From: Jo-Philipp Wich
Date: Mon, 17 Mar 2025 15:49:34 +0000 (+0100)
Subject: Revert "fw4: allow family `any` for ipsets not matching IP addresses"
X-Git-Url: http://git.openwrt.org/%22https:/collectd.org//%22http:/www.crowdsec.net/%22/%22https:/collectd.org/%22http:/www.crowdsec.net/%22?a=commitdiff_plain;h=edfdfc6df48477e449935955d637b5f957f6c825;p=project%2Ffirewall4.git

Revert "fw4: allow family `any` for ipsets not matching IP addresses"

This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1. The proposed change does not cover all cases.

Signed-off-by: Jo-Philipp Wich
---
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 5d2026d..2d77146 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {

 /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
 if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
- add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
+ add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
 }

 /* we need to emit one or two AF specific rules */
@@ -3305,7 +3305,11 @@ return {
 return;
 }

- if (!length(ipset.match)) {
+ if (ipset.family == 0) {
+ this.warn_section(data, "must not specify family 'any'");
+ return;
+ }
+ else if (!length(ipset.match)) {
 this.warn_section(data, "has no datatypes assigned");
 return;
 }
@@ -3314,11 +3318,6 @@ return {
 types = map(ipset.match, m => m[1]),
 interval = false;

- if (("ip" in types || "net" in types) && ipset.family == 0) {
- this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
- return;
- }
-
 if ("set" in types) {
 this.warn_section(data, "match type 'set' is not supported");
 return;
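Review bot: The AF-agnostic `add_rule(0, ...)` call passes a literal `null` in the position where the reverted commit passed `ipset`, so a rule that references a set and still reaches this branch would be emitted without its set match and would apply to more traffic than configured. Nothing in this hunk keeps such rules out of the branch; presumably the family check restored in the ipset parser (no family `any`) means a set-bound rule always has a family, but that depends on code outside the hunk. I would make the dependency explicit, either with a comment such as `/* set-bound rules always carry a family, so no set match is needed here */` or by adding `!ipset` to the condition. The enclosing function starts and ends outside the hunk.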
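Review bot: The restored `ipset.family == 0` check ends in `return`, so the whole section is rejected, yet the warning `must not specify family 'any'` does not say that the set is dropped. Configurations that were accepted under the reverted commit (family `any` with match types other than `ip` or `net`) lose their set after this change, and how rules that reference the missing set are handled is not visible here. I would state the consequence in the message, e.g. `this.warn_section(data, "must not specify family 'any', ignoring section");`, and mention the behaviour change in the commit description. The `else` before `if (!length(ipset.match))` is redundant after the `return`, though harmless.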