authorJo-Philipp Wich2025-03-17 15:49:34 +0000
committerJo-Philipp Wich2025-03-17 15:49:39 +0000
commitedfdfc6df48477e449935955d637b5f957f6c825 (patch)
tree2e75ff54d2970d1af6b61923b893114c7fc8b4ed
parent97962771aa3c490d6186e64015f85dd66254fdf0 (diff)
Revert "fw4: allow family `any` for ipsets not matching IP addresses"
This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1. The proposed change does not cover all cases. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--root/usr/share/ucode/fw4.uc13
1 files changed, 6 insertions, 7 deletions
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 5d2026d..2d77146 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {
/* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
- add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
+ add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
}
/* we need to emit one or two AF specific rules */
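Review bot: The literal `null` now passed in the ipset position of the AF-agnostic `add_rule(0, ...)` call has no comment saying why the rule's set is deliberately left out. It appears to rely on every set carrying a concrete family, so that a rule with a set match never reaches this branch; that invariant is not visible in this hunk. If it ever failed, the rule would be emitted without its set match and would match more traffic than configured. After confirming the invariant, I would add a comment above the call such as `/* sets always have a concrete family, so a rule with a set match never takes the AF-agnostic path */`. The enclosing function starts and ends outside the hunk.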
@@ -3305,7 +3305,11 @@ return {
return;
}
- if (!length(ipset.match)) {
+ if (ipset.family == 0) {
+ this.warn_section(data, "must not specify family 'any'");
+ return;
+ }
+ else if (!length(ipset.match)) {
this.warn_section(data, "has no datatypes assigned");
return;
}
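Review bot: The restored `ipset.family == 0` guard rejects family 'any' for every set, including ones with no address datatypes, but nothing at the check records why; the commit message only says the earlier relaxation did not cover all cases. A comment above it such as `/* family 'any' is rejected for all sets, not only 'ip'/'net' ones; relaxing this was tried in ad3cba79 and reverted */` would stop the next reader from re-proposing the same change. Configurations written against the reverted commit will now have such sets dropped with a warning, and it is worth confirming outside this hunk that rules referencing a dropped set are skipped rather than emitted without the match. As a style point, the `else if` follows a branch that ends in `return`, so `if (!length(ipset.match)) {` would match the plain guard clauses around it.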
@@ -3314,11 +3318,6 @@ return {
types = map(ipset.match, m => m[1]),
interval = false;
- if (("ip" in types || "net" in types) && ipset.family == 0) {
- this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
- return;
- }
-
if ("set" in types) {
this.warn_section(data, "match type 'set' is not supported");
return;