From 2a22bc9fa5c293653170a36648b547b07a74ca90 Mon Sep 17 00:00:00 2001
From: Jordi Sanfeliu
Date: Mon, 4 Mar 2013 16:22:11 +0100
Subject: [PATCH] Fixed in 'nginx' and 'port' graph to properly use 'conntrack' instead of 'state' in the iptables rules
---
 lib/nginx.pm | 4 ++--
 lib/port.pm | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/nginx.pm b/lib/nginx.pm
index ee1a54a..4f0e987 100644
--- a/lib/nginx.pm
+++ b/lib/nginx.pm
@@ -84,8 +84,8 @@ sub nginx_init {
 if($config->{os} eq "Linux") {
 system("iptables -N monitorix_nginx_IN 2>/dev/null");
- system("iptables -I INPUT -p tcp --sport 1024:65535 --dport $nginx->{port} -m state --state NEW,ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0");
- system("iptables -I OUTPUT -p tcp --sport $nginx->{port} --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0");
+ system("iptables -I INPUT -p tcp --sport 1024:65535 --dport $nginx->{port} -m conntack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0");
+ system("iptables -I OUTPUT -p tcp --sport $nginx->{port} --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0");
 }
 if(grep {$_ eq $config->{os}} ("FreeBSD", "OpenBSD", "NetBSD")) {
 system("ipfw delete $nginx->{rule} 2>/dev/null");
diff --git a/lib/port.pm b/lib/port.pm
index ef2321d..8369f79 100644
--- a/lib/port.pm
+++ b/lib/port.pm
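Review bot: The added INPUT rule in nginx.pm spells the match module `-m conntack`, so iptables will reject the rule and it is never inserted, while the OUTPUT rule on the next line spells it correctly. Because the return value of `system()` is not checked and stderr is not redirected on these two lines, the failure only shows up as an iptables error on stderr, and the inbound counters this chain feeds presumably never increment. The line should read `system("iptables -I INPUT -p tcp --sport 1024:65535 --dport $nginx->{port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0");`. It would also be worth checking the result of each `system()` call and reporting a rejected rule through `logger()` rather than letting it pass silently. nginx_init starts and ends outside the hunk.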
@@ -110,13 +110,13 @@ sub port_init {
 my $conn = lc((split(',', $port->{desc}->{$pl[$n]}))[2]);
 if($conn =~ /in/ || $conn =~ /in\/out/) {
 system("iptables -N monitorix_IN_$n 2>/dev/null");
- system("iptables -I INPUT -p $p --sport 1024:65535 --dport $pl[$n] -m state --state NEW,ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
- system("iptables -I OUTPUT -p $p --sport $pl[$n] --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
+ system("iptables -I INPUT -p $p --sport 1024:65535 --dport $pl[$n] -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
+ system("iptables -I OUTPUT -p $p --sport $pl[$n] --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
 }
 if($conn =~ /out/ || $conn =~ /in\/out/) {
 system("iptables -N monitorix_OUT_$n 2>/dev/null");
- system("iptables -I INPUT -p $p --sport $pl[$n] --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
- system("iptables -I OUTPUT -p $p --sport 1024:65535 --dport $pl[$n] -m state --state NEW,ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
+ system("iptables -I INPUT -p $p --sport $pl[$n] --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
+ system("iptables -I OUTPUT -p $p --sport 1024:65535 --dport $pl[$n] -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
 }
 if($conn !~ /in/ && $conn !~ /out/) {
 logger("$myself: Invalid connection type '$conn'; must be 'in', 'out' or 'in/out'.");
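Review bot: The four rewritten `system()` calls in port.pm hand a single interpolated string to the shell, so `$p` and `$pl[$n]`, which appear to come from the port configuration, become part of a shell command line rather than plain arguments to iptables; the list form of `system()` avoids the shell and is the safer way to write these. The first INPUT rule would become `system('iptables', '-I', 'INPUT', '-p', $p, '--sport', '1024:65535', '--dport', $pl[$n], '-m', 'conntrack', '--ctstate', 'NEW,ESTABLISHED,RELATED', '-j', "monitorix_IN_$n", '-c', '0', '0');` and the other three follow the same pattern. This style predates the commit, which only changes the match module, but the rewrite is a natural moment to fix it. Checking the return value of each `system()` and reporting a rejected rule through `logger()`, as the invalid-connection-type branch below already does for bad input, would also stop a missing rule from going unnoticed. port_init starts and ends outside the hunk.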