From d8706caef27c98487e32cb70b093b4ad4f4f26fa Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Thu, 15 Jul 2021 08:45:27 +0200
Subject: [PATCH] firewall/nftables: only configure "ip" address familiar for masquerading

nftables' "inet" family is both for IPv4 and IPv6, while we only want to configure rules for IPv4.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/760
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/928

(cherry picked from commit b49a168935865789589105ca134bd0762285c822)
---
 src/core/nm-firewall-utils.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 3f2251569f..a2446553b7 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -613,17 +613,17 @@ _fw_nft_set(gboolean add, const char *ip_iface, in_addr_t addr, guint8 plen)
 #define _append(p_strbuf, fmt, ...) nm_str_buf_append_printf((p_strbuf), "" fmt "\n", ##__VA_ARGS__)
- _append(&strbuf, "add table inet %s", table_name);
- _append(&strbuf, "%s table inet %s", add ? "flush" : "delete", table_name);
+ _append(&strbuf, "add table ip %s", table_name);
+ _append(&strbuf, "%s table ip %s", add ? "flush" : "delete", table_name);
 if (add) {
 _append(&strbuf,
- "add chain inet %s nat_postrouting {"
+ "add chain ip %s nat_postrouting {"
 " type nat hook postrouting priority 100; policy accept; "
 "};",
 table_name);
 _append(&strbuf,
- "add rule inet %s nat_postrouting ip saddr %s ip daddr != %s masquerade;",
+ "add rule ip %s nat_postrouting ip saddr %s ip daddr != %s masquerade;",
 table_name,
 str_subnet,
 str_subnet);
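Review bot: Switching the table family from `inet` to `ip` means the `delete table ip %s` line on the remove path (and the `flush` on re-add) no longer touches a table of the same name in the `inet` family, so a table created by a daemon running the previous version could keep its masquerade and forward rules after an upgrade; this hunk and the next one both assume that legacy table is already gone. The same add-then-delete idiom the hunk already relies on for the `ip` table could retire the old one, e.g. `_append(&strbuf, "add table inet %s", table_name);` followed by `_append(&strbuf, "delete table inet %s", table_name);` ahead of the `ip` lines, assuming nft applies the batch in order. Whether a stale `inet` table can actually survive a restart depends on how the caller sequences the remove call, which is not visible here. A one-line comment such as `/* "ip" family only: an "inet" table would also match IPv6 traffic */` on the `add table ip %s` line would record why the family was narrowed. `_fw_nft_set()` begins and ends outside this hunk.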
@@ -634,41 +634,41 @@ _fw_nft_set(gboolean add, const char *ip_iface, in_addr_t addr, guint8 plen)
 */
 /*
 _append(&strbuf,
- "add chain inet %s filter_input {"
+ "add chain ip %s filter_input {"
 " type filter hook input priority 0; policy accept; "
 "};",
 table_name);
- _append(&strbuf, "add rule inet %s filter_input tcp dport { 67, 53 } accept;", table_name);
- _append(&strbuf, "add rule inet %s filter_input udp dport { 67, 53 } accept;", table_name);
+ _append(&strbuf, "add rule ip %s filter_input tcp dport { 67, 53 } accept;", table_name);
+ _append(&strbuf, "add rule ip %s filter_input udp dport { 67, 53 } accept;", table_name);
 */
 _append(&strbuf,
- "add chain inet %s filter_forward {"
+ "add chain ip %s filter_forward {"
 " type filter hook forward priority 0; policy accept; "
 "};",
 table_name);
 _append(&strbuf,
- "add rule inet %s filter_forward ip daddr %s oifname \"%s\" "
+ "add rule ip %s filter_forward ip daddr %s oifname \"%s\" "
 " ct state { established, related } accept;",
 table_name,
 str_subnet,
 ip_iface);
 _append(&strbuf,
- "add rule inet %s filter_forward ip saddr %s iifname \"%s\" accept;",
+ "add rule ip %s filter_forward ip saddr %s iifname \"%s\" accept;",
 table_name,
 str_subnet,
 ip_iface);
 _append(&strbuf,
- "add rule inet %s filter_forward iifname \"%s\" oifname \"%s\" accept;",
+ "add rule ip %s filter_forward iifname \"%s\" oifname \"%s\" accept;",
 table_name,
 ip_iface,
 ip_iface);
 _append(&strbuf,
- "add rule inet %s filter_forward iifname \"%s\" reject;",
+ "add rule ip %s filter_forward iifname \"%s\" reject;",
 table_name,
 ip_iface);
 _append(&strbuf,
- "add rule inet %s filter_forward oifname \"%s\" reject;",
+ "add rule ip %s filter_forward oifname \"%s\" reject;",
 table_name,
 ip_iface);
 }