From: Mike Yuan <me@yhndnzj.com>
Date: Sun, 18 Jan 2026 21:58:45 +0000 (+0100)
Subject: firewall-util: drop fallback for kernel < 5.8
X-Git-Tag: v260-rc1~363^2~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=58fb46ecd5f2e1bcdca2f51c27a1512b37af525b;p=thirdparty%2Fsystemd.git

firewall-util: drop fallback for kernel < 5.8
---

diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 8032e131f7e..93eef4eecf5 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -1060,7 +1060,6 @@ static int fw_nftables_add_local_dnat_internal(
 
         sd_netlink_message *messages[3] = {};
         _unused_ _cleanup_(netlink_message_unref_manyp) sd_netlink_message **unref = messages;
-        static bool ipv6_supported = true;
         uint32_t data[5], key[2], dlen;
         size_t msgcnt = 0;
         int r;
@@ -1069,9 +1068,6 @@ static int fw_nftables_add_local_dnat_internal(
         assert(add || !previous_remote);
         assert(IN_SET(af, AF_INET, AF_INET6));
 
-        if (!ipv6_supported && af == AF_INET6)
-                return -EOPNOTSUPP;
-
         if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
                 return -EPROTONOSUPPORT;
 
@@ -1125,14 +1121,6 @@ static int fw_nftables_add_local_dnat_internal(
 
         assert(msgcnt < ELEMENTSOF(messages));
         r = sd_nfnl_call_batch(nfnl, messages, msgcnt, NFNL_DEFAULT_TIMEOUT_USECS);
-        if (r == -EOVERFLOW && af == AF_INET6) {
-                /* The current implementation of DNAT in systemd requires kernel's
-                 * fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81 (v5.8), and the older kernel returns
-                 * -EOVERFLOW. Let's treat the error as -EOPNOTSUPP. */
-                log_debug_errno(r, "The current implementation of IPv6 DNAT in systemd requires kernel 5.8 or newer, ignoring: %m");
-                ipv6_supported = false;
-                return -EOPNOTSUPP;
-        }
         if (r < 0)
                 return r;