From 2cb9ac1e34fd652e75147ca1d3f4495609448a04 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 23 Aug 2019 14:54:40 -0400
Subject: [PATCH 91/99] fix: --add-masquerade should only affect ipv4
|
This matches the man page. Users should use rich rules to get IPv6
masquerading.
|
(cherry picked from commit 88e13653686e4b72b4964e41564c70ca0096e0a9)
(cherry picked from commit 1e95c8d2f2a7d8a4b2f1ad34be268031ab5e9ba5)
---
src/firewall/core/fw_zone.py | 13 +++++--------
src/firewall/core/nftables.py | 1 -
2 files changed, 5 insertions(+), 9 deletions(-)
|
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 1f33b5504d54..6b766d0dc3ba 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1893,15 +1893,12 @@ class FirewallZone(object):
zone_transaction.add_chain("nat", "POSTROUTING")
zone_transaction.add_chain("filter", "FORWARD_OUT")
|
- for ipv in ["ipv4", "ipv6"]:
- zone_transaction.add_post(enable_ip_forwarding, ipv)
+ ipv = "ipv4"
+ zone_transaction.add_post(enable_ip_forwarding, ipv)
|
- for backend in self._fw.enabled_backends():
- if not backend.zones_supported:
- continue
-
- rules = backend.build_zone_masquerade_rules(enable, zone)
- zone_transaction.add_rules(backend, rules)
+ backend = self._fw.get_backend_by_ipv(ipv)
+ rules = backend.build_zone_masquerade_rules(enable, zone)
+ zone_transaction.add_rules(backend, rules)
|
def _forward_port(self, enable, zone, zone_transaction, port, protocol,
toport=None, toaddr=None, mark_id=None):
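Review bot: The new code hands the result of `self._fw.get_backend_by_ipv(ipv)` straight to `build_zone_masquerade_rules` without the `zones_supported` guard the removed loop had, so if that lookup can return `None` or a backend without zone support when no IPv4 backend is enabled, this now raises where the old code skipped. I cannot see `get_backend_by_ipv` from here; if it guarantees a zone-capable backend, a one-line comment saying so would spare the next reader the same question, otherwise the guard should come back. The IPv4-only decision is also worth stating in the code, since the enclosing method (which starts above the hunk) now does less than its old loop without saying why: `# Masquerade is IPv4-only per the man page; IPv6 masquerading needs a rich rule.` The `ipv = "ipv4"` local is used only twice and could be inlined or named as a constant.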
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index e6a4ec3518a8..baa6a7f58cfb 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -973,7 +973,6 @@ class nftables(object):
or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
else:
- rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
|
add_del = { True: "add", False: "delete" }[enable]
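Review bot: With the `ip6` line removed, the visible branch under the ipv4 condition and the `else` branch both call `self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule)`, so that condition (whose start is outside the hunk) no longer selects different behaviour and could be folded into the `else`, unless an earlier branch not shown here depends on its ordering. The method's head is also outside the hunk, so I may be missing an IPv6 branch above; if a rich rule with no family now gets IPv4 NAT rules only, that matches the commit message but is not obvious from the code. Suggest a comment on the `else`: `# No family given: masquerade IPv4 only; IPv6 needs family="ipv6" or an IPv6 source.`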
--
2.20.1