From 845b0d5875fc1561ea291feb38a4247523066b31 Mon Sep 17 00:00:00 2001
From: Felix Kaechele <heffer@fedoraproject.org>
Date: Sat, 23 Mar 2019 13:30:47 -0400
Subject: [PATCH 26/73] rich rules: fix Rich_Mark logic
We are looking to compare the type, not the object.
Without this fix ipXtables will only mark the very first packet of a connection.
Signed-off-by: Felix Kaechele <heffer@fedoraproject.org>
(cherry picked from commit 12e281ae870d278f2260adfe6b9f6a5f7b059b87)
(cherry picked from commit 0900bec8c1bcbe9dee444c7466b30686679c3bf1)
---
src/firewall/core/ipXtables.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 4f04ac41f6a0..c21dc47457b3 100644
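--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -870,7 +870,7 @@ class ip4tables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- if not rich_rule or rich_rule.action != Rich_Mark:
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
 rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
 rules = []
@@ -895,7 +895,7 @@ class ip4tables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- if not rich_rule or rich_rule.action != Rich_Mark:
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
 rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
 rules = []
@@ -923,7 +923,7 @@ class ip4tables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
- if not rich_rule or rich_rule.action != Rich_Mark:
+ if not rich_rule or type(rich_rule.action) != Rich_Mark:
 rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
 
 rules = []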
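Review bot: The new condition `type(rich_rule.action) != Rich_Mark` is an exact-type comparison, so any subclass of Rich_Mark, should one exist, would fall back into the `--ctstate NEW,UNTRACKED` branch and again be marked only on the first packet. The idiomatic form is `if not rich_rule or not isinstance(rich_rule.action, Rich_Mark):`, and it applies equally to the hunks at 895 and 923. The code does not say why mark rules skip the state match, so a comment above the check such as `# mark rules must match every packet of a connection, not only NEW/UNTRACKED` would help keep a later edit from silently reintroducing it. Because the same lines recur in all three hunks, a small shared helper would keep the three call sites from drifting apart. The enclosing methods start and end outside the hunks shown.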
--
2.20.1