" ]; then
systemctl enable nftables --now
fi
systemctl status nftables
if [ $? -ne 0 ]; then
systemctl start nftables
fi
fi
$BIN/v-update-firewall $BIN/v-update-firewall
else else
systemctl start "$service" systemctl start "$service"

24
bin/v-update-firewall
View File

@@ -46,18 +46,26 @@ if [ ! -e "$rules" ]; then
exit exit
fi fi
# Checking conntrack module avaiabilty if [ -f /etc/redhat-release ]; then
$modprobe nf_conntrack > /dev/null 2>&1 conntrack='yes'
if [ $? -ne 0 ]; then else
$sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1 # Checking conntrack module avaiabilty
$modprobe nf_conntrack > /dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
conntrack='no' $sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1
if [ $? -ne 0 ]; then
conntrack='no'
fi
fi fi
fi fi
$modprobe nf_conntrack_ftp > /dev/null 2>&1 if [ -f /etc/redhat-release ]; then
if [ $? -ne 0 ]; then conntrack_ftp='yes'
conntrack_ftp='no' else
$modprobe nf_conntrack_ftp > /dev/null 2>&1
if [ $? -ne 0 ]; then
conntrack_ftp='no'
fi
fi fi
# Checking custom OpenSSH port # Checking custom OpenSSH port

6
install/hst-install-rhel.sh
View File

@@ -901,12 +901,10 @@ fi
if [ "$iptables" = 'yes' ]; then if [ "$iptables" = 'yes' ]; then
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
# Revert from nftables to iptables only first time dnf install iptables-nft -y
systemctl stop firewalld systemctl stop firewalld
systemctl disable firewalld systemctl disable firewalld
dnf erase nftables -y systemctl enable nftables --now
dnf install iptables-legacy iptables-legacy-libs iptables-services iptables-utils ipset -y
systemctl enable iptables --now
fi fi
fi fi