From c7c9c84b2fcf5c3b122e5072b9976744d6c70382 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Mon, 30 May 2022 19:28:12 +0200
Subject: [PATCH] fw4: ensure that negative bitcounts are properly translated

Set bits to `-1` after converting a negative count into an inverted mask, in order to ensure that the resulting subnet list is properly grouped and rendered later on. Also add some minimal test coverage for this case.

Fixes: #9764
Fixes: c22eeef ("fw4: support negative CIDR bit notation")
Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/ucode/fw4.uc | 1 +
 tests/03_rules/06_subnet_mask_matches | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 6443950..02341cb 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -840,6 +840,7 @@ return {
 					return null;
 
 				m = to_mask(b, length(a) == 16);
+				b = max(-1, b);
 			}
 
 			return [{
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index b057e2c..89b4f7b 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -71,6 +71,13 @@ permutations of rules need to be emitted.
 				"!::15/128",
 				"!::16/128"
 			]
+		},
+		{
+			".description": "Ensure that CIDRs with negative bitcount are properly translated",
+			"proto": "all",
+			"name": "Mask rule #3",
+			"src_ip": "::1/-64",
+			"dest_ip": "!::2/-64"
 		}
 	],
 	"redirect": [
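Review bot: The added `b = max(-1, b);` gives no hint of why the count is clamped only after `to_mask()` has already consumed the negative value; the reason is spelled out in the commit message but not where a maintainer of parse_subnet will read it. A short comment above the line would carry that intent, e.g. `// a negative count has already been folded into the inverted mask above; clamp bits to -1 so the resulting subnet is grouped and rendered correctly later on`. Non-negative counts pass through `max()` unchanged, so the comment should also make clear that only negative values are rewritten. The preceding `return null;` suggests the range check for `b` sits just above the hunk; whether it also rejects counts more negative than the address width before they reach `to_mask()` cannot be confirmed from these lines and is worth checking, since an unexpected mask here ends up in a generated firewall rule. The enclosing function starts and ends outside this hunk.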
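Review bot: The new "Mask rule #3" entry holds one negative-count subnet per direction, so it checks the translation itself but not the grouping of several inverted-mask entries that the commit message describes as the part that was broken. A list value such as `"src_ip": [ "::1/-64", "::3/-64" ]` (constructed) would push more than one clamped entry through the set-building code, which is what the `b = max(-1, b)` change exists to fix. Since `to_mask(b, length(a) == 16)` in the fw4.uc hunk suggests both address families reach this path, an IPv4 case like `"dest_ip": "!10.0.0.2/-8"` (constructed) would cover the other family; the expected rules at `@@ -159,6 +166,7 @@` would then need the matching lines.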
@@ -159,6 +166,7 @@ table inet fw4 {
 		ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
 		ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
 		ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
+		ip6 saddr & ::ffff:ffff:ffff:ffff == ::1 ip6 daddr & ::ffff:ffff:ffff:ffff != ::2 counter comment "!fw4: Mask rule #3"
 		oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 		oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
-- 
2.30.2