projects / project / firewall4.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5f61dbf) | patch
ruleset: properly deal with wildcards in zone device selectors
authorJo-Philipp Wich <jo@mein.io>
Tue, 25 Jan 2022 22:12:20 +0000 (23:12 +0100)
committerJo-Philipp Wich <jo@mein.io>
Tue, 25 Jan 2022 22:12:20 +0000 (23:12 +0100)
commit0bc844ba02ae460d4a895878b9136ba5d8e09b37
tree6cb3b643be433106efb6eb3039c7f4161f76a0f5tree | snapshot
parent5f61dbfe219ac5f7ad7e5e04748357d0ebb3debccommit | diff
ruleset: properly deal with wildcards in zone device selectors

Translate iptables style wildcards (`name+`) to nftables ones (`name*`)
and ensure that such wildcards are not used as anonymous set items but
that they're tested by separate expressions.

Also move redundant zone device/subnet selection expressions into a common
template and include it where applicable.

Finally add a new testcase which covers various device name wildcard corner-
cases and rule permutation requirements.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
root/usr/share/firewall4/templates/ruleset.uc diff | blob | history
root/usr/share/firewall4/templates/zone-jump.uc [new file with mode: 0644] blob
root/usr/share/firewall4/templates/zone-match.uc diff | blob | history
root/usr/share/firewall4/templates/zone-mssfix.uc diff | blob | history
root/usr/share/firewall4/templates/zone-verdict.uc diff | blob | history
root/usr/share/ucode/fw4.uc diff | blob | history
tests/02_zones/04_wildcard_devices [new file with mode: 0644] blob
OpenWrt nftables firewall