From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 27 Sep 2018 08:52:22 -0400
Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks

Some destination checks were using check_single_address() which make it impossible to use a mask. This was discovered in issue #399.
---
 src/firewall/core/nftables.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 811f4e71..64191d1f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -753,7 +753,7 @@ class nftables(object):
 return []
 rule_fragment = []
- if check_single_address("ipv4", rich_dest.addr):
+ if check_address("ipv4", rich_dest.addr):
 rule_fragment += ["ip"]
 else:
 rule_fragment += ["ip6"]
@@ -803,7 +803,7 @@ class nftables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
 if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
 rule_fragment += ["ip"]
 else:
 rule_fragment += ["ip6"]
@@ -835,7 +835,7 @@ class nftables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
 if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
 rule_fragment += ["ip"]
 else:
 rule_fragment += ["ip6"]
@@ -869,7 +869,7 @@ class nftables(object):
 if rich_rule:
 rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
 if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
 rule_fragment += ["ip"]
 else:
 rule_fragment += ["ip6"]
@@ -900,7 +900,7 @@ class nftables(object):
 rule = [add_del, "rule", "inet", "%s" % TABLE_NAME, "raw_%s_allow" % (target), proto]
 if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
 rule += ["ip"]
 else:
 rule += ["ip6"]
-- 
2.19.1
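Review bot: The `else` branch in the hunk at 753 (and identically in the hunks at 803, 835, 869 and 900) still treats every destination that fails `check_address("ipv4", ...)` as IPv6 without checking it, so a malformed value is emitted after `ip6` and, unless a caller outside these hunks validates it, would only be rejected when nft parses the rule. Making the fallback explicit, `elif check_address("ipv6", destination): rule_fragment += ["ip6"]` with a final `else` that raises an invalid-address error, keeps a bad address out of the generated rule and gives the user a clear error. Because the same four-line family selection is now repeated five times, a small private helper that returns `"ip"` or `"ip6"` for a destination would keep the sites from drifting apart again. The enclosing methods start and end outside the hunks, so any upstream validation is not visible here.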