From f250c2c507d63419a2c263f3adb47cef93613a5f Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 2 Mar 2021 09:20:44 -0500
Subject: [PATCH] fix(ipv6_filter): match fwmark

Otherwise IPv6 rpfilter will fail if using multiple routing tables.

Fixes: #603
---
 src/firewall/core/ipXtables.py | 5 +++--
 src/firewall/core/nftables.py | 2 +-
 src/tests/regression/gh258.at | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 10d840ced..a3108448e 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1489,10 +1489,11 @@ class ip6tables(ip4tables):
 
     def build_rpfilter_rules(self, log_denied=False):
         rules = []
         rules.append([ "-I", "PREROUTING", "-t", "mangle",
-                       "-m", "rpfilter", "--invert", "-j", "DROP" ])
+                       "-m", "rpfilter", "--invert", "--validmark",
+                       "-j", "DROP" ])
         if log_denied != "off":
             rules.append([ "-I", "PREROUTING", "-t", "mangle",
-                           "-m", "rpfilter", "--invert",
+                           "-m", "rpfilter", "--invert", "--validmark",
                            "-j", "LOG", "--log-prefix", "rpfilter_DROP: " ])
         rules.append([ "-I", "PREROUTING", "-t", "mangle",
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 2ab6191e5..b896f3163 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1568,7 +1568,7 @@ def build_rpfilter_rules(self, log_denied=False):
         expr_fragments = [{"match": {"left": {"meta": {"key": "nfproto"}},
                                      "op": "==",
                                      "right": "ipv6"}},
-                          {"match": {"left": {"fib": {"flags": ["saddr", "iif"],
+                          {"match": {"left": {"fib": {"flags": ["saddr", "iif", "mark"],
                                                       "result": "oif"}},
                                      "op": "==",
                                      "right": False}}]
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index c4af357a2..8026fd229 100644
--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
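Review bot: The reason for `--validmark` lives only in the commit message; a one-line comment above the first `rules.append` in `build_rpfilter_rules` would keep it next to the rule, e.g. `# --validmark: include the packet's fwmark in the reverse-path lookup so sources reachable only via a fwmark-selected routing table are not dropped as spoofed`. The same note applies to the `"mark"` fib flag added in the nftables.py hunk, which is the nft equivalent of this option. As far as I can tell this does not relax the anti-spoofing check — packets whose source would not route back out the ingress interface are still dropped — it only makes the lookup follow the same policy-routing rules the kernel applies when forwarding, which is why the old rule misfired with multiple routing tables. `build_rpfilter_rules` continues past the end of the ipXtables.py hunk, so the remaining rules it builds are not visible here.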
@@ -79,7 +79,7 @@ IF_HOST_SUPPORTS_NFT_FIB([
 table inet firewalld {
 chain filter_PREROUTING {
 icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
-meta nfproto ipv6 fib saddr . iif oif missing drop
+meta nfproto ipv6 fib saddr . mark . iif oif missing drop
 }
 }
 ])
@@ -295,7 +295,7 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
 IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
-DROP all ::/0 ::/0 rpfilter invert
+DROP all ::/0 ::/0 rpfilter validmark invert
 PREROUTING_direct all ::/0 ::/0
 PREROUTING_POLICIES_pre all ::/0 ::/0
 PREROUTING_ZONES all ::/0 ::/0