From 572cb102d7ccedbd6a15ca5483cedcac0e7eb7cf Mon Sep 17 00:00:00 2001
From: Domingo Dirutigliano
Date: Fri, 22 Sep 2023 20:56:58 +0200
Subject: [PATCH] fix reject action on output

---
 backend/modules/firewall/nftables.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/modules/firewall/nftables.py b/backend/modules/firewall/nftables.py
index 6acf10a..a5b3c37 100644
--- a/backend/modules/firewall/nftables.py
+++ b/backend/modules/firewall/nftables.py
@@ -84,5 +84,7 @@ class FiregexTables(NFTableManager):
 "expr": [
 {'match': {'left': {'payload': {'protocol': ip_family(srv.ip_src), 'field': 'saddr'}}, 'op': '==', 'right': nftables_int_to_json(srv.ip_src)}},
 {'match': {'left': {'payload': {'protocol': ip_family(srv.ip_dst), 'field': 'daddr'}}, 'op': '==', 'right': nftables_int_to_json(srv.ip_dst)}},
- ] + port_filters + [{'accept': None} if srv.action == "accept" else {'reject': {}} if srv.action == "reject" else {'drop': None}]
+ ] + port_filters +
+ [{'accept': None} if srv.action == "accept" else {'reject': {}} if (srv.action == "reject" and not srv.output_mode) else {'drop': None}]
+ #If srv.output_mode is True, then the rule is in the output chain, so the reject action is not allowed
 }}})
\ No newline at end of file
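Review bot: The `and not srv.output_mode` clause on the second added line silently turns a service configured with action `reject` into a `drop` verdict when the rule lands in the output chain, so the operator's stated policy is changed with no log entry or error; the fallback should at least be recorded before the rule dict is built, e.g. `if srv.action == "reject" and srv.output_mode: log.warning("reject verdict unsupported in output mode, falling back to drop")` (using whatever logger this module has in scope), or rejected at validation time. The trailing `#If srv.output_mode ...` comment asserts that reject is not allowed in the output chain but gives no reason; as far as I recall nftables does accept `reject` in output hooks for the ip/ip6/inet families, so if this was driven by an actual nft error the comment should quote it so a later maintainer can re-check the restriction. The three-way conditional expression is now hard to read; a small helper such as `_verdict(action, output_mode)` returning the verdict dict would make the accept/reject/drop mapping explicit. The enclosing method begins outside the hunk, so whether `srv.output_mode` is guaranteed to exist on every `srv` passed here cannot be confirmed from this diff.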