From 845b0d5875fc1561ea291feb38a4247523066b31 Mon Sep 17 00:00:00 2001
From: Felix Kaechele
Date: Sat, 23 Mar 2019 13:30:47 -0400
Subject: [PATCH 26/73] rich rules: fix Rich_Mark logic

We are looking to compare the type, not the object. Without this fix ipXtables will only mark the very first packet of a connection.

Signed-off-by: Felix Kaechele
(cherry picked from commit 12e281ae870d278f2260adfe6b9f6a5f7b059b87)
(cherry picked from commit 0900bec8c1bcbe9dee444c7466b30686679c3bf1)
---
 src/firewall/core/ipXtables.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 4f04ac41f6a0..c21dc47457b3 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -870,7 +870,7 @@ class ip4tables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- if not rich_rule or rich_rule.action != Rich_Mark:
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
 rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
 rules = []
@@ -895,7 +895,7 @@ class ip4tables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- if not rich_rule or rich_rule.action != Rich_Mark:
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
 rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
 rules = []
@@ -923,7 +923,7 @@ class ip4tables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- if not rich_rule or rich_rule.action != Rich_Mark:
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
 rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
 rules = []
-- 
2.20.1
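Review bot: `type(rich_rule.action) != Rich_Mark` is the non-idiomatic form of a type test, and the identical line is changed in all three hunks (around 870, 895 and 923); that all three carried the same instance-vs-class comparison before this fix suggests the predicate belongs in one place rather than three. I would write it as `if not rich_rule or not isinstance(rich_rule.action, Rich_Mark):` — equivalent to the new code provided Rich_Mark is never subclassed, which I cannot verify from this patch — and hoist it into a small helper, e.g. `def _wants_ctstate_new(rich_rule): return not rich_rule or not isinstance(rich_rule.action, Rich_Mark)`, called from all three sites so the condition cannot drift again. The `-m conntrack --ctstate NEW,UNTRACKED` match is what confines these rules to the start of a connection, and with this fix it is now genuinely omitted for mark actions, so a comment at the site would stop the next reader from reinstating it: `# Mark actions must see every packet of a flow, not only the first, so no conntrack NEW match here`. The enclosing methods start and end outside the hunks.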