firewalld/nftables-fix-destination-checks-not-allowing-masks.patch

From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 27 Sep 2018 08:52:22 -0400
Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks

Some destination checks were using check_single_address() which make it
impossible to use a mask. This was discovered in issue #399.
---
 src/firewall/core/nftables.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 811f4e71..64191d1f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -753,7 +753,7 @@ class nftables(object):
             return []
 
         rule_fragment = []
-        if check_single_address("ipv4", rich_dest.addr):
+        if check_address("ipv4", rich_dest.addr):
             rule_fragment += ["ip"]
         else:
             rule_fragment += ["ip6"]
@@ -803,7 +803,7 @@ class nftables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule_fragment += ["ip"]
             else:
                 rule_fragment += ["ip6"]
@@ -835,7 +835,7 @@ class nftables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule_fragment += ["ip"]
             else:
                 rule_fragment += ["ip6"]
@@ -869,7 +869,7 @@ class nftables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule_fragment += ["ip"]
             else:
                 rule_fragment += ["ip6"]
@@ -900,7 +900,7 @@ class nftables(object):
         rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
                 "raw_%s_allow" % (target), proto]
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule += ["ip"]
             else:
                 rule += ["ip6"]
-- 
2.19.1
Package init 2019-09-30 10:38:52 -04:00			`From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001`
			`From: Eric Garver <e@erig.me>`
			`Date: Thu, 27 Sep 2018 08:52:22 -0400`
			`Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks`

			`Some destination checks were using check_single_address() which make it`
			`impossible to use a mask. This was discovered in issue #399.`
			`---`
			`src/firewall/core/nftables.py \| 10 +++++-----`
			`1 file changed, 5 insertions(+), 5 deletions(-)`

			`diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py`
			`index 811f4e71..64191d1f 100644`
			`--- a/src/firewall/core/nftables.py`
			`+++ b/src/firewall/core/nftables.py`
			`@@ -753,7 +753,7 @@ class nftables(object):`
			`return []`

			`rule_fragment = []`
			`- if check_single_address("ipv4", rich_dest.addr):`
			`+ if check_address("ipv4", rich_dest.addr):`
			`rule_fragment += ["ip"]`
			`else:`
			`rule_fragment += ["ip6"]`
			`@@ -803,7 +803,7 @@ class nftables(object):`
			`if rich_rule:`
			`rule_fragment += self._rich_rule_family_fragment(rich_rule.family)`
			`if destination:`
			`- if check_single_address("ipv4", destination):`
			`+ if check_address("ipv4", destination):`
			`rule_fragment += ["ip"]`
			`else:`
			`rule_fragment += ["ip6"]`
			`@@ -835,7 +835,7 @@ class nftables(object):`
			`if rich_rule:`
			`rule_fragment += self._rich_rule_family_fragment(rich_rule.family)`
			`if destination:`
			`- if check_single_address("ipv4", destination):`
			`+ if check_address("ipv4", destination):`
			`rule_fragment += ["ip"]`
			`else:`
			`rule_fragment += ["ip6"]`
			`@@ -869,7 +869,7 @@ class nftables(object):`
			`if rich_rule:`
			`rule_fragment += self._rich_rule_family_fragment(rich_rule.family)`
			`if destination:`
			`- if check_single_address("ipv4", destination):`
			`+ if check_address("ipv4", destination):`
			`rule_fragment += ["ip"]`
			`else:`
			`rule_fragment += ["ip6"]`
			`@@ -900,7 +900,7 @@ class nftables(object):`
			`rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,`
			`"raw_%s_allow" % (target), proto]`
			`if destination:`
			`- if check_single_address("ipv4", destination):`
			`+ if check_address("ipv4", destination):`
			`rule += ["ip"]`
			`else:`
			`rule += ["ip6"]`
			`--`
			`2.19.1`