authorAlex Harpin <development@landsofshadow.co.uk>2015-12-12 20:10:57 +0000
committerAlex Harpin <development@landsofshadow.co.uk>2015-12-12 20:10:57 +0000
commit06d3f338114141d1fa8c2878a6684dcfd1137e69 (patch)
treeec573bc61d7c9b9945edf2d05be6222297fc81eb
parentaff6ce143e177645829b4cbe76839e90c515258d (diff)
vyatta-cfg-firewall: update network-group check to allow "this" network
Update the check for network-groups to allow zero net addresses as they are accepted by the current version of ipset used in VyOS, rejecting only the 0.0.0.0/0 address. This allows the "this" network (0.0.0.0/8) to be used in network-groups. Bug #628 http://bugzilla.vyos.net/show_bug.cgi?id=628
-rwxr-xr-xlib/Vyatta/IpTables/IpSet.pm6
-rw-r--r--templates/firewall/group/network-group/node.tag/network/node.def4
2 files changed, 4 insertions, 6 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index 37bbb37..ea9bc8d 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -361,10 +361,10 @@ sub check_member {
}
if ($member =~ /([\d.]+)\/(\d+)/) {
my ($net, $mask) = ($1, $2);
- return "Error: zero net invalid in network-group\n"
- if $net eq '0.0.0.0';
+ return "Error: 0.0.0.0/0 invalid in network-group\n"
+ if (($net eq '0.0.0.0') and ($mask == 0));
return "Error: invalid mask [$mask] - must be between 1-31\n"
- if $mask < 1 or $mask > 31;
+ if (($mask < 1) or ($mask > 31));
} else {
return "Error: Invalid network group [$member]\n";
}
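Review bot: The new `0.0.0.0/0` guard does not change what check_member accepts here, because a mask of 0 is also rejected by the range check directly below it; the guard only selects a more specific error message. The effective change is that `0.0.0.0/N` now passes these two checks for every N from 1 to 31, not only the `0.0.0.0/8` named in the commit message. A comment above the guard would record that intent, for example `# ipset accepts a zero net with a non-zero prefix; only 0.0.0.0/0 is refused`. Separately, the pattern on the unchanged `if ($member =~ ...)` line is unanchored and `[\d.]+` does not constrain octet values, so this block depends on whatever validation check_member performs before the hunk, which is not visible here. If there is none, anchoring the match with `\A` and `\z` would be a worthwhile follow-up.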
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
index b3e0c18..d08b39d 100644
--- a/templates/firewall/group/network-group/node.tag/network/node.def
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
@@ -5,6 +5,4 @@ val_help: ipv4net; IPv4 Subnet to match
syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member network $VAR(@)"
-syntax:expression: exec " \
- /opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \
-
+syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)"