projects / project / firewall4.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ca88fcd) | patch
ruleset: support non-contiguous address masks
authorJo-Philipp Wich <jo@mein.io>
Wed, 26 Jan 2022 11:05:39 +0000 (12:05 +0100)
committerJo-Philipp Wich <jo@mein.io>
Thu, 27 Jan 2022 15:22:15 +0000 (16:22 +0100)
commite60bb4b47ff9aad6806afc0468f4217a344a7cf0
tree864ea118f710faecd5537461f847be54af945e3ctree | snapshot
parentca88fcdfd1d3adfff965a2547e9c417a2950df24commit | diff
ruleset: support non-contiguous address masks

Support non-contiguous address masks (such as `::1234/::ffff`) for zone
subnet and rule src_ip / dest_ip options and translate them into appropriate
bitwise & expressions internally.

Add appropriate logic to calculate permutations of inverted, non-inverted,
contiguous and non-contiguous address matches since bitwise calculation
expressions can not appear within sets which means that any non-inverted,
non-contiguous mask addresses must be put into separate rules while the
remaining addresses (if any) may be grouped into a common set.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
root/usr/share/firewall4/templates/redirect.uc diff | blob | history
root/usr/share/firewall4/templates/rule.uc diff | blob | history
root/usr/share/firewall4/templates/ruleset.uc diff | blob | history
root/usr/share/firewall4/templates/zone-masq.uc [new file with mode: 0644] blob
root/usr/share/firewall4/templates/zone-match.uc diff | blob | history
root/usr/share/ucode/fw4.uc diff | blob | history
tests/02_zones/05_subnet_mask_matches [new file with mode: 0644] blob
tests/03_rules/06_subnet_mask_matches [new file with mode: 0644] blob
OpenWrt nftables firewall