firewall-util: refuse IPv6 firewall rules when kernel does not support IPv6
authorYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 23 Mar 2021 03:02:54 +0000 (12:02 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 23 Mar 2021 06:17:44 +0000 (15:17 +0900)
src/shared/firewall-util-nft.c

index 1c6a25c4c0c27e8092d1b6ef6facc8b3fd01e1b1..ecabc5fc4042b8a8e2084bd4ca1778f40ef623d3 100644 (file)
@@ -756,9 +756,11 @@ int fw_nftables_init(FirewallContext *ctx) {
         if (r < 0)
                 return r;
 
-        r = fw_nftables_init_family(nfnl, AF_INET6);
-        if (r < 0)
-                log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+        if (socket_ipv6_is_supported()) {
+                r = fw_nftables_init_family(nfnl, AF_INET6);
+                if (r < 0)
+                        log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+        }
 
         ctx->nfnl = TAKE_PTR(nfnl);
         return 0;
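Review bot: When `socket_ipv6_is_supported()` is false, the new branch in fw_nftables_init() skips the AF_INET6 table without logging anything. The function also still returns 0 when `fw_nftables_init_family(nfnl, AF_INET6)` fails, so the return value never tells an operator or caller whether IPv6 NAT was actually set up. Since a silently missing rule set is hard to diagnose, I would add an `else` branch with `log_debug("IPv6 is not supported by the kernel, skipping IPv6 NAT table setup.");`. I would also put a comment above the block such as `/* IPv6 NAT is best-effort: failure here is logged but does not fail init. */`. The start of fw_nftables_init() is outside this hunk, so whether callers check IPv6 availability some other way cannot be confirmed from here.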
@@ -902,6 +904,9 @@ int fw_nftables_add_masquerade(
 
         int r;
 
+        if (!socket_ipv6_is_supported() && af == AF_INET6)
+                return -EOPNOTSUPP;
+
         r = fw_nftables_add_masquerade_internal(ctx, add, af, source, source_prefixlen);
         if (r != -ENOENT)
                 return r;
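Review bot: The guard in fw_nftables_add_masquerade() evaluates `socket_ipv6_is_supported()` before looking at `af`, so the check runs on every call, including pure IPv4 ones. The same condition is repeated in fw_nftables_add_local_dnat() in the next hunk. If that helper probes the kernel on each call (its definition is not visible here), testing the cheap condition first avoids the extra work: `if (af == AF_INET6 && !socket_ipv6_is_supported())`. The new `-EOPNOTSUPP` return is also worth documenting in a comment on both functions, so callers distinguish "IPv6 rule not installed because the kernel lacks IPv6" from a real failure rather than assuming the rule exists. Both function bodies continue outside their hunks.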
@@ -1048,6 +1053,9 @@ int fw_nftables_add_local_dnat(
 
         int r;
 
+        if (!socket_ipv6_is_supported() && af == AF_INET6)
+                return -EOPNOTSUPP;
+
         r = fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
         if (r != -ENOENT)
                 return r;