From 93a281423cd0041fc4c5061fdced9cadb1e785a1 Mon Sep 17 00:00:00 2001

From: Eric Garver <e@erig.me>

Date: Wed, 5 Dec 2018 17:16:30 -0500

Subject: [PATCH 11/34] nftables: fix rich rule masquerade

(cherry picked from commit aee4948e86fde6df8205b07f4da58e2a8c07377c)

(cherry picked from commit d7b9c1c646c07c24dd44e9e2792d0c6471d54c1b)

---

 src/firewall/core/nftables.py | 7 +++----

 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py

index 44cd4f9e1752..00a02ad149e5 100644

--- a/src/firewall/core/nftables.py

+++ b/src/firewall/core/nftables.py

@@ -900,7 +900,6 @@ class nftables(object):

         rule_fragment = []

         if rich_rule:

-            rule_fragment += self._rich_rule_family_fragment(rich_rule.family)

             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)

             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)

@@ -912,10 +911,10 @@ class nftables(object):

         # nat tables needs to use ip/ip6 family

         rules = []

         if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"

-           or rich_rule.source and check_address("ipv6", rich_rule.source)):

+           or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):

             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))

-        if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"

-           or rich_rule.source and check_address("ipv4", rich_rule.source)):

+        elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"

+           or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):

             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))

         else:

             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))

-- 

2.18.0