From b1590ac89253781d127ad40baa1abb8de7731cc9 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 16 Apr 2019 10:53:48 -0400
Subject: [PATCH 27/73] fix: nftables rich rule mark not marking every packet

Similar to the fix for #478, nftables needs to mark every packet, not just the first one that begins a new connection.

(cherry picked from commit 9d98c11732bcbee4a74bd883cd9b6e7defb3b401)
(cherry picked from commit 7538a479e100d14d248a64c8a23d81ccc9723b9e)
---
 src/firewall/core/nftables.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 50303e94ed7b..02e2ca008157 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -798,7 +798,8 @@ class nftables(object):
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
 rule_fragment += [proto, "dport", "%s" % portStr(port, "-")]
- rule_fragment += ["ct", "state", "new,untracked"]
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
+ rule_fragment += ["ct", "state", "new,untracked"]
 
 rules = []
 if rich_rule:
@@ -831,7 +832,8 @@ class nftables(object):
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
 rule_fragment = ["meta", "l4proto", protocol]
- rule_fragment += ["ct", "state", "new,untracked"]
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
+ rule_fragment += ["ct", "state", "new,untracked"]
 
 rules = []
 if rich_rule:
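Review bot: The added condition `type(rich_rule.action) != Rich_Mark` compares classes by identity, so any subclass of Rich_Mark would still receive the `ct state new,untracked` match and mark only the first packet of a connection, which is exactly the bug this commit fixes; `isinstance` states the intent and is the PEP 8 form: `if not rich_rule or not isinstance(rich_rule.action, Rich_Mark):`. The same two lines are added verbatim at @@ -831 and @@ -864, so a small private helper on the class returning whether a rich rule's action is a mark would keep the three sites from drifting apart. A why-comment on the new branch would help the next reader, e.g. `# a mark action must apply to every packet, not just the first of a connection`. The enclosing methods start and end outside the hunks, and the new lines rely on Rich_Mark already being in scope in this module; the diffstat shows no import change, so presumably it is.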
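Review bot: In the @@ -831 hunk the context line `rule_fragment = ["meta", "l4proto", protocol]` assigns rather than appends, so the destination and source fragments built on the two preceding lines are discarded before the new `ct state` condition is evaluated; a rich rule carrying a source or destination address would apparently produce a protocol rule without that address match, i.e. broader than configured. This is pre-existing and not what the commit targets, but it sits in the same lines and deserves a follow-up: `rule_fragment += ["meta", "l4proto", protocol]`. The enclosing method starts and ends outside the hunk, so whether `rule_fragment` is initialised to a list before these lines cannot be confirmed here.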
@@ -864,7 +866,8 @@ class nftables(object):
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
 rule_fragment += [proto, "sport", "%s" % portStr(port, "-")]
- rule_fragment += ["ct", "state", "new,untracked"]
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
+ rule_fragment += ["ct", "state", "new,untracked"]
 
 rules = []
 if rich_rule:
--
2.20.1