| author | Stijn Tintel | 2021-11-06 00:29:37 +0000 |
|---|---|---|
| committer | Stijn Tintel | 2022-01-06 12:52:02 +0000 |
| commit | be5f4e33c6388935651e6a87c4e5348ade0bd714 (patch) | |
| tree | 8c33c96da1eec7b8cf76ce9bf5a25acf05f3eaa6 | |
| parent | 5e7ad3b44041d044b8221fc38588aca7d6ef066f (diff) | |
| download | firewall4-be5f4e33c6388935651e6a87c4e5348ade0bd714.tar.gz | |
fw4.uc: allow use of cidr in ipsets
Sets of type ipv4_addr or ipv6_addr support entries in CIDR notation.
However, parse_ipsetentry ignores them. Fix this by using
parse_subnet instead of iptoarr.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | root/usr/share/ucode/fw4.uc | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index cfbd632..bfc568e 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1268,21 +1268,28 @@ return {
 for (let i, t in set.types) {
 switch (t) {
 case 'ipv4_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 4));
- if (length(ip) != 4)
- return null;
+ switch (length(ip)) {
+ case 0: return null;
+ case 1: break;
+ default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
- rv[i] = arrtoip(ip);
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
 break;
 case 'ipv6_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 6));
- if (length(ip) != 16)
- return null;
+ switch(length(ip)) {
+ case 0: return null;
+ case 1: break;
+ case 2: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
+
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
- rv[i] = arrtoip(ip);
 break;
 case 'ether_addr':
@@ -2774,6 +2781,8 @@ return {
 let s = {
 ...ipset,
+ fw4types: types,
+
 types: map(types, (t) => {
 switch (t) {
 case 'ip': |
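Review bot: The ipv6_addr arm of the first hunk only warns when parse_subnet yields exactly two results (`case 2:`), so an entry that resolves to three or more addresses falls out of the switch silently and the first one is used with no notice, while the ipv4_addr arm above handles the same situation with `default:`. Change the ipv6 arm to `default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);` so both families report the same condition, which matters because a silently dropped address means the set does not contain what the configuration author wrote. While there, `switch(length(ip)) {` should be spelled `switch (length(ip)) {` to match the ipv4 arm. The enclosing function starts and ends outside the hunk.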
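Review bot: `fw4types: types,` in the second hunk is an undocumented second copy of the type list sitting next to the mapped `types`, and nothing in the object literal says why both are kept; only the first hunk's `"net" in set.fw4types` test reveals that the unmapped names decide whether an entry is emitted with its `/bits` suffix. A one-line comment above the field, such as `// unmapped fw4 type names; "net" here means entries keep their prefix length`, would make that relationship visible where the field is defined. The object literal continues past the end of the hunk.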