From dc5771fe648410f8097fe68003e6449f20470d04 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 20 Dec 2018 15:55:01 -0500
Subject: [PATCH 1/8] nftables: rpfilter: collapse log and drop into same rule

(cherry picked from commit 759680552bef435ae4142a2e2bd5591e5f00ae50)
---
 src/firewall/core/nftables.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index d0d1f6d1610d..72f2180ec504 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1230,16 +1230,15 @@ class nftables(object):
         return rules
 
     def build_rpfilter_rules(self, log_denied=False):
+        rule_fragment = ["meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
+                         "oif", "missing"]
+        if log_denied != "off":
+            rule_fragment += ["log", "prefix", "\"rpfilter_DROP: \""]
+        rule_fragment += ["drop"]
+
         rules = []
         rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
-                      "raw_%s" % "PREROUTING",
-                      "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
-                      "oif", "missing", "drop"])
-        if log_denied != "off":
-            rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
-                          "raw_%s" % "PREROUTING",
-                          "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
-                          "oif", "missing", "log", "prefix", "\"rpfilter_DROP: \""])
+                      "raw_%s" % "PREROUTING"] + rule_fragment)
         rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
                       "raw_%s" % "PREROUTING",
                       "icmpv6", "type", "{ nd-router-advert, nd-neighbor-solicit }",
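Review bot: The `if log_denied != "off":` test that now gates the log statement in `rule_fragment` compares against a string, while the signature (context line above) defaults `log_denied` to the boolean `False`; with that default the branch is taken and the `rpfilter_DROP:` log prefix is always emitted. This mismatch predates the commit, but since the fragment is now built once and reused it is worth documenting rather than leaving implicit: add a docstring such as `"""Build the IPv6 rpfilter rules; log_denied is the LogDenied setting string, and any value other than "off" (including the default) adds a log statement before the drop."""`, or change the default to `"off"` if callers always pass the setting string — I cannot see the call sites from this hunk. build_rpfilter_rules continues past the end of the hunk.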
-- 
2.18.0