From 7444ae626da90de7304b062d1d2cd29c1a7bca1b Mon Sep 17 00:00:00 2001
From: Alexey Berezhok
Date: Thu, 4 Jul 2024 23:01:04 +0300
Subject: [PATCH] Added nftables fix

---
 bin/v-list-sys-services | 11 +++++++++--
 bin/v-start-service | 10 ++++++++++
 bin/v-update-firewall | 24 ++++++++++++++++--------
 install/hst-install-rhel.sh | 6 ++----
 4 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/bin/v-list-sys-services b/bin/v-list-sys-services
index 330695e..2029128 100755
--- a/bin/v-list-sys-services
+++ b/bin/v-list-sys-services
@@ -328,8 +328,15 @@ fi
 # Checking FIREWALL system
 if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != 'remote' ]; then
 state="stopped"
- if $(iptables -S INPUT | grep -qx '\-P INPUT DROP'); then
- state="running"
+ if [ -f /etc/redhat-release ]; then
+ RES=$(systemctl is-active nftables | grep -E "^active")
+ if [ -n "$RES" ]; then
+ state="running"
+ fi
+ else
+ if $(iptables -S INPUT | grep -qx '\-P INPUT DROP'); then
+ state="running"
+ fi
 fi
 data="$data\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
 data="$data STATE='$state' CPU='0' MEM='0' RTIME='0'"
diff --git a/bin/v-start-service b/bin/v-start-service
index 6ef8f8a..5698f0b 100755
--- a/bin/v-start-service
+++ b/bin/v-start-service
@@ -42,6 +42,16 @@ fi
 
 for service in $service_list; do
 if [ "$service" = "iptables" ]; then
+ if [ -f /etc/redhat-release ]; then
+ RES=$(systemctl is-enabled nftables | grep enabled)
+ if [ -z "$RES" ]; then
+ systemctl enable nftables --now
+ fi
+ systemctl status nftables
+ if [ $? -ne 0 ]; then
+ systemctl start nftables
+ fi
+ fi
 $BIN/v-update-firewall
 else
 systemctl start "$service"
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
index 81605e0..ef1bef3 100755
--- a/bin/v-update-firewall
+++ b/bin/v-update-firewall
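Review bot: The RHEL branch added to v-list-sys-services reports `state="running"` whenever the nftables unit is active, whereas the check it replaces verified that the INPUT chain actually carries a DROP policy — an active unit with an empty or accept-by-default ruleset is now shown as a running firewall. Because hst-install-rhel.sh in this same commit installs iptables-nft, the existing `iptables -S INPUT | grep -qx '\-P INPUT DROP'` test would presumably still work on RHEL and could be kept for both branches; if a unit check is really wanted, `if systemctl is-active --quiet nftables; then` uses the exit status directly instead of grepping output (`^active` also matches `activating`). The retained `if $(iptables ...)` form runs the substitution's output as a command rather than testing the pipeline; `if iptables -S INPUT | grep -qx '\-P INPUT DROP'; then` is the intended test. The enclosing `if [ -n "$FIREWALL_SYSTEM" ]` block closes outside the hunk.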
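Review bot: `systemctl is-enabled nftables | grep enabled` in v-start-service also matches the output `disabled`, so RES is non-empty for a disabled unit and `systemctl enable nftables --now` is never reached. Test the exit status instead: `if ! systemctl is-enabled --quiet nftables; then systemctl enable --now nftables; fi`. The following `systemctl status nftables` prints the whole unit status to stdout of this command purely to obtain an exit code; `systemctl is-active --quiet nftables || systemctl start nftables` has the same effect without the noise. The `for service` loop closes outside the hunk.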
@@ -46,18 +46,26 @@ if [ ! -e "$rules" ]; then
 exit
 fi
 
-# Checking conntrack module avaiabilty
-$modprobe nf_conntrack > /dev/null 2>&1
-if [ $? -ne 0 ]; then
- $sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1
+if [ -f /etc/redhat-release ]; then
+ conntrack='yes'
+else
+ # Checking conntrack module avaiabilty
+ $modprobe nf_conntrack > /dev/null 2>&1
 if [ $? -ne 0 ]; then
- conntrack='no'
+ $sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ conntrack='no'
+ fi
 fi
 fi
 
-$modprobe nf_conntrack_ftp > /dev/null 2>&1
-if [ $? -ne 0 ]; then
- conntrack_ftp='no'
+if [ -f /etc/redhat-release ]; then
+ conntrack_ftp='yes'
+else
+ $modprobe nf_conntrack_ftp > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ conntrack_ftp='no'
+ fi
 fi
 
 # Checking custom OpenSSH port
diff --git a/install/hst-install-rhel.sh b/install/hst-install-rhel.sh
index cdbcfba..259971c 100755
--- a/install/hst-install-rhel.sh
+++ b/install/hst-install-rhel.sh
@@ -901,12 +901,10 @@ fi
 
 if [ "$iptables" = 'yes' ]; then
 if [ -f /etc/redhat-release ]; then
- # Revert from nftables to iptables only first time
+ dnf install iptables-nft -y
 systemctl stop firewalld
 systemctl disable firewalld
-dnf erase nftables -y
-dnf install iptables-legacy iptables-legacy-libs iptables-services iptables-utils ipset -y
-systemctl enable iptables --now
+systemctl enable nftables --now
 fi
 fi
 
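Review bot: On RHEL, v-update-firewall now sets `conntrack='yes'` and `conntrack_ftp='yes'` without probing for the modules, so `$modprobe nf_conntrack_ftp` is no longer run on those hosts and any rules emitted later under `conntrack_ftp='yes'` (outside this hunk) would assume a helper that may not be loaded. If modprobe is the problem on RHEL, the existing fallback `$sysctl net.netfilter.nf_conntrack_max > /dev/null 2>&1` could still decide `conntrack` there, and the ftp probe could be kept rather than skipped, with `conntrack_ftp='no'` on failure as on other distributions. The two `if [ -f /etc/redhat-release ]` blocks test the same condition and could be merged, and `if ! $modprobe nf_conntrack > /dev/null 2>&1; then` reads better than a separate `$?` test.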
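Review bot: In hst-install-rhel.sh the result of `dnf install iptables-nft -y` is not checked before firewalld is stopped and disabled, so a failed install leaves the host with firewalld off and `systemctl enable nftables --now` starting a unit whose ruleset has not yet been populated by v-update-firewall. Checking the install status (`dnf install iptables-nft -y || exit 1`, or the installer's usual result check) before disabling firewalld, and applying the Hestia ruleset right after enabling nftables, keeps the unfiltered interval as short as possible. The removed comment about reverting from nftables to iptables is not replaced; a line such as `# Use iptables-nft so the iptables rules written by v-update-firewall are applied through the nftables backend` would record the new approach, assuming that is the intent.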