projects / project / firewall4.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 18fc0ea)
fw4: allow family `any` for ipsets not matching IP addresses
authorJo-Philipp Wich <[email protected]>
Sat, 27 Jul 2024 13:36:52 +0000 (21:36 +0800)
committerJo-Philipp Wich <[email protected]>
Mon, 17 Mar 2025 15:41:09 +0000 (16:41 +0100)
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien <[email protected]>
[reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich <[email protected]>
root/usr/share/ucode/fw4.uc patch | blob | history

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 2d77146809585edcb91bbf770fb1fad51f7be48b..5d2026df92b54c5f9fbd7a4a297153bab1bc8ca9 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {
 
                        /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
                        if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
-                               add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
+                               add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
                        }
 
                        /* we need to emit one or two AF specific rules */
@@ -3305,11 +3305,7 @@ return {
                        return;
                }
 
-               if (ipset.family == 0) {
-                       this.warn_section(data, "must not specify family 'any'");
-                       return;
-               }
-               else if (!length(ipset.match)) {
+               if (!length(ipset.match)) {
                        this.warn_section(data, "has no datatypes assigned");
                        return;
                }
@@ -3318,6 +3314,11 @@ return {
                    types = map(ipset.match, m => m[1]),
                    interval = false;
 
+               if (("ip" in types || "net" in types) && ipset.family == 0) {
+                       this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
+                       return;
+               }
+
                if ("set" in types) {
                        this.warn_section(data, "match type 'set' is not supported");
                        return;
OpenWrt nftables firewall