bundles/nftables: add support for restricting to "all ipv6" and "all ipv4"

2021-12-14 12:40:54 +01:00 · 2021-12-14 12:40:54 +01:00 · c6c5d40084
parent d2f1bb406d
commit c6c5d40084
1 changed files with 5 additions and 1 deletions
--- a/bundles/nftables/metadata.py
+++ b/bundles/nftables/metadata.py
@ -58,7 +58,7 @@ def port_rules_to_nftables(metadata):
            if port == '*' and target == '*':
                raise BundleError('firewall/port_rules: setting both port and target to * is unsupported')

-            comment = f'# port_rules {target}'
+            comment = f'comment "port_rules {target}"'

            if port != '*':
                if ':' in port:
@ -73,6 +73,10 @@ def port_rules_to_nftables(metadata):

            if target == '*':
                ruleset.add(f'{prefix}{proto} {port_str}accept {comment}')
+            elif target == 'ipv4':
+                ruleset.add(f'{prefix}{proto} {port_str}ip version 4 accept {comment}')
+            elif target == 'ipv6':
+                ruleset.add(f'{prefix}{proto} {port_str}ip6 version 6 accept {comment}')
            else:
                resolved = repo.libs.tools.resolve_identifier(repo, target)