From c2a82e83a88b8b1a2fd52ab2d7862e0ea707789e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Mon, 17 May 2010 11:58:21 +0300
Subject: [PATCH] Fix ip6tables states for kernels older than 2.6.20 (which have states broken).

---
 firewall/manifests/init.pp | 2 ++
 firewall/templates/ip6tables.erb | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp
index f1aa96b..820c7e4 100644
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@@ -76,6 +76,8 @@ class firewall::common::iptables {
 ensure => installed,
 }
 
+ $ip6states = versioncmp($kernelversion, "2.6.20")
+
 file { "/etc/sysconfig/iptables":
 ensure => present,
 mode => 0600,
diff --git a/firewall/templates/ip6tables.erb b/firewall/templates/ip6tables.erb
index 1a664ed..0e30dfb 100644
--- a/firewall/templates/ip6tables.erb
+++ b/firewall/templates/ip6tables.erb
@@ -6,7 +6,12 @@
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m ipv6header --header ah -j ACCEPT
 -A INPUT -m ipv6header --header esp -j ACCEPT
+<% if ip6states >= 0 -%>
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+<% else -%>
+-A INPUT -m tcp -p tcp ! --syn -j ACCEPT
+-A INPUT -m udp -p udp --dport 32768:61000 -j ACCEPT
+<% end -%>
 -A INPUT -p ipv6-icmp -j ACCEPT
 <% firewall_rules.each do |rule|
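Review bot: `$ip6states = versioncmp($kernelversion, "2.6.20")` fails open if `$kernelversion` (presumably the Facter fact) is missing or empty on a node: an empty string would compare as older than 2.6.20, so the template hunk below emits the permissive stateless fallback (`! --syn` accept and the 32768:61000 UDP range) instead of the stateful ESTABLISHED,RELATED rule. Consider guarding it first, e.g. `if $kernelversion == "" { fail("kernelversion fact missing; cannot choose ip6tables ruleset") }`, so a broken or absent fact aborts the run rather than silently loosening the IPv6 firewall. A comment on the assignment would also help readers, e.g. `# < 0 when the kernel predates 2.6.20 (ip6tables state matching unreliable); ip6tables.erb then falls back to stateless rules`. Whether versioncmp on an empty string actually yields -1 in the Puppet version in use should be confirmed, but either way the value is consumed without any presence check. The enclosing class firewall::common::iptables starts and ends outside the hunk.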