From dc5771fe648410f8097fe68003e6449f20470d04 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 20 Dec 2018 15:55:01 -0500
Subject: [PATCH 1/8] nftables: rpfilter: collapse log and drop into same rule

(cherry picked from commit 759680552bef435ae4142a2e2bd5591e5f00ae50)
---
 src/firewall/core/nftables.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index d0d1f6d1610d..72f2180ec504 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1230,16 +1230,15 @@ class nftables(object):
         return rules
 
     def build_rpfilter_rules(self, log_denied=False):
+        rule_fragment = ["meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
+                         "oif", "missing"]
+        if log_denied != "off":
+            rule_fragment += ["log", "prefix", "\"rpfilter_DROP: \""]
+        rule_fragment += ["drop"]
+
         rules = []
         rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
-                      "raw_%s" % "PREROUTING",
-                      "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
-                      "oif", "missing", "drop"])
-        if log_denied != "off":
-            rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
-                          "raw_%s" % "PREROUTING",
-                          "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
-                          "oif", "missing", "log", "prefix", "\"rpfilter_DROP: \""])
+                      "raw_%s" % "PREROUTING"] + rule_fragment)
         rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
                       "raw_%s" % "PREROUTING",
                       "icmpv6", "type", "{ nd-router-advert, nd-neighbor-solicit }",
-- 
2.18.0
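Review bot: The added `if log_denied != "off":` compares against a string, while the context line `def build_rpfilter_rules(self, log_denied=False):` defaults the parameter to the boolean `False`, so a call that omits the argument takes the logging branch because `False != "off"` is true; the default and the check should agree, e.g. `def build_rpfilter_rules(self, log_denied="off"):`. As written, every value other than the literal `"off"` (including `None` or a typo) enables the `log prefix "rpfilter_DROP: "` statement, which is presumably intended but is worth stating in the method's documentation. The method has no docstring; a one-line `"""Build raw PREROUTING rules that drop, and unless log_denied == "off" also log with prefix rpfilter_DROP, IPv6 packets whose source fails the fib reverse-path check."""` would make that contract explicit. The body of build_rpfilter_rules continues past the end of the hunk.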