From ad3cba79c19209beaff61279338b1146b343cdc1 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sat, 27 Jul 2024 21:36:52 +0800
Subject: [PATCH] fw4: allow family `any` for ipsets not matching IP addresses
When filtering by MAC address, it is usually necessary to filter both IPv4 and IPv6. If it is not allowed to set the family of ipset to any, it will be necessary to create a separate, identical ipset for both IPv4 and IPv6.
Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien
[reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/ucode/fw4.uc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 2d77146..5d2026d 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {
 /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
 if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
- add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
+ add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
 }
 /* we need to emit one or two AF specific rules */
@@ -3305,11 +3305,7 @@ return {
 return;
 }
- if (ipset.family == 0) {
- this.warn_section(data, "must not specify family 'any'");
- return;
- }
- else if (!length(ipset.match)) {
+ if (!length(ipset.match)) {
 this.warn_section(data, "has no datatypes assigned");
 return;
 }
@@ -3318,6 +3314,11 @@ return {
 types = map(ipset.match, m => m[1]),
 interval = false;
+ if (("ip" in types || "net" in types) && ipset.family == 0) {
+ this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
+ return;
+ }
+
 if ("set" in types) {
 this.warn_section(data, "match type 'set' is not supported");
 return;
--
2.30.2
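Review bot: Nothing in the patch pins the behaviour of the AF-agnostic `add_rule(0, …)` call now that it carries `ipset`; the earlier `null` in that position was presumably safe only because sets with family `any` were rejected at parse time. A rule emitted without its set match is broader than the administrator configured, so I would add a regression case for a MAC-only set with family `any` and check that the rendered rule still contains the set lookup. It is also worth confirming that no other rule builder in this file has a family-0 path that still passes `null` for the set; that cannot be seen from this hunk, and the enclosing function starts and ends outside it. A comment above the call such as `/* ipset can be non-null here only for family 'any' sets, i.e. sets without ip/net datatypes */` would record the invariant.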
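Review bot: The new guard `("ip" in types || "net" in types) && ipset.family == 0` is a deny-list of address-typed datatypes, so any family-specific datatype added later would be accepted with family 0 unless this line is updated too. Writing it the other way round, accepting family 0 only when every entry of `types` is on a known family-neutral list, would fail closed. Code outside this hunk that reads `ipset.family` may have been written when only 4 and 6 could reach it and could treat 0 as one of the two; I cannot verify that from here, as the function body starts and ends outside the hunk. A comment above the check, for example `/* family 'any' is only valid for sets without address datatypes (e.g. mac) */`, would document the rule next to the warning.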