From 4653a1784d853eb34cd69371c28adae5b9666aa0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 17 Apr 2019 16:57:03 -0400
Subject: [PATCH 30/73] fix: nftables: make helpers work by creating ct helper
objects
nftables needs to create "ct helper objects" in order for rules to
successfully set the ct helper.
Fixes: #453
Fixes: b630abd8e901 ("backend: introduce nftables support")
(cherry picked from commit 9e2d1ed0c3b23a3ca4b46dad25fd57d64f4ce53e)
(cherry picked from commit f110eed882fa387342dd64f28497b8b721b692aa)
---
src/firewall/core/nftables.py | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 02e2ca008157..bf41ed98a542 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -884,20 +884,25 @@ class nftables(object):
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
destination, helper_name):
add_del = { True: "add", False: "delete" }[enable]
- target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
zone=zone)
rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
- "raw_%s_allow" % (target), proto]
+ "filter_%s_allow" % (target)]
if destination:
if check_address("ipv4", destination):
rule += ["ip"]
else:
rule += ["ip6"]
rule += ["daddr", destination]
- rule += ["dport", "%s" % portStr(port, "-")]
- rule += ["ct", "helper", helper_name]
+ rule += [proto, "dport", "%s" % portStr(port, "-")]
+ rule += ["ct", "helper", "set", "\"helper-%s-%s\"" % (helper_name, proto)]
- return [rule]
+ helper_object = ["ct", "helper", "inet", TABLE_NAME,
+ "helper-%s-%s" % (helper_name, proto),
+ "{", "type", "\"%s\"" % (helper_name), "protocol",
+ proto, ";", "}"]
+
+ return [helper_object, rule]
def _build_zone_masquerade_nat_rules(self, enable, zone, family, rich_rule=None):
add_del = { True: "add", False: "delete" }[enable]
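Review bot: The new `helper_object` command is emitted without the `add_del` verb, so when `enable` is False the method returns a "delete rule" followed by a bare "ct helper ... { ... }" command, which (assuming these lists are passed to nft verbatim, where a missing verb means `add`) re-creates the helper object instead of removing it, and the object is never deleted. The two commands are also returned in the same order for both directions, so on removal the object would be touched before the rule that references it is gone. One way to fix it is to build the object command per direction, e.g. `helper_object = ["delete", "ct", "helper", "inet", TABLE_NAME, "helper-%s-%s" % (helper_name, proto)]` for the delete path (the `{ type ... }` body only belongs on add), and return `[rule, helper_object]` in that case. Note that the same `helper-<name>-<proto>` object is shared by every port rule using that helper, so a per-port delete would also need to check that no other rule still references it; a one-line comment above `helper_object` recording that assumption, such as `# one ct helper object per (helper, proto); shared by all port rules that set it`, would help the next reader.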
--
2.20.1