From: Yu Watanabe
Date: Tue, 23 Mar 2021 03:02:54 +0000 (+0900)
Subject: firewall-util: refuse IPv6 firewall rules when kernel does not support IPv6
X-Git-Tag: v248-2~23^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c4363a0052ffaafc7d7571d148cb77dd795ebd3;p=thirdparty%2Fsystemd.git
firewall-util: refuse IPv6 firewall rules when kernel does not support IPv6
---
diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c
index 1c6a25c4c0c..ecabc5fc404 100644
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -756,9 +756,11 @@ int fw_nftables_init(FirewallContext *ctx) {
 if (r < 0)
 return r;
- r = fw_nftables_init_family(nfnl, AF_INET6);
- if (r < 0)
- log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+ if (socket_ipv6_is_supported()) {
+ r = fw_nftables_init_family(nfnl, AF_INET6);
+ if (r < 0)
+ log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+ }
 ctx->nfnl = TAKE_PTR(nfnl);
 return 0;
@@ -902,6 +904,9 @@ int fw_nftables_add_masquerade(
 int r;
+ if (!socket_ipv6_is_supported() && af == AF_INET6)
+ return -EOPNOTSUPP;
+
 r = fw_nftables_add_masquerade_internal(ctx, add, af, source, source_prefixlen);
 if (r != -ENOENT)
 return r;
@@ -1048,6 +1053,9 @@ int fw_nftables_add_local_dnat(
 int r;
+ if (!socket_ipv6_is_supported() && af == AF_INET6)
+ return -EOPNOTSUPP;
+
 r = fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
 if (r != -ENOENT)
 return r;
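Review bot: The new `if (socket_ipv6_is_supported())` branch in fw_nftables_init() skips the AF_INET6 family without leaving any trace, while the failure path inside it still logs at debug level. Someone diagnosing why IPv6 NAT rules are absent on a host cannot tell "the kernel has no IPv6" from "init was never attempted"; an `else` arm with `log_debug("IPv6 is not supported by the kernel, skipping IPv6 NAT initialization.");` would keep the two outcomes distinguishable. The probe is also evaluated only once at init time, so if IPv6 support appears later the table presumably has to come from the -ENOENT fallback in the add functions, which lies outside this hunk; a short comment stating that assumption would help. The function body starts before the hunk.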
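Review bot: In the guard added to fw_nftables_add_masquerade() the kernel probe runs before the address-family test, so every AF_INET call also pays for socket_ipv6_is_supported(); `if (af == AF_INET6 && !socket_ipv6_is_supported())` short-circuits on the cheap comparison first. The identical line is added to fw_nftables_add_local_dnat() in the next hunk and the same applies there. -EOPNOTSUPP is a new return value for both functions and is returned for `add == false` as well, so callers (not visible here) that remove rules on teardown likely want to treat it as "nothing to remove" rather than as a failure; a one-line comment above the guard, e.g. `/* Fail early with a distinct error when the kernel has no IPv6, for both add and remove. */`, would document that contract. Both signatures start before their hunks and the bodies continue past them.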