From 6c779d426173f0a35fa7ed1a2c2fde802c5eee1d Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 3 Dec 2018 12:40:41 -0500
Subject: [PATCH 08/34] nftables: fix panic mode not filtering output packets

This simplifies policy in the nftables backend by filtering only on the
prerouting and output hooks. The other hooks are unnecessary since
we're using a higher precedence.

Also fixes an issue when re-enabling panic mode multiple times. Due to
rule de-duplication the policy drop rule was not being re-added.

Fixes: rhbz 1579740
Fixes: a0f683dfef2c ("nftables: fix policy")
(cherry picked from commit 2f5608b4897ff99afbb1c2425a94df035031c1a2)
(cherry picked from commit 2b31106c5cb8ed299821f7978968c7fed6d23b37)
---
 src/firewall/core/nftables.py | 36 +++++++++--------------------------
 1 file changed, 9 insertions(+), 27 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 69236a9600c2..44cd4f9e1752 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -314,38 +314,20 @@ class nftables(object):
         # packets while initially starting and for panic mode. As such, using
         # hooks with a higher priority than our base chains is sufficient.
         #
-        table_chains = []
-        for table in list(IPTABLES_TO_NFT_HOOK.keys()):
-            for chain in IPTABLES_TO_NFT_HOOK[table]:
-                table_chains.append((table, chain))
-
         table_name = TABLE_NAME + "_" + "policy_drop"
 
-        def _policy_drop_helper(table, chain, family, rules):
-            _chain = "%s_%s" % (table, chain)
-            _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
-            # add hooks with priority -1, only contain drop rule
-            _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
-            _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
-                         (family, table_name, _chain, _hook, _priority)
-            rules.append(splitArgs(_add_chain))
-            rules.append(["add", "rule", family, table_name, _chain, "drop"])
-
         rules = []
         if policy == "DROP":
-            for family in ["inet", "ip", "ip6"]:
-                rules.append(["add", "table", family, table_name])
-
-            for table,chain in table_chains:
-                if table == "nat":
-                    # nat requires two families
-                    for family in ["ip", "ip6"]:
-                        _policy_drop_helper(table, chain, family, rules)
-                else:
-                    _policy_drop_helper(table, chain, "inet", rules)
+            rules.append(["add", "table", "inet", table_name])
+
+            # To drop everything we need to use the "raw" priority. These occur
+            # before conntrack, mangle, nat, etc
+            for hook in ["prerouting", "output"]:
+                _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
+                             (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
+                rules.append(splitArgs(_add_chain))
         elif policy == "ACCEPT":
-            for family in ["inet", "ip", "ip6"]:
-                rules.append(["delete", "table", family, table_name])
+            rules.append(["delete", "table", "inet", table_name])
         else:
             FirewallError(UNKNOWN_ERROR, "not implemented")
 
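Review bot: The `else` branch that survives this rewrite constructs `FirewallError(UNKNOWN_ERROR, "not implemented")` but never raises it, so an unexpected policy value falls through with `rules` still empty and the caller presumably applies nothing; it should read `raise FirewallError(UNKNOWN_ERROR, "not implemented")`. The enclosing method starts and ends outside this hunk, so what happens to the empty list afterwards is not visible here. The new chain definition also hardcodes `-300` inside the expression `-300 + NFT_HOOK_OFFSET - 1` with only the word "raw" in the comment to explain it; naming it, e.g. a module-level `NFT_RAW_PRIORITY = -300` next to `NFT_HOOK_OFFSET`, would make the intent checkable without consulting the netfilter headers. Since the `ACCEPT` branch now deletes only the `inet` table, it may be worth confirming that a host upgraded while panic mode was active is not left with the `ip`/`ip6` policy_drop tables the old code created.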
-- 
2.18.0