From 4653a1784d853eb34cd69371c28adae5b9666aa0 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Wed, 17 Apr 2019 16:57:03 -0400
Subject: [PATCH 30/73] fix: nftables: make helpers work by creating ct helper objects

nftables needs to create "ct helper objects" in order for rules to successfully set the ct helper.

Fixes: #453
Fixes: b630abd8e901 ("backend: introduce nftables support")
(cherry picked from commit 9e2d1ed0c3b23a3ca4b46dad25fd57d64f4ce53e)
(cherry picked from commit f110eed882fa387342dd64f28497b8b721b692aa)
---
 src/firewall/core/nftables.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 02e2ca008157..bf41ed98a542 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -884,20 +884,25 @@ class nftables(object):
     def build_zone_helper_ports_rules(self, enable, zone, proto, port, destination, helper_name):
         add_del = { True: "add", False: "delete" }[enable]
-        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
+        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
                                             zone=zone)
         rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
-                "raw_%s_allow" % (target), proto]
+                "filter_%s_allow" % (target)]
         if destination:
             if check_address("ipv4", destination):
                 rule += ["ip"]
             else:
                 rule += ["ip6"]
             rule += ["daddr", destination]
-        rule += ["dport", "%s" % portStr(port, "-")]
-        rule += ["ct", "helper", helper_name]
+        rule += [proto, "dport", "%s" % portStr(port, "-")]
+        rule += ["ct", "helper", "set", "\"helper-%s-%s\"" % (helper_name, proto)]
 
-        return [rule]
+        helper_object = ["ct", "helper", "inet", TABLE_NAME,
+                         "helper-%s-%s" % (helper_name, proto),
+                         "{", "type", "\"%s\"" % (helper_name), "protocol",
+                         proto, ";", "}"]
+
+        return [helper_object, rule]
 
     def _build_zone_masquerade_nat_rules(self, enable, zone, family, rich_rule=None):
         add_del = { True: "add", False: "delete" }[enable]
-- 
2.20.1
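Review bot: The new `helper_object` command is built without `add_del`, so with `enable=False` the method returns an unconditional (implicitly "add") ct helper object next to the rule deletion; the object is never removed when the port/helper is disabled, and the `[helper_object, rule]` order is only correct for the add case, since on delete the rule referencing the object must go first and the object may still be referenced by another port using the same helper/proto. A minimal guard before the object is built, `if not enable:` / `    return [rule]`, keeps the delete path from re-creating the object; removing the object when no other rule references it would need reference tracking outside this method. The rule quotes the object name (`"\"helper-%s-%s\""`) while the object definition leaves it unquoted, and both interpolate `helper_name` into nft syntax unescaped, so a helper name containing a quote, whitespace or other nft-special characters would produce an unparseable command; a short comment noting that `helper_name` is presumably taken from the helper configuration and must be a plain identifier would help, or validation at the config boundary. Note that the first context line may be a two-line signature in the original file; it is shown joined here.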