
From 4653a1784d853eb34cd69371c28adae5b9666aa0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 17 Apr 2019 16:57:03 -0400
Subject: [PATCH 30/73] fix: nftables: make helpers work by creating ct helper
 objects
nftables needs to create "ct helper objects" in order for rules to
successfully set the ct helper.
Fixes: #453
Fixes: b630abd8e901 ("backend: introduce nftables support")
(cherry picked from commit 9e2d1ed0c3b23a3ca4b46dad25fd57d64f4ce53e)
(cherry picked from commit f110eed882fa387342dd64f28497b8b721b692aa)
---
 src/firewall/core/nftables.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 02e2ca008157..bf41ed98a542 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -884,20 +884,25 @@ class nftables(object):
     def build_zone_helper_ports_rules(self, enable, zone, proto, port,
                                       destination, helper_name):
         add_del = { True: "add", False: "delete" }[enable]
-        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
+        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
                                             zone=zone)
         rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
-                "raw_%s_allow" % (target), proto]
+                "filter_%s_allow" % (target)]
         if destination:
             if check_address("ipv4", destination):
                 rule += ["ip"]
             else:
                 rule += ["ip6"]
             rule += ["daddr", destination]
-        rule += ["dport", "%s" % portStr(port, "-")]
-        rule += ["ct", "helper", helper_name]
+        rule += [proto, "dport", "%s" % portStr(port, "-")]
+        rule += ["ct", "helper", "set", "\"helper-%s-%s\"" % (helper_name, proto)]
 
-        return [rule]
+        helper_object = ["ct", "helper", "inet", TABLE_NAME,
+                         "helper-%s-%s" % (helper_name, proto),
+                         "{", "type", "\"%s\"" % (helper_name), "protocol",
+                         proto, ";", "}"]
+
+        return [helper_object, rule]
 
     def _build_zone_masquerade_nat_rules(self, enable, zone, family, rich_rule=None):
         add_del = { True: "add", False: "delete" }[enable]
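Review bot: The delete path still emits the helper object: the `helper_object` list built at the end of the hunk carries no `add`/`delete` verb, so for `enable=False` the returned `[helper_object, rule]` re-issues an implicit `add ct helper` next to the `delete rule`, and the `helper-<name>-<proto>` object is never removed from the table. If the object is meant to be shared by several ports using the same helper and protocol, leaving it in place may be intentional, but the add should then be skipped on delete, e.g. `return [helper_object, rule] if enable else [rule]`, with a comment stating that the object is deliberately kept. Separately, `helper_name` and `proto` are interpolated into a double-quoted nft token without any escaping, which is only safe if firewalld validates helper names (no quotes or whitespace) before they reach this backend — the hunk does not show that, so a `# helper_name is assumed validated upstream; it is placed inside nft quotes unescaped` comment would tell the next reader where the trust boundary is. `_build_zone_masquerade_nat_rules` at the bottom of the hunk continues outside it.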
-- 
2.20.1