From 681ca12830d89c8b2f527c7ffee7e75ce83f1abc Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Wed, 5 Dec 2018 17:16:30 -0500
Subject: [PATCH 06/23] nftables: fix rich rule masquerade
(cherry picked from commit aee4948e86fde6df8205b07f4da58e2a8c07377c)
---
 src/firewall/core/nftables.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 44cd4f9e1752..00a02ad149e5 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -900,7 +900,6 @@ class nftables(object):
 rule_fragment = []
 if rich_rule:
- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
@@ -912,10 +911,10 @@ class nftables(object):
 # nat tables needs to use ip/ip6 family
 rules = []
 if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
- or rich_rule.source and check_address("ipv6", rich_rule.source)):
+ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
 rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
- or rich_rule.source and check_address("ipv4", rich_rule.source)):
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
 rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
 else:
 rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
-- 
2.20.1
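Review bot: Both family checks in the second hunk now dereference `rich_rule.source.addr`, but the guard only tests that `rich_rule.source` is truthy, not that `addr` is set. The source class is not visible here; if a source can be given in a non-address form so that `addr` is `None`, `check_address` would be handed `None` and could either raise or drop through to the `else` branch, whose visible line adds `ip6` NAT rules. Consider `or rich_rule.source and rich_rule.source.addr and check_address("ipv6", rich_rule.source.addr)):` and the same for `"ipv4"`. A short comment saying which family wins when `rich_rule.family` and the source address disagree would also help, since the new `elif` makes the first match final. The enclosing method starts before the hunk and the `else` body may continue past it.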