| author | Jo-Philipp Wich | 2022-05-30 17:28:12 +0000 |
|---|---|---|
| committer | Jo-Philipp Wich | 2022-05-30 17:30:38 +0000 |
| commit | c7c9c84b2fcf5c3b122e5072b9976744d6c70382 (patch) | |
| tree | a1c275c59c27f598a93f2015bfd41130621ad379 | |
| parent | c4a78edb617a7157c5aa9f61cee2e2afc3ea2099 (diff) | |
| download | firewall4-c7c9c84b2fcf5c3b122e5072b9976744d6c70382.tar.gz | |
fw4: ensure that negative bitcounts are properly translated
Set bits to `-1` after converting a negative count into an inverted mask,
in order to ensure that the resulting subnet list is properly grouped
and rendered later on.
Also add some minimal test coverage for this case.
Fixes: #9764
Fixes: c22eeef ("fw4: support negative CIDR bit notation")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | root/usr/share/ucode/fw4.uc | 1 | ||||
| -rw-r--r-- | tests/03_rules/06_subnet_mask_matches | 8 |
2 files changed, 9 insertions, 0 deletions
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 6443950..02341cb 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -840,6 +840,7 @@ return {
  return null;
 
  m = to_mask(b, length(a) == 16);
+ b = max(-1, b);
  }
 
  return [{
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index b057e2c..89b4f7b 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -71,6 +71,13 @@ permutations of rules need to be emitted.
  "!::15/128",
  "!::16/128"
  ]
+ },
+ {
+ ".description": "Ensure that CIDRs with negative bitcount are properly translated",
+ "proto": "all",
+ "name": "Mask rule #3",
+ "src_ip": "::1/-64",
+ "dest_ip": "!::2/-64"
  }
  ],
  "redirect": [
@@ -159,6 +166,7 @@ table inet fw4 {
  ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
  ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
  ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
+ ip6 saddr & ::ffff:ffff:ffff:ffff == ::1 ip6 daddr & ::ffff:ffff:ffff:ffff != ::2 counter comment "!fw4: Mask rule #3"
  oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
  oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
  oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" |
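Review bot: The added `b = max(-1, b);` is an undocumented sentinel: nothing in the hunk says why a negative bitcount is collapsed to -1 rather than left as is, and the ordering constraint (it must stay after `to_mask(b, ...)`, which still consumes the signed count) is invisible to the next reader. I would put a comment above it, along the lines of `// negative bitcounts were already folded into m by to_mask(); normalise them to -1 so the entry is grouped and rendered as a plain mask match rather than a prefix` — the commit message implies -1 is what the later grouping/rendering code expects, but that code is outside this hunk, so the exact meaning should be confirmed against it. This matters beyond style: before the fix a negative count produced an entry the renderer did not group correctly, i.e. a rule silently diverging from the configured match, which is the kind of failure a firewall should never hide. The enclosing function starts and ends outside the hunk.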
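Review bot: The new "Mask rule #3" case only exercises IPv6 negative bitcounts (`"::1/-64"` and `"!::2/-64"`); since the clamp in fw4.uc sits on the shared path where `to_mask()` is called with an `is IPv6` flag derived from the address length, the IPv4 branch of the same fix has no coverage here. Adding one IPv4 entry with a negative count to this rule (a constructed example such as `"src_ip": "10.0.0.1/-8"`) and the matching expected nft line in the output section below would pin both families; I cannot see `to_mask()`'s IPv4 handling, so whether that input is accepted should be checked first. The negated form is only tested on `dest_ip`, so a negated IPv4 source would complete the matrix.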