From ad3e325cc67120b3c159a17d7bba1b216251d30f Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 8 Aug 2019 13:40:01 -0400
Subject: [PATCH 77/79] fix: nftables: fix zone dispatch using ipset sources in nat chains

If using an ipset as a zone source the rules for doing a goto to the zone's rules were omitted. This means the zone's rules for nat postrouting/prerouting were not having any effect.

Affected features; masquerade, forward-ports

(cherry picked from commit b363548f2ab0983d7b88dd82620c0c545e2cef39)
(cherry picked from commit 25ca77a113d895dabd0bc81463fff2db5c749f85)
---
 src/firewall/core/nftables.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 05376fdd68d8..e6a4ec3518a8 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -542,10 +542,15 @@ class nftables(object):
 # nat tables needs to use ip/ip6 family
 if table == "nat" and family == "inet":
 rules = []
- if check_address("ipv4", address) or check_mac(address):
+ if address.startswith("ipset:"):
+ ipset_family = self._set_get_family(address[len("ipset:"):])
+ else:
+ ipset_family = None
+
+ if check_address("ipv4", address) or check_mac(address) or ipset_family == "ip":
 rules.extend(self.build_zone_source_address_rules(enable, zone, address, table, chain, "ip"))
- if check_address("ipv6", address) or check_mac(address):
+ if check_address("ipv6", address) or check_mac(address) or ipset_family == "ip6":
 rules.extend(self.build_zone_source_address_rules(enable, zone, address, table, chain, "ip6"))
 return rules
-- 
2.20.1
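Review bot: The new dispatch in the nat/inet branch still falls through silently when `address` names an ipset whose `_set_get_family` result is neither "ip" nor "ip6" (for instance if the lookup yields None for an unknown set): both `if` tests are false, `rules` stays empty, and the zone's nat rules are skipped with no diagnostic — the same symptom this commit fixes for the known families. An explicit guard after the `else`, e.g. `if address.startswith("ipset:") and ipset_family not in ("ip", "ip6"):` followed by a logged warning or a raised error, would surface the misconfiguration instead of hiding it. Whether `_set_get_family` can return None or raise for an unknown set is not visible in this hunk and should be confirmed against its definition. The enclosing method starts before and continues after this hunk, and the hunk header's line counts (10/15) suggest trailing context lines were lost in this rendering.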