
From b1590ac89253781d127ad40baa1abb8de7731cc9 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 16 Apr 2019 10:53:48 -0400
Subject: [PATCH 27/73] fix: nftables rich rule mark not marking every packet
Similar to the fix for #478, nftables needs to mark every packet, not
just the first one that begins a new connection.
(cherry picked from commit 9d98c11732bcbee4a74bd883cd9b6e7defb3b401)
(cherry picked from commit 7538a479e100d14d248a64c8a23d81ccc9723b9e)
---
 src/firewall/core/nftables.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 50303e94ed7b..02e2ca008157 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -798,7 +798,8 @@ class nftables(object):
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
         rule_fragment += [proto, "dport", "%s" % portStr(port, "-")]
-        rule_fragment += ["ct", "state", "new,untracked"]
+        if not rich_rule or type(rich_rule.action) != Rich_Mark:
+            rule_fragment += ["ct", "state", "new,untracked"]
 
         rules = []
         if rich_rule:
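Review bot: The added guard tests `type(rich_rule.action) != Rich_Mark`, which is the non-idiomatic exact-type comparison and would silently keep the `ct state new,untracked` match for any subclass of Rich_Mark; unless a subclass is meant to keep that match, `if not rich_rule or not isinstance(rich_rule.action, Rich_Mark):` states the intent directly. The same construct is repeated in the hunks at `@@ -831` and `@@ -864`. The reason the conntrack state match is dropped is only in the commit message, so a one-line comment above the guard such as `# a mark action must apply to every packet, not only the first of a connection` would keep it with the code. The enclosing method starts outside the hunk.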
@@ -831,7 +832,8 @@ class nftables(object):
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
         rule_fragment = ["meta", "l4proto", protocol]
-        rule_fragment += ["ct", "state", "new,untracked"]
+        if not rich_rule or type(rich_rule.action) != Rich_Mark:
+            rule_fragment += ["ct", "state", "new,untracked"]
 
         rules = []
         if rich_rule:
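Review bot: The context line `rule_fragment = ["meta", "l4proto", protocol]` reassigns the list right after the two lines that appended the rich rule's destination and source fragments, so those fragments are discarded; if nothing outside the hunk re-adds them, a protocol rich rule's source or destination restriction never reaches the generated nft rule and the rule matches more traffic than the rich rule specifies. This is pre-existing rather than introduced by the commit, but the hunk touches the same lines, so a follow-up is cheap: initialise `rule_fragment = ["meta", "l4proto", protocol]` before the `if rich_rule:` block that precedes the hunk and drop the reassignment, keeping the append order used in the `@@ -798` and `@@ -864` hunks. The start of the enclosing method is outside the hunk, so confirm there is no later re-append before changing it.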
@@ -864,7 +866,8 @@ class nftables(object):
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
         rule_fragment += [proto, "sport", "%s" % portStr(port, "-")]
-        rule_fragment += ["ct", "state", "new,untracked"]
+        if not rich_rule or type(rich_rule.action) != Rich_Mark:
+            rule_fragment += ["ct", "state", "new,untracked"]
 
         rules = []
         if rich_rule:
-- 
2.20.1