From 445f0b81cb5de8c536e8e225c668b7159a1b1976 Mon Sep 17 00:00:00 2001
From: Peter Turner <pturner@uwalumni.com>
Date: Thu, 17 Oct 2024 13:26:16 -0500
Subject: [PATCH 1/2] fix(nftables): set: correctly match iifname/oifname
For sets that match iface, the match for iifname/oifname was backwards.
https://github.com/firewalld/firewalld/issues/1399#issuecomment-2420036920
---
src/firewall/core/nftables.py | 2 +-
src/tests/cli/firewall-cmd.at | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1647,7 +1647,7 @@ class nftables(object):
fragments.append({"payload": {"protocol": self._set_get_family(name),
"field": "daddr" if match_dest else "saddr"}})
elif format == "iface":
- fragments.append({"meta": {"key": "iifname" if match_dest else "oifname"}})
+ fragments.append({"meta": {"key": "oifname" if match_dest else "iifname"}})
elif format == "mark":
fragments.append({"meta": {"key": "mark"}})
else:
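Review bot: The corrected line `fragments.append({"meta": {"key": "oifname" if match_dest else "iifname"}})` now agrees with the `"daddr" if match_dest else "saddr"` choice two branches up, but nothing in the code says why source-side goes with the ingress interface and destination-side with the egress interface, which is exactly the pairing that was inverted before; a one-line comment would keep a later edit from re-swapping it: `# mirror the saddr/daddr choice: source matches use iifname (ingress), destination matches use oifname (egress)`. It may also be worth recording the impact somewhere: with the old pairing a source-side set rule in filter_INPUT_POLICIES emitted `oifname` (see the removed lines in the test hunk), and as I read nftables that key has nothing to match in the input path, so accept/reject rules keyed on an interface set would presumably never fire rather than fail closed. The enclosing function starts before this hunk.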
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1031,9 +1031,9 @@ FWD_START_TEST([ipset])
NFT_LIST_RULES([inet], [filter_INPUT_POLICIES], 0, [dnl
table inet firewalld {
chain filter_INPUT_POLICIES {
- ip saddr . oifname @foobar jump filter_IN_policy_allow-host-ipv6
- ip saddr . oifname @foobar jump filter_IN_internal
- ip saddr . oifname @foobar reject with icmpx admin-prohibited
+ ip saddr . iifname @foobar jump filter_IN_policy_allow-host-ipv6
+ ip saddr . iifname @foobar jump filter_IN_internal
+ ip saddr . iifname @foobar reject with icmpx admin-prohibited
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_public
reject with icmpx admin-prohibited
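Review bot: The updated expectations `ip saddr . iifname @foobar ...` exercise only the `match_dest` false path; the symmetric half of the swap, `ip daddr . oifname @foobar` in a chain that matches the set as destination, is not pinned by this hunk as far as I can see, so a regression on the `"oifname" if match_dest` side would still pass this test. One additional `NFT_LIST_RULES` check on such a chain, expecting `ip daddr . oifname @foobar jump ...`, would close that gap. Whether a policy matching the set as destination is set up elsewhere in this test is outside the hunk.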