git.archive.openwrt.org Git - project/firewall3.git/commit

author	Jo-Philipp Wich <jow@openwrt.org>
	Fri, 18 Jul 2014 13:43:56 +0000 (15:43 +0200)
committer	Jo-Philipp Wich <jow@openwrt.org>
	Sat, 19 Jul 2014 09:48:39 +0000 (11:48 +0200)
commit	bba31cce0521e014109fc805671d4cff7ee9dbf6
tree	2a48c471acb221c85238f53d7266ef88ee217629	tree \| snapshot
parent	0aaf63b89efb27bfa370aabc7550de10335abbe3	commit \| diff

Use netmasks instead of prefix lengths internally

Iptables supports using non-continuous netmasks like FFFF::FFFF which would
match the first and last 16bit of an IPv6 address while ignoring the parts
in between which is useful fordeclaring rules targeting hosts on rotating
prefixes.

Instead of storing parsed netmasks as bitcount internally, use a full mask
which is passed to iptables as-is.

Also support a new shorthand notation "addr/-N" which will construct a mask
that matches the *last* N bits of an address - useful for matching the host
part only of an IPv4 address, e.g.

option dest_ip '::c23f:eff:fe7a:a094/-64'

This will convert to a netmask of "::ffff:ffff:ffff:ffff".

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

ipsets.c		diff \| blob \| history
iptables.c		diff \| blob \| history
options.c		diff \| blob \| history
options.h		diff \| blob \| history
redirects.c		diff \| blob \| history
ubus.c		diff \| blob \| history
utils.c		diff \| blob \| history
utils.h		diff \| blob \| history