fw4: ensure that negative bitcounts are properly translated

Set bits to `-1` after converting a negative count into an inverted mask,
in order to ensure that the resulting subnet list is properly grouped
and rendered later on.

Also add some minimal test coverage for this case.

Fixes: #9764
Fixes: c22eeef ("fw4: support negative CIDR bit notation")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 64439504be49a33566fa43fc49f38a49d9acdbb8..02341cb5af68aaffeea6a6e09071a803447a7ba4 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -840,6 +840,7 @@ return {
                                        return null;
 
                                m = to_mask(b, length(a) == 16);
+                               b = max(-1, b);
                        }
 
                        return [{

diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index b057e2ca76a947639abf53128bfbb1ffe73111c3..89b4f7b15221a282af7d37bfefef75c70f3d40a8 100644 (file)
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -71,6 +71,13 @@ permutations of rules need to be emitted.
                                "!::15/128",
                                "!::16/128"
                        ]
+               },
+               {
+                       ".description": "Ensure that CIDRs with negative bitcount are properly translated",
+                       "proto": "all",
+                       "name": "Mask rule #3",
+                       "src_ip": "::1/-64",
+                       "dest_ip": "!::2/-64"
                }
        ],
        "redirect": [
@@ -159,6 +166,7 @@ table inet fw4 {
                ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
                ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
                ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
+               ip6 saddr & ::ffff:ffff:ffff:ffff == ::1 ip6 daddr & ::ffff:ffff:ffff:ffff != ::2 counter comment "!fw4: Mask rule #3"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"