authorStijn Tintel2021-11-06 00:29:37 +0000
committerStijn Tintel2022-01-06 12:52:02 +0000
commitbe5f4e33c6388935651e6a87c4e5348ade0bd714 (patch)
tree8c33c96da1eec7b8cf76ce9bf5a25acf05f3eaa6
parent5e7ad3b44041d044b8221fc38588aca7d6ef066f (diff)
downloadfirewall4-be5f4e33c6388935651e6a87c4e5348ade0bd714.tar.gz
fw4.uc: allow use of cidr in ipsets
Sets of type ipv4_addr or ipv6_addr support entries in CIDR notation. However, parse_ipsetentry ignores them. Fix this by using parse_subnet instead of iptoarr. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Reviewed-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--root/usr/share/ucode/fw4.uc25
1 files changed, 17 insertions, 8 deletions
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index cfbd632..bfc568e 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1268,21 +1268,28 @@ return {
for (let i, t in set.types) {
switch (t) {
case 'ipv4_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 4));
- if (length(ip) != 4)
- return null;
+ switch (length(ip)) {
+ case 0: return null;
+ case 1: break;
+ default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
- rv[i] = arrtoip(ip);
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
break;
case 'ipv6_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 6));
- if (length(ip) != 16)
- return null;
+ switch(length(ip)) {
+ case 0: return null;
+ case 1: break;
+ case 2: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
+
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
- rv[i] = arrtoip(ip);
break;
case 'ether_addr':
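Review bot: The ipv6_addr branch only warns when exactly two addresses come back (`case 2:`), so an entry that resolves to three or more IPv6 addresses silently uses the first one with no warning, while the ipv4_addr branch correctly uses `default:` for this; the ipv6 switch should read `default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);` as well. Separately, when the set's fw4types does not contain 'net', the `rv[i] = ... : ip[0].addr` expression in both branches drops any prefix the user wrote, so an entry such as 10.0.0.0/8 in an ip-typed set would quietly become the single host 10.0.0.0 where the old iptoarr path rejected it, which can silently narrow a block or allow list. If parse_subnet reports the full address length in `bits` for plain addresses (not visible here), a guard like `if (!("net" in set.fw4types) && ip[0].bits < (t == 'ipv4_addr' ? 32 : 128)) this.warn("Set entry '%s' carries a prefix but set type is not 'net', prefix ignored", values[i]);` would make that narrowing visible to the operator. The enclosing parse_ipsetentry function starts and ends outside this hunk.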
@@ -2774,6 +2781,8 @@ return {
let s = {
...ipset,
+ fw4types: types,
+
types: map(types, (t) => {
switch (t) {
case 'ip':