From edfdfc6df48477e449935955d637b5f957f6c825 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Mon, 17 Mar 2025 16:49:34 +0100
Subject: [PATCH] Revert "fw4: allow family `any` for ipsets not matching IP addresses"
This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1.
The proposed change does not cover all cases.
Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/ucode/fw4.uc | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 5d2026d..2d77146 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {
 /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
 if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
- add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
+ add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
 }
 /* we need to emit one or two AF specific rules */
@@ -3305,7 +3305,11 @@ return {
 return;
 }
- if (!length(ipset.match)) {
+ if (ipset.family == 0) {
+ this.warn_section(data, "must not specify family 'any'");
+ return;
+ }
+ else if (!length(ipset.match)) {
 this.warn_section(data, "has no datatypes assigned");
 return;
 }
@@ -3314,11 +3318,6 @@ return {
 types = map(ipset.match, m => m[1]), interval = false;
- if (("ip" in types || "net" in types) && ipset.family == 0) {
- this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
- return;
- }
-
 if ("set" in types) {
 this.warn_section(data, "match type 'set' is not supported");
 return;
--
2.30.2
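Review bot: The AF agnostic `add_rule(0, ...)` call in the first hunk passes `null` where the reverted commit passed `ipset`, so a rule that references a set and still reaches this branch would be emitted without its set match and would match more traffic than configured. Whether that can happen depends on how `family`, `has_ipv4_specifics` and `has_ipv6_specifics` are derived when a set is present, which is outside the hunk. If the intended invariant is that a set always forces an AF specific rule, state it in a comment above the call, e.g. `/* rules referencing an ipset never take this path: the set's family forces an AF specific rule */`. Alternatively make it explicit in the guard: `if (!family && !ipset && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {`. The enclosing function starts and ends outside the hunk.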
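Review bot: The restored `ipset.family == 0` check in the second hunk rejects the section for every match type, but neither the code nor the commit message says which cases the narrower check missed. A short comment above it, such as `/* family 'any' is rejected for all set types, see the revert of ad3cba79c192 */`, would keep a later change from reintroducing the partial check. Sections that were accepted while that commit was in place are now skipped with only a warning. How rules referencing a skipped set are handled is not visible here; if they are dropped too, a blocking rule could vanish from the ruleset without a hard error, so that path is worth confirming. The `else` after the `return` is redundant, and a plain `if (!length(ipset.match)) {` would behave the same. The enclosing function continues outside the hunk.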