|
 |
c8bceb |
From 4653a1784d853eb34cd69371c28adae5b9666aa0 Mon Sep 17 00:00:00 2001
|
|
|
c8bceb |
From: Eric Garver <eric@garver.life>
|
|
|
c8bceb |
Date: Wed, 17 Apr 2019 16:57:03 -0400
|
|
|
c8bceb |
Subject: [PATCH 30/73] fix: nftables: make helpers work by creating ct helper
|
|
|
c8bceb |
objects
|
|
|
c8bceb |
|
|
|
c8bceb |
nftables needs to create "ct helper objects" in order for rules to
|
|
|
c8bceb |
successfully set the ct helper.
|
|
|
c8bceb |
|
|
|
c8bceb |
Fixes: #453
|
|
|
c8bceb |
Fixes: b630abd8e901 ("backend: introduce nftables support")
|
|
|
c8bceb |
(cherry picked from commit 9e2d1ed0c3b23a3ca4b46dad25fd57d64f4ce53e)
|
|
|
c8bceb |
(cherry picked from commit f110eed882fa387342dd64f28497b8b721b692aa)
|
|
|
c8bceb |
---
|
|
|
c8bceb |
src/firewall/core/nftables.py | 15 ++++++++++-----
|
|
|
c8bceb |
1 file changed, 10 insertions(+), 5 deletions(-)
|
|
|
c8bceb |
|
|
|
c8bceb |
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
c8bceb |
index 02e2ca008157..bf41ed98a542 100644
|
|
|
c8bceb |
--- a/src/firewall/core/nftables.py
|
|
|
c8bceb |
+++ b/src/firewall/core/nftables.py
|
|
|
c8bceb |
@@ -884,20 +884,25 @@ class nftables(object):
|
|
|
c8bceb |
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
|
|
|
c8bceb |
destination, helper_name):
|
|
|
c8bceb |
add_del = { True: "add", False: "delete" }[enable]
|
|
|
c8bceb |
- target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
|
c8bceb |
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
|
|
|
c8bceb |
zone=zone)
|
|
|
c8bceb |
rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
|
|
|
c8bceb |
- "raw_%s_allow" % (target), proto]
|
|
|
c8bceb |
+ "filter_%s_allow" % (target)]
|
|
|
c8bceb |
if destination:
|
|
|
c8bceb |
if check_address("ipv4", destination):
|
|
|
c8bceb |
rule += ["ip"]
|
|
|
c8bceb |
else:
|
|
|
c8bceb |
rule += ["ip6"]
|
|
|
c8bceb |
rule += ["daddr", destination]
|
|
|
c8bceb |
- rule += ["dport", "%s" % portStr(port, "-")]
|
|
|
c8bceb |
- rule += ["ct", "helper", helper_name]
|
|
|
c8bceb |
+ rule += [proto, "dport", "%s" % portStr(port, "-")]
|
|
|
c8bceb |
+ rule += ["ct", "helper", "set", "\"helper-%s-%s\"" % (helper_name, proto)]
|
|
|
c8bceb |
|
|
|
c8bceb |
- return [rule]
|
|
|
c8bceb |
+ helper_object = ["ct", "helper", "inet", TABLE_NAME,
|
|
|
c8bceb |
+ "helper-%s-%s" % (helper_name, proto),
|
|
|
c8bceb |
+ "{", "type", "\"%s\"" % (helper_name), "protocol",
|
|
|
c8bceb |
+ proto, ";", "}"]
|
|
|
c8bceb |
+
|
|
|
c8bceb |
+ return [helper_object, rule]
|
|
|
c8bceb |
|
|
|
c8bceb |
def _build_zone_masquerade_nat_rules(self, enable, zone, family, rich_rule=None):
|
|
|
c8bceb |
add_del = { True: "add", False: "delete" }[enable]
|
|
|
c8bceb |
--
|
|
|
c8bceb |
2.20.1
|
|
|
c8bceb |
|