authorStig Thormodsrud <stig@io.vyatta.com>2009-02-12 18:47:13 -0800
committerStig Thormodsrud <stig@io.vyatta.com>2009-02-12 18:47:13 -0800
commit46bd9ea2b372a4668cec4f098af3c606cd3302ac (patch)
tree2290a962f468f506ef0a4cfb2a4d3a729736f06b /lib/Vyatta/IpTables
parent323917b9b20833bd28a6343bab3d38280ee12048 (diff)
Add check for combining network-group and address-group.
Diffstat (limited to 'lib/Vyatta/IpTables')
-rwxr-xr-xlib/Vyatta/IpTables/AddressFilter.pm6
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/Vyatta/IpTables/AddressFilter.pm b/lib/Vyatta/IpTables/AddressFilter.pm
index a0abb3e..01c2795 100755
--- a/lib/Vyatta/IpTables/AddressFilter.pm
+++ b/lib/Vyatta/IpTables/AddressFilter.pm
@@ -229,9 +229,11 @@ sub rule {
# Handle groups last so we can check $group_ok
if ($self->{_ip_version} eq "ipv4") {
# so far ipset only supports IPv4
+ my %group_used = ('address' => 0, 'network' => 0);
foreach my $group_type ('address', 'network', 'port') {
my $var_name = '_' . $group_type . '_group';
if (defined($self->{$var_name})) {
+ $group_used{$group_type} = 1;
my $name = $self->{$var_name};
if (! $group_ok{$group_type}) {
return (undef, "Can't mix $self->{_srcdst} $group_type group " .
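Review bot: `%group_used` is seeded with only `address` and `network`, but the assignment inside the loop also runs when `$group_type` is `port`, so the hash gains a third key that nothing in this change reads. The flags also duplicate state already held in `$self->{_address_group}` and `$self->{_network_group}`, which the `defined($self->{$var_name})` test one line earlier already inspects. Either restrict the write, `$group_used{$group_type} = 1 if exists $group_used{$group_type};`, or drop the hash and test the two fields directly. The `return` statement at the end of this hunk continues outside it.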
@@ -242,6 +244,10 @@ sub rule {
return ($err_str, ) if ! defined $set_rule;
$rule .= $set_rule;
}
+ }
+ if ($group_used{address} and $group_used{network}) {
+ return (undef,
+ "Can't combine network and address group for $self->{_srcdst}\n");
}
}
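Review bot: The new rejection runs only after the `foreach` has finished, so set rules for both groups have already been built and appended to `$rule`, and any failure on the `return ($err_str, )` path is reported in place of the combine error. As a validity check on a firewall rule it reads better as a guard ahead of the loop: `if (defined $self->{_address_group} and defined $self->{_network_group}) { return (undef, "Can't combine network and address group for $self->{_srcdst}\n"); }`. A short comment above the check stating why the two group types are mutually exclusive for one `_srcdst` would help the next maintainer, since the reason is not evident from the visible lines. The check sits inside the `ipv4` branch, so it presumably does not apply to other IP versions; `sub rule` begins and ends outside this hunk.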