firewalld/nftables-fix-destination-checks-not-allowing-masks.patch

From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 27 Sep 2018 08:52:22 -0400
Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks

Some destination checks were using check_single_address() which make it
impossible to use a mask. This was discovered in issue #399.
---
 src/firewall/core/nftables.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 811f4e71..64191d1f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -753,7 +753,7 @@ class nftables(object):
             return []
 
         rule_fragment = []
-        if check_single_address("ipv4", rich_dest.addr):
+        if check_address("ipv4", rich_dest.addr):
             rule_fragment += ["ip"]
         else:
             rule_fragment += ["ip6"]
@@ -803,7 +803,7 @@ class nftables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule_fragment += ["ip"]
             else:
                 rule_fragment += ["ip6"]
@@ -835,7 +835,7 @@ class nftables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule_fragment += ["ip"]
             else:
                 rule_fragment += ["ip6"]
@@ -869,7 +869,7 @@ class nftables(object):
         if rich_rule:
             rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule_fragment += ["ip"]
             else:
                 rule_fragment += ["ip6"]
@@ -900,7 +900,7 @@ class nftables(object):
         rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
                 "raw_%s_allow" % (target), proto]
         if destination:
-            if check_single_address("ipv4", destination):
+            if check_address("ipv4", destination):
                 rule += ["ip"]
             else:
                 rule += ["ip6"]
-- 
2.19.1