From ad3e325cc67120b3c159a17d7bba1b216251d30f Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Thu, 8 Aug 2019 13:40:01 -0400

Subject: [PATCH 77/79] fix: nftables: fix zone dispatch using ipset sources in

 nat chains

If using an ipset as a zone source the rules for doing a goto to the

zone's rules were omitted. This means the zone's rules for nat

postrouting/prerouting were not having any effect. Affected features;

masquerade, forward-ports

(cherry picked from commit b363548f2ab0983d7b88dd82620c0c545e2cef39)

(cherry picked from commit 25ca77a113d895dabd0bc81463fff2db5c749f85)

---

 src/firewall/core/nftables.py | 9 +++++++--

 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py

index 05376fdd68d8..e6a4ec3518a8 100644

--- a/src/firewall/core/nftables.py

+++ b/src/firewall/core/nftables.py

@@ -542,10 +542,15 @@ class nftables(object):

         # nat tables needs to use ip/ip6 family

         if table == "nat" and family == "inet":

             rules = []

-            if check_address("ipv4", address) or check_mac(address):

+            if address.startswith("ipset:"):

+                ipset_family = self._set_get_family(address[len("ipset:"):])

+            else:

+                ipset_family = None

+

+            if check_address("ipv4", address) or check_mac(address) or ipset_family == "ip":

                 rules.extend(self.build_zone_source_address_rules(enable, zone,

                                     address, table, chain, "ip"))

-            if check_address("ipv6", address) or check_mac(address):

+            if check_address("ipv6", address) or check_mac(address) or ipset_family == "ip6":

                 rules.extend(self.build_zone_source_address_rules(enable, zone,

                                     address, table, chain, "ip6"))

             return rules

-- 

2.20.1