Blame SOURCES/0027-fix-nftables-fix-zone-dispatch-using-ipset-sources-i.patch

From ec38f84551e7488ca42ce06d028138d40539e47c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 8 Aug 2019 13:40:01 -0400
Subject: [PATCH 27/28] fix: nftables: fix zone dispatch using ipset sources in
 nat chains
If using an ipset as a zone source the rules for doing a goto to the
zone's rules were omitted. This means the zone's rules for nat
postrouting/prerouting were not having any effect. Affected features:
masquerade, forward-ports
(cherry picked from commit b363548f2ab0983d7b88dd82620c0c545e2cef39)
---
 src/firewall/core/nftables.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
8a3219
index c0b48f1501fd..33a170a76a98 100644
8a3219
--- a/src/firewall/core/nftables.py
8a3219
+++ b/src/firewall/core/nftables.py
8a3219
@@ -610,10 +610,15 @@ class nftables(object):
8a3219
         # nat tables needs to use ip/ip6 family
8a3219
         if table == "nat" and family == "inet":
8a3219
             rules = []
8a3219
-            if check_address("ipv4", address) or check_mac(address):
8a3219
+            if address.startswith("ipset:"):
8a3219
+                ipset_family = self._set_get_family(address[len("ipset:"):])
8a3219
+            else:
8a3219
+                ipset_family = None
8a3219
+
8a3219
+            if check_address("ipv4", address) or check_mac(address) or ipset_family == "ip":
8a3219
                 rules.extend(self.build_zone_source_address_rules(enable, zone,
8a3219
                                     address, table, chain, "ip"))
8a3219
-            if check_address("ipv6", address) or check_mac(address):
8a3219
+            if check_address("ipv6", address) or check_mac(address) or ipset_family == "ip6":
8a3219
                 rules.extend(self.build_zone_source_address_rules(enable, zone,
8a3219
                                     address, table, chain, "ip6"))
8a3219
             return rules
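Review bot: An `ipset:` source whose family is reported as anything other than `"ip"` or `"ip6"` still matches neither condition and the function returns an empty `rules` list, so the zone dispatch for that source is silently omitted in the nat table — the same fail-silent outcome this commit is fixing, just for a different input. Since a missing dispatch rule means masquerade/forward-ports from that source are quietly not applied, that case should be loud: after the two `if` blocks add `if ipset_family is not None and ipset_family not in ("ip", "ip6"): raise FirewallError(errors.INVALID_IPSET, "unsupported family for nat: %s" % ipset_family)` (or whatever error type this module already uses, which is not visible in the hunk). What `_set_get_family` returns for a set that does not exist, or for a `hash:mac` set, is not visible here either and is worth confirming before relying on the `None` check alone. The enclosing method starts before this hunk.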
-- 
2.20.1