fix(nftables): set: correctly match iifname/oifname

For sets that match iface, the match for iifname/oifname was backwards. firewalld#1399 (comment)
okapia · Oct 31, 2024 · 9089bdb · 9089bdb
1 parent d155cd3
commit 9089bdb
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
@@ -2819,7 +2819,7 @@ def _set_match_fragment(self, name, match_dest, invert=False):
                 )
             elif format == "iface":
                 fragments.append(
-                    {"meta": {"key": "iifname" if match_dest else "oifname"}}
+                    {"meta": {"key": "oifname" if match_dest else "iifname"}}
                 )
             elif format == "mark":
                 fragments.append({"meta": {"key": "mark"}})

diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
@@ -1031,9 +1031,9 @@ FWD_START_TEST([ipset])
     NFT_LIST_RULES([inet], [filter_INPUT_POLICIES], 0, [dnl
         table inet firewalld {
             chain filter_INPUT_POLICIES {
-                ip saddr . oifname @foobar jump filter_IN_policy_allow-host-ipv6
-                ip saddr . oifname @foobar jump filter_IN_internal
-                ip saddr . oifname @foobar reject with icmpx admin-prohibited
+                ip saddr . iifname @foobar jump filter_IN_policy_allow-host-ipv6
+                ip saddr . iifname @foobar jump filter_IN_internal
+                ip saddr . iifname @foobar reject with icmpx admin-prohibited
                 jump filter_IN_policy_allow-host-ipv6
                 jump filter_IN_public
                 reject with icmpx admin-prohibited