From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 11 Oct 2018 11:58:22 -0400
Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone

Also add test coverage.

Fixes: #406
---
 src/firewall/core/nftables.py | 3 ++-
 src/tests/firewall-cmd.at | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 8a305539..3c871069 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -619,7 +619,8 @@ class nftables(object):
 target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
 chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
 rules.append(["add", "rule", family, "%s" % TABLE_NAME,
- "%s_%s" % (table, _zone), target.lower()])
+ "%s_%s" % (table, _zone),
+ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
 return rules
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index ef45110c..b7ec3816 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
 FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
 FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
 ])
+ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
+ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
 FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
 FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
-- 
2.19.1
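Review bot: The last added line in the nftables.py hunk keeps `%%REJECT%%` out of `.lower()` without saying why, and the literal now appears three times in one statement, so a later cleanup could easily fold it back into `target.lower()`. I would name the value first, `verdict = target if target == "%%REJECT%%" else target.lower()`, and put a comment above it such as `# %%REJECT%% is a placeholder and must keep its case; only literal verdicts are lower-cased`. That the placeholder is matched case-sensitively elsewhere is inferred from the fix, not visible in this hunk. This rule is the terminal verdict of the zone that refuses traffic, so the intent is worth pinning in the code as well as in the test. The enclosing method begins outside the hunk.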