Fix 5917: FW: Max characters exceeded for ipset rule when using "set firewall group address-group" command

(cherry picked from commit 37638769fdaf40c5882eef3614e02f0aadbb1bba)

2 files changed, 10 insertions, 2 deletions

diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index c62f4dd..389a057 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -11,7 +11,11 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
                            --member=\"$VAR(@)\"; "
 
 create: tmpgrp=$VAR(../@)-$PPID
-        tmpfile="/tmp/$VAR(../@)-$PPID";
+        len=${#tmpgrp}
+        if [ "$len" -gt 31 ]; then
+           tmpgrp=${tmpgrp: -31};
+        fi
+        tmpfile="/tmp/$tmpgrp";
 
         if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
            [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index c6f3173..de73950 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -13,7 +13,11 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
                            --member=\"$VAR(@)\"; "
 
 create: tmpgrp=$VAR(../@)-$PPID
-        tmpfile="/tmp/$VAR(../@)-$PPID";
+        len=${#tmpgrp}
+        if [ "$len" -gt 31 ]; then
+           tmpgrp=${tmpgrp: -31};
+        fi
+        tmpfile="/tmp/$tmpgrp";
 
         if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
            [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then