diff options
author | zsdc <taras@vyos.io> | 2022-12-09 17:10:10 +0200 |
---|---|---|
committer | zsdc <taras@vyos.io> | 2022-12-09 17:19:30 +0200 |
commit | 1636db20ee4b3d388a25b62e86bea1de52fcc339 (patch) | |
tree | a2c189dc38a632fbaafdc8972a0412ea4f6fa73f /lib | |
parent | 2bc88186b952e32bcf26419af2563c6f1bd7daac (diff) | |
download | vyatta-cfg-firewall-1636db20ee4b3d388a25b62e86bea1de52fcc339.tar.gz vyatta-cfg-firewall-1636db20ee4b3d388a25b62e86bea1de52fcc339.zip |
network-groups: T4869: Fixed operations with /32 and /128 netmasks
When the configuration script performs operations with network-group items
received from CLI, it gets them in the format fixed by CLI restrictions - always
with netmasks. But inside ipset networks with netmasks /32 for IPv4 and
/128 for IPv6 for some reason represented as items without netmask. This breaks
comparison logic in the configuration script that relies on a direct match
between items.
This commit adds extra normalization for data received from ipset - an
appropriate netmask is added to networks with /32 and /128 netmasks while
preparing a hash with items. This allows using hash keys for matching as it is
intended to be.
Diffstat (limited to 'lib')
-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index be50472..a7fccb7 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -420,7 +420,19 @@ sub members_list { } # parse the output otherwise my $parsed_out = XML::LibXML->load_xml(string => $ipset_output); + my $set_type = $parsed_out->findvalue('/ipsets/ipset/type'); + my $set_family = $parsed_out->findvalue('/ipsets/ipset/header/family'); foreach my $node ($parsed_out->findnodes('/ipsets/ipset/members/member/elem/text()')) { + # modify networks with /32 and /128 netmasks to match CLI items later + # an example: '192.0.2.0' -> '192.0.2.0/32', '2001:db8::' -> '2001:db8::/128' + if ($set_type eq 'hash:net') { + if (($set_family eq 'inet') and ($node !~ /.*\/\d+/ )) { + $node = "${node}/32"; + } + if (($set_family eq 'inet6') and ($node !~ /.*\/\d+/ )) { + $node = "${node}/128"; + } + } $elements_list{$node} = undef; } |