From be5f4e33c6388935651e6a87c4e5348ade0bd714 Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Sat, 6 Nov 2021 02:29:37 +0200
Subject: [PATCH] fw4.uc: allow use of cidr in ipsets

Sets of type ipv4_addr or ipv6_addr support entries in CIDR notation. However, the parse_ipsetentry ignores them. Fix this by using parse_subnet instead of iptoarr.

Signed-off-by: Stijn Tintel
Reviewed-by: Jo-Philipp Wich
---
 root/usr/share/ucode/fw4.uc | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index cfbd632..bfc568e 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1268,21 +1268,28 @@ return {
 for (let i, t in set.types) {
 switch (t) {
 case 'ipv4_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 4));
 
- if (length(ip) != 4)
- return null;
+ switch (length(ip)) {
+ case 0: return null;
+ case 1: break;
+ default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
 
- rv[i] = arrtoip(ip);
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
 break;
 
 case 'ipv6_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 6));
 
- if (length(ip) != 16)
- return null;
+ switch(length(ip)) {
+ case 0: return null;
+ case 1: break;
+ case 2: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
+
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
 
- rv[i] = arrtoip(ip);
 break;
 
 case 'ether_addr':
@@ -2774,6 +2781,8 @@ return {
 let s = {
 ...ipset,
+ fw4types: types,
+
 types: map(types, (t) => {
 switch (t) {
 case 'ip':
--
2.30.2
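Review bot: The ipv6_addr branch of the first hunk warns only on `case 2:` while the ipv4_addr branch uses `default:`, so an entry that resolves to three or more IPv6 addresses is silently truncated to the first one with no warning; change it to `default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);` so both families behave the same. The `: ip[0].addr` fallback for sets without the `net` flag also silently drops the prefix length of a CIDR entry, so a value the user wrote as a subnet ends up in the firewall set as a single host (before this change such an entry was presumably rejected, since iptoarr would not have yielded 4 or 16 elements). Consider warning or returning null in that case, e.g. `if (!("net" in set.fw4types) && ip[0].bits < 32) this.warn("Set entry '%s' has a prefix length but the set type is not 'net', using host address only", values[i]);` (and `< 128` for IPv6), assuming parse_subnet reports a full-length `bits` for plain host addresses, which is not visible here. The ipv6 branch additionally gains a stray blank line between `}` and `rv[i] = ...` that the ipv4 branch does not have. The enclosing loop and function begin and end outside the hunk.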