From 845b0d5875fc1561ea291feb38a4247523066b31 Mon Sep 17 00:00:00 2001
From: Felix Kaechele <heffer@fedoraproject.org>
Date: Sat, 23 Mar 2019 13:30:47 -0400
Subject: [PATCH 26/73] rich rules: fix Rich_Mark logic

We are looking to compare the type, not the object.
Without this fix ipXtables will only mark the very first packet of a connection.

Signed-off-by: Felix Kaechele <heffer@fedoraproject.org>
(cherry picked from commit 12e281ae870d278f2260adfe6b9f6a5f7b059b87)
(cherry picked from commit 0900bec8c1bcbe9dee444c7466b30686679c3bf1)
---
 src/firewall/core/ipXtables.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 4f04ac41f6a0..c21dc47457b3 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -870,7 +870,7 @@ class ip4tables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
-        if not rich_rule or rich_rule.action != Rich_Mark:
+        if not rich_rule or type(rich_rule.action) != Rich_Mark:
             rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
         rules = []
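Review bot: The corrected condition on the `+` line compares classes with `type(...) != Rich_Mark`, which is exact-type equality and would silently miss any subclass of Rich_Mark, re-introducing the first-packet-only marking this commit fixes; the idiomatic and subclass-safe form is `if not rich_rule or not isinstance(rich_rule.action, Rich_Mark):`. The same change applies to the two later hunks at lines 895 and 923. Since the conntrack gate is easy to misread, a one-line why-comment would help, e.g. `# mark actions must match every packet, so skip the NEW,UNTRACKED ctstate filter`. The enclosing methods of class ip4tables start and end outside each hunk.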
@@ -895,7 +895,7 @@ class ip4tables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
-        if not rich_rule or rich_rule.action != Rich_Mark:
+        if not rich_rule or type(rich_rule.action) != Rich_Mark:
             rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
         rules = []
@@ -923,7 +923,7 @@ class ip4tables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
-        if not rich_rule or rich_rule.action != Rich_Mark:
+        if not rich_rule or type(rich_rule.action) != Rich_Mark:
             rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
         rules = []
-- 
2.20.1