Added nftables fix

9 months ago · 7444ae626d
parent 719c7d9d67
commit 7444ae626d
4 changed files with 37 additions and 14 deletions
--- a/bin/v-list-sys-services
+++ b/bin/v-list-sys-services
@ -328,8 +328,15 @@ fi
 # Checking FIREWALL system
 if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != 'remote' ]; then
 	state="stopped"
-	if $(iptables -S INPUT | grep -qx '\-P INPUT DROP'); then
-		state="running"
+	if [ -f /etc/redhat-release ]; then
+		RES=$(systemctl is-active nftables | grep -E "^active")
+		if [ -n "$RES" ]; then
+			state="running"
+		fi
+	else
+		if $(iptables -S INPUT | grep -qx '\-P INPUT DROP'); then
+			state="running"
+		fi
 	fi
 	data="$data\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
 	data="$data STATE='$state' CPU='0' MEM='0' RTIME='0'"
--- a/bin/v-start-service
+++ b/bin/v-start-service
@ -42,6 +42,16 @@ fi

 for service in $service_list; do
 	if [ "$service" = "iptables" ]; then
+		if [ -f /etc/redhat-release ]; then
+			RES=$(systemctl is-enabled nftables | grep enabled)
+			if [ -z "$RES" ]; then
+				systemctl enable nftables --now
+			fi
+			systemctl status nftables
+			if [ $? -ne 0 ]; then
+				systemctl start nftables
+			fi
+		fi
 		$BIN/v-update-firewall
 	else
 		systemctl start "$service"
--- a/bin/v-update-firewall
+++ b/bin/v-update-firewall
@ -46,18 +46,26 @@ if [ ! -e "$rules" ]; then
 	exit
 fi

-# Checking conntrack module avaiabilty
-$modprobe nf_conntrack > /dev/null 2>&1
-if [ $? -ne 0 ]; then
-	$sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1
+if [ -f /etc/redhat-release ]; then
+	conntrack='yes'
+else
+	# Checking conntrack module avaiabilty
+	$modprobe nf_conntrack > /dev/null 2>&1
 	if [ $? -ne 0 ]; then
-		conntrack='no'
+		$sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			conntrack='no'
+		fi
 	fi
 fi

-$modprobe nf_conntrack_ftp > /dev/null 2>&1
-if [ $? -ne 0 ]; then
-	conntrack_ftp='no'
+if [ -f /etc/redhat-release ]; then
+	conntrack_ftp='yes'
+else
+	$modprobe nf_conntrack_ftp > /dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		conntrack_ftp='no'
+	fi
 fi

 # Checking custom OpenSSH  port
--- a/install/hst-install-rhel.sh
+++ b/install/hst-install-rhel.sh
@ -901,12 +901,10 @@ fi

 if [ "$iptables" = 'yes' ]; then
 	if [ -f /etc/redhat-release ]; then
-		# Revert from nftables to iptables only first time
+		dnf install iptables-nft -y
 		systemctl stop firewalld
 		systemctl disable firewalld
-		dnf erase nftables -y
-		dnf install iptables-legacy iptables-legacy-libs iptables-services iptables-utils ipset -y
-		systemctl enable iptables --now
+		systemctl enable nftables --now
 	fi
 fi