From 7dfc240dfaee099eab04bd18369edb11dfbb5045 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 20 Feb 2014 23:29:57 +0000
Subject: [PATCH] Several ipset bugfixes
- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa
Signed-off-by: Jo-Philipp Wich
---
 ipsets.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipsets.c b/ipsets.c
index 06aafb7..8f88885 100644
--- a/ipsets.c
+++ b/ipsets.c
@@ -107,6 +107,11 @@ check_types(struct uci_element *e, struct fw3_ipset *ipset)
 {
 for (i = 0; i < ARRAY_SIZE(ipset_types); i++)
 {
+ /* skip type for v6 if it does not support family */
+ if (ipset->family != FW3_FAMILY_V4 &&
+ !(ipset_types[i].optional & OPT_FAMILY))
+ continue;
+
 if (ipset_types[i].types == typelist)
 {
 ipset->method = ipset_types[i].method;
@@ -259,6 +264,10 @@ fw3_load_ipsets(struct fw3_state *state, struct uci_package *p)
 {
 warn_elem(e, "must not have family 'any'");
 }
+ else if (ipset->iprange.set && ipset->family != ipset->iprange.family)
+ {
+ warn_elem(e, "has iprange of wrong address family");
+ }
 else if (list_empty(&ipset->datatypes))
 {
 warn_elem(e, "has no datatypes assigned");
@@ -292,6 +301,9 @@ create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
 first = false;
 }
+ if (ipset->method == FW3_IPSET_METHOD_HASH)
+ fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
+
 if (ipset->iprange.set)
 {
 fw3_pr(" range %s", fw3_address_to_string(&ipset->iprange, false));
@@ -302,8 +314,6 @@ create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
 ipset->portrange.port_min, ipset->portrange.port_max);
 }
- fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
-
 if (ipset->timeout > 0)
 fw3_pr(" timeout %u", ipset->timeout);
--
2.11.0
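Review bot: The skip test added in check_types is written as `ipset->family != FW3_FAMILY_V4`, so every value other than V4, including an unset or 'any' family, is handled as IPv6; the ternary in the create_ipset hunk (`(ipset->family == FW3_FAMILY_V4) ? "" : "6"`) rests on the same assumption. That holds only if the "must not have family 'any'" rejection in fw3_load_ipsets always runs before check_types, and that ordering is not visible in these hunks. I would compare against `FW3_FAMILY_V6` explicitly, or widen the comment to `/* family is V4 or V6 here ('any' is rejected at load time); skip types without family support for v6 */`. The loop body continues past the end of the hunk.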
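Review bot: The added `if (ipset->method == FW3_IPSET_METHOD_HASH)` in create_ipset decides family support by storage method, while check_types in the same commit decides it by `ipset_types[i].optional & OPT_FAMILY`. The two conditions have to be kept in agreement by hand; if a type entry gains or loses OPT_FAMILY later, the emitted create command can drift from what validation accepted, and a set that fails to be created presumably leaves the rules that reference it without effect. A short comment such as `/* only hash types take a family; keep in sync with OPT_FAMILY in ipset_types */` would document the coupling, or the matched entry's option mask could be recorded on the ipset and tested here instead. create_ipset starts and ends outside the hunk.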