From 5ea1b0acbd2c0ce7e1fda0197155fd2fd0ea6fa0 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 19 Feb 2020 14:03:16 +0100
Subject: [PATCH] DNS 'ANY' request uses TCP port. So allow DNS TCP requests for 'resolver_allowed_network_arr'.
---
 ip6t-firewall-server | 1 +
 ipt-firewall-server | 1 +
 2 files changed, 2 insertions(+)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 8f0d268..fa8295e 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1066,6 +1066,7 @@ if [[ -n "$local_resolver_service" ]] && $local_resolver_service ; then
 if [[ ${#resolver_allowed_network_arr[@]} -gt 0 ]] ; then
 for _net in ${resolver_allowed_network_arr[@]} ; do
 $ip6t -A INPUT -p udp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
 done
 echo_done
 else
diff --git a/ipt-firewall-server b/ipt-firewall-server
index e75b345..4fc5d1c 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1312,6 +1312,7 @@ if [[ -n "$local_resolver_service" ]] && $local_resolver_service ; then
 if [[ ${#resolver_allowed_network_arr[@]} -gt 0 ]] ; then
 for _net in ${resolver_allowed_network_arr[@]} ; do
 $ipt -A INPUT -p udp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p tcp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
 done
 echo_done
 else
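Review bot: The added tcp rule in ip6t-firewall-server (and the identical one in the ipt-firewall-server hunk) leaves `$_net` and `$resolver_port` unquoted, copying the udp line above it; since the two rules now differ only in the protocol, a small loop keeps them from drifting apart, e.g. `for _proto in udp tcp ; do $ip6t -A INPUT -p "$_proto" -s "$_net" --dport "$resolver_port" -m conntrack --ctstate NEW -j ACCEPT ; done`. The commit message ties TCP to 'ANY' queries, but clients retry over TCP whenever a UDP answer comes back truncated, so a comment above the rule such as `# DNS over TCP: truncated-answer fallback (ANY and other large responses)` records the actual reason the port is opened. The `else` branch taken when resolver_allowed_network_arr is empty lies outside both hunks; if it accepts the resolver port for udp only, it presumably needs the matching tcp rule, otherwise the restricted and unrestricted paths now behave differently for TCP.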