From 2cb9ac1e34fd652e75147ca1d3f4495609448a04 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 23 Aug 2019 14:54:40 -0400
Subject: [PATCH 91/99] fix: --add-masquerade should only affect ipv4
As documented in the man page. Users who need IPv6 masquerading should use
rich rules.
(cherry picked from commit 88e13653686e4b72b4964e41564c70ca0096e0a9)
(cherry picked from commit 1e95c8d2f2a7d8a4b2f1ad34be268031ab5e9ba5)
---
src/firewall/core/fw_zone.py | 13 +++++--------
src/firewall/core/nftables.py | 1 -
2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 1f33b5504d54..6b766d0dc3ba 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1893,15 +1893,12 @@ class FirewallZone(object):
zone_transaction.add_chain("nat", "POSTROUTING")
zone_transaction.add_chain("filter", "FORWARD_OUT")
- for ipv in ["ipv4", "ipv6"]:
- zone_transaction.add_post(enable_ip_forwarding, ipv)
+ ipv = "ipv4"
+ zone_transaction.add_post(enable_ip_forwarding, ipv)
- for backend in self._fw.enabled_backends():
- if not backend.zones_supported:
- continue
-
- rules = backend.build_zone_masquerade_rules(enable, zone)
- zone_transaction.add_rules(backend, rules)
+ backend = self._fw.get_backend_by_ipv(ipv)
+ rules = backend.build_zone_masquerade_rules(enable, zone)
+ zone_transaction.add_rules(backend, rules)
def _forward_port(self, enable, zone, zone_transaction, port, protocol,
toport=None, toaddr=None, mark_id=None):
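Review bot: The rewrite on L30 drops the `backend.zones_supported` guard that the removed loop (L25-L26) applied, and calls `self._fw.get_backend_by_ipv(ipv)` unconditionally; that is only safe if the backend selected for "ipv4" always supports zones, which seems likely but is not visible here. Since `ipv` is now a fixed value used twice, the restriction should be stated where it is set, e.g. `ipv = "ipv4"  # zone masquerade is IPv4-only (per the man page); IPv6 masquerading needs a rich rule`. Note also that with enable=False only IPv4 removal rules are now generated, so any ip6 masquerade rules installed by an older version are presumably only cleaned up by a full reload. The enclosing method starts above the hunk, so its docstring (if any) should mention the IPv4-only scope as well.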
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index e6a4ec3518a8..baa6a7f58cfb 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -973,7 +973,6 @@ class nftables(object):
or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
else:
- rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
add_del = { True: "add", False: "delete" }[enable]
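Review bot: After the deletion on L43 the `else:` branch on L42 builds exactly the same `"ip"` rules as the branch whose condition ends on L40, so that ipv4 condition no longer changes the outcome at this point and a reader may take the duplicated line for an oversight. Either fold the two branches, or keep the split and document it: `else:  # no address-family hint: plain zone masquerade is IPv4-only, IPv6 needs a rich rule`. If an `elif` for the IPv6 case exists above the visible context (not shown), a fold must keep it ahead of the merged branch. The enclosing method starts above the hunk and continues past it.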
--
2.20.1