Move to conntrack module

e-router

@@ -84,43 +84,43 @@ setup_whitenets() {
 
 setup_badips() {
     ipset create -! $banset hash:ip hashsize 4096 timeout $banttl
-    iptables -A INPUT -i ${wan} -m set --match-set $banset src -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -m set --match-set $banset src -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+    iptables -A INPUT -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
+    iptables -A INPUT -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 }
 
 setup_scanips() {
     ipset create -! $scanset hash:ip hashsize 4096 timeout $scanttl
-    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
+    iptables -A INPUT -i ${wan} -m set --match-set $scanset src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
 }
 
 setup_white() {
     iptables -N FW-FILTERED
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -m udp -p udp --dport $port -j ACCEPT
+        iptables -A FW-FILTERED -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $CONFD/WHITE.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-FILTERED -m tcp -p tcp --dport $port -j ACCEPT
+        iptables -A FW-FILTERED -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $CONFD/WHITE.tcp
-    iptables -A INPUT -p udp -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
-    iptables -A INPUT -p tcp --syn -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW -j FW-FILTERED
-    iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m set --match-set $whiteset src  -j ACCEPT
+    iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
+    iptables -A INPUT -i ${wan} -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
+    iptables -A INPUT -i ${wan} -p icmp --icmp-type 8 -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
 }
 
 setup_open() {
     iptables -N FW-OPEN
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-OPEN -m udp -p udp --dport $port -j ACCEPT
+        iptables -A FW-OPEN -m conntrack --ctstate NEW --ctproto UDP --dport $port -j ACCEPT
     done < $CONFD/ACCEPT.udp
     while read -r port ; do
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
-        iptables -A FW-OPEN -m tcp -p tcp --dport $port -j ACCEPT
+        iptables -A FW-OPEN -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $CONFD/ACCEPT.tcp
-    iptables -A INPUT -p udp -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
-    iptables -A INPUT -p tcp --syn -i ${wan} -m conntrack --ctstate NEW -j FW-OPEN
+    iptables -A INPUT -i ${wan} -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
+    iptables -A INPUT -i ${wan} -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
 }
 
 setup_cast() {