From: Jo-Philipp Wich
Date: Mon, 30 May 2022 17:28:12 +0000 (+0200)
Subject: fw4: ensure that negative bitcounts are properly translated
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=c7c9c84b2fcf5c3b122e5072b9976744d6c70382;p=project%2Ffirewall4.git

fw4: ensure that negative bitcounts are properly translated

Set bits to `-1` after converting a negative count into an inverted mask, in order to ensure that the resulting subnet list is properly grouped and rendered later on.

Also add some minimal test coverage for this case.

Fixes: #9764
Fixes: c22eeef ("fw4: support negative CIDR bit notation")
Signed-off-by: Jo-Philipp Wich
---

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 6443950..02341cb 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -840,6 +840,7 @@ return {
 				return null;
 
 			m = to_mask(b, length(a) == 16);
+			b = max(-1, b);
 		}
 
 		return [{
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index b057e2c..89b4f7b 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -71,6 +71,13 @@ permutations of rules need to be emitted.
 				"!::15/128",
 				"!::16/128"
 			]
+		},
+		{
+			".description": "Ensure that CIDRs with negative bitcount are properly translated",
+			"proto": "all",
+			"name": "Mask rule #3",
+			"src_ip": "::1/-64",
+			"dest_ip": "!::2/-64"
 		}
 	],
 	"redirect": [
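Review bot: The `-1` written by `b = max(-1, b);` is an undocumented sentinel: a reader of this function only sees a negative bit count being clamped and has to consult the commit message to learn that the inverted count has already been folded into `m` by `to_mask()` and that `-1` is what makes the later grouping and rendering code treat the entry as a mask match rather than a prefix. A comment above the line would keep that in the code, e.g. `// negative count is already folded into m; clamp to -1 so the entry is grouped and rendered as a mask match`. The clamp is a no-op for a non-negative `b`, which looks intended, but whether a non-negative count can reach this branch depends on the condition guarding it, which is outside the hunk, as is any range check on the count's magnitude (presumably inside `to_mask()`; worth confirming it rejects a count wider than the address, since a silently wrong mask here becomes a silently wrong firewall rule). The enclosing function starts and ends outside the hunk.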
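Review bot: The new "Mask rule #3" exercises the negative bitcount path for IPv6 only (`::1/-64`, `!::2/-64`), while the fixed code in fw4.uc selects the width with `to_mask(b, length(a) == 16)` and so covers both families; an IPv4 entry in the same rule, e.g. `"src_ip": "10.0.0.1/-8"` (constructed example), with the matching `ip saddr & …` line in the expected output would cover the other width of the same code path. As written, a regression in the IPv4 branch of this translation would not be caught by this test.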
@@ -159,6 +166,7 @@ table inet fw4 {
 		ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
 		ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
 		ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
+		ip6 saddr & ::ffff:ffff:ffff:ffff == ::1 ip6 daddr & ::ffff:ffff:ffff:ffff != ::2 counter comment "!fw4: Mask rule #3"
 		oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 		oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"