Revert "fw4: allow family `any` for ipsets not matching IP addresses"

This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1.

The proposed change does not cover all cases.

Signed-off-by: Jo-Philipp Wich <[email protected]>

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 5d2026df92b54c5f9fbd7a4a297153bab1bc8ca9..2d77146809585edcb91bbf770fb1fad51f7be48b 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {
 
                        /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
                        if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
-                               add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
+                               add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
                        }
 
                        /* we need to emit one or two AF specific rules */
@@ -3305,7 +3305,11 @@ return {
                        return;
                }
 
-               if (!length(ipset.match)) {
+               if (ipset.family == 0) {
+                       this.warn_section(data, "must not specify family 'any'");
+                       return;
+               }
+               else if (!length(ipset.match)) {
                        this.warn_section(data, "has no datatypes assigned");
                        return;
                }
@@ -3314,11 +3318,6 @@ return {
                    types = map(ipset.match, m => m[1]),
                    interval = false;
 
-               if (("ip" in types || "net" in types) && ipset.family == 0) {
-                       this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
-                       return;
-               }
-
                if ("set" in types) {
                        this.warn_section(data, "match type 'set' is not supported");
                        return;