From 3bcaadbc99a10634d5a7552d7398436ef836f428 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Mon, 22 May 2017 17:59:10 +0200
Subject: [PATCH 3/6] firewall.core.fw_zone: Load NAT helpers with conntrack helpers

If a conntrack helper is used, then the NAT helper will automatically be loaded also if there is a matching NAT helper.

Fixes: RHBZ#1452681
(cherry picked from commit af59d816c92e0391d118949542eb19bcf8b74580)
---
 src/firewall/core/fw_zone.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 2c99b0cbce8a..3089d12edd1b 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1155,9 +1155,15 @@ class FirewallZone(object):
 _rule += [ "-j", "CT", "--helper", helper.name ]
 self.__rule_source(rule.source, _rule)
 zone_transaction.add_rule(ipv, _rule)
+ nat_module = module.replace("conntrack", "nat")
+ if nat_module in self._fw.nf_nat_helpers:
+ modules.append(nat_module)
 else:
 if helper.module not in modules:
 modules.append(helper.module)
+ nat_module = helper.module.replace("conntrack", "nat")
+ if nat_module in self._fw.nf_nat_helpers:
+ modules.append(nat_module)
 zone_transaction.add_modules(modules)

 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
@@ -1624,6 +1630,9 @@ class FirewallZone(object):
 modules = [ ]
 for helper in helpers:
 modules.append(helper.module)
+ nat_module = helper.module.replace("conntrack", "nat")
+ if nat_module in self._fw.nf_nat_helpers:
+ modules.append(nat_module)
 zone_transaction.add_modules(modules)

 zone_transaction.add_chain("filter", "INPUT")
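Review bot: In the first branch of the -1155 hunk `modules.append(nat_module)` has no membership guard, while the `else` branch only appends `helper.module` when it is `not in modules`; the loop in the -1624 hunk appends without a guard as well. If two helpers share a conntrack module, or the append sits inside the per-rule loop (indentation is lost in this view, so that is not certain), the same NAT module is queued repeatedly for `zone_transaction.add_modules(modules)`. I would write `if nat_module in self._fw.nf_nat_helpers and nat_module not in modules:` at those sites. The same three-line derivation appears four times in the patch, so a small private method that returns the NAT module name or `None` would keep the rule for which kernel modules get requested in one place. The enclosing methods start and end outside both hunks.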
@@ -1641,6 +1650,9 @@ class FirewallZone(object):
 raise FirewallError(
 errors.INVALID_HELPER,
 "'%s' is not available in kernel" % module)
+ nat_module = helper.module.replace("conntrack", "nat")
+ if nat_module in self._fw.nf_nat_helpers:
+ zone_transaction.add_module(nat_module)
 if helper.family != "" and helper.family != ipv:
 # no support for family ipv, continue
 continue
--
2.12.0
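Review bot: The NAT module is queued with `zone_transaction.add_module(nat_module)` before the `helper.family != "" and helper.family != ipv` test, so a helper that is then skipped with `continue` for this `ipv` still causes a kernel module load request. Moving the three added lines below the family check would limit module loading to helpers that are actually processed for this family; whether the conntrack module itself is requested before or after that check is not visible in this hunk, so the two should be kept consistent. The added line also reads `helper.module` while the error message directly above uses the local `module`; using one name, `nat_module = module.replace("conntrack", "nat")`, matches the first hunk. The surrounding loop begins and ends outside the hunk.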