From 0c4363a0052ffaafc7d7571d148cb77dd795ebd3 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 23 Mar 2021 12:02:54 +0900
Subject: [PATCH] firewall-util: refuse IPv6 firewall rules when kernel does not support IPv6
---
 src/shared/firewall-util-nft.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c
index 1c6a25c4c0..ecabc5fc40 100644
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -756,9 +756,11 @@ int fw_nftables_init(FirewallContext *ctx) {
 if (r < 0)
 return r;
- r = fw_nftables_init_family(nfnl, AF_INET6);
- if (r < 0)
- log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+ if (socket_ipv6_is_supported()) {
+ r = fw_nftables_init_family(nfnl, AF_INET6);
+ if (r < 0)
+ log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+ }
 ctx->nfnl = TAKE_PTR(nfnl);
 return 0;
@@ -902,6 +904,9 @@ int fw_nftables_add_masquerade(
 int r;
+ if (!socket_ipv6_is_supported() && af == AF_INET6)
+ return -EOPNOTSUPP;
+
 r = fw_nftables_add_masquerade_internal(ctx, add, af, source, source_prefixlen);
 if (r != -ENOENT)
 return r;
@@ -1048,6 +1053,9 @@ int fw_nftables_add_local_dnat(
 int r;
+ if (!socket_ipv6_is_supported() && af == AF_INET6)
+ return -EOPNOTSUPP;
+
 r = fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
 if (r != -ENOENT)
 return r;
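Review bot: The new `if (socket_ipv6_is_supported())` branch in fw_nftables_init() skips the AF_INET6 table silently, and the function still returns 0, so nothing records that the context was set up for IPv4 only. An `else` with a debug message such as `log_debug("IPv6 is not supported by the kernel, skipping ipv6 NAT setup.");` would let an operator tell this case apart from the existing "Failed to init ipv6 NAT" path when working out why no IPv6 rules exist. The support check is evaluated again in fw_nftables_add_masquerade() and fw_nftables_add_local_dnat(); if its result is not cached (not visible here), the answer at rule-add time can differ from the one taken at init, which is worth a one-line comment. The function body starts outside the hunk.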
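Review bot: The guard `if (!socket_ipv6_is_supported() && af == AF_INET6)` in fw_nftables_add_masquerade() calls the support probe on every request, IPv4 included; writing it as `if (af == AF_INET6 && !socket_ipv6_is_supported())` short-circuits for AF_INET and reads in the order the condition is meant. The same line appears in fw_nftables_add_local_dnat() in the next hunk and would take the same change. Both functions now return -EOPNOTSUPP, also when `add` is false, so a comment above each (or on the declarations) should state that callers get -EOPNOTSUPP for AF_INET6 on a kernel without IPv6 and must decide whether to treat it as fatal. Both function bodies begin and continue outside the hunks.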