firewalld/nftables-fix-rich-rule-masquerade.patch

From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 17:16:30 -0500
Subject: [PATCH 049/127] nftables: fix rich rule masquerade

---
 src/firewall/core/nftables.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 44cd4f9e..00a02ad1 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -900,7 +900,6 @@ class nftables(object):
 
         rule_fragment = []
         if rich_rule:
-            rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
             rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
             rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
 
@@ -912,10 +911,10 @@ class nftables(object):
         # nat tables needs to use ip/ip6 family
         rules = []
         if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
-           or rich_rule.source and check_address("ipv6", rich_rule.source)):
+           or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
-        if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
-           or rich_rule.source and check_address("ipv4", rich_rule.source)):
+        elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+           or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
         else:
             rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
-- 
2.19.1
Package init 2019-09-30 10:38:52 -04:00			`From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001`
			`From: Eric Garver <e@erig.me>`
			`Date: Wed, 5 Dec 2018 17:16:30 -0500`
			`Subject: [PATCH 049/127] nftables: fix rich rule masquerade`

			`---`
			`src/firewall/core/nftables.py \| 7 +++----`
			`1 file changed, 3 insertions(+), 4 deletions(-)`

			`diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py`
			`index 44cd4f9e..00a02ad1 100644`
			`--- a/src/firewall/core/nftables.py`
			`+++ b/src/firewall/core/nftables.py`
			`@@ -900,7 +900,6 @@ class nftables(object):`

			`rule_fragment = []`
			`if rich_rule:`
			`- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)`
			`rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)`
			`rule_fragment += self._rich_rule_source_fragment(rich_rule.source)`

			`@@ -912,10 +911,10 @@ class nftables(object):`
			`# nat tables needs to use ip/ip6 family`
			`rules = []`
			`if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"`
			`- or rich_rule.source and check_address("ipv6", rich_rule.source)):`
			`+ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):`
			`rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))`
			`- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"`
			`- or rich_rule.source and check_address("ipv4", rich_rule.source)):`
			`+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"`
			`+ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):`
			`rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))`
			`else:`
			`rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))`
			`--`
			`2.19.1`