commit 3809fef17dc779052a3f050041fe90e3599f35be
commit 9e9f94061b129e22e8c6fc2f8985d782bfe09689
commit e635bdffa630c827ff0ed2fc2bb201d560631be0
Author: Eric Garver <eric@garver.life>
Date: Wed Sep 15 14:38:28 2021 -0400
fix(nftables): rich: source address with netmask
test(rich): source address with netmask
test(zone): source with netmask
---
src/firewall/core/nftables.py | 5 +++--
src/tests/cli/firewall-cmd.at | 1 +
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1917766.at | 25 +++++++++++++++++++++++++
4 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index ff077ad..f3b50c0 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -22,6 +22,7 @@ from __future__ import absolute_import
import copy
import json
+import ipaddress
from firewall.core.logger import log
from firewall.functions import check_mac, getPortRange, normalizeIP6, \
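Review bot: `import ipaddress` is inserted after `import json`, which breaks the alphabetical order the surrounding stdlib group (`copy`, `json`) follows; it belongs between the two. This is style only and does not affect the fix.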
@@ -1213,8 +1214,8 @@ class nftables(object):
family = "ip"
elif check_address("ipv4", address):
family = "ip"
- addr_len = address.split("/")
- address = {"prefix": {"addr": addr_len[0], "len": int(addr_len[1])}}
+ normalized_address = ipaddress.IPv4Network(address, strict=False)
+ address = {"prefix": {"addr": normalized_address.network_address.compressed, "len": normalized_address.prefixlen}}
elif check_single_address("ipv6", address):
family = "ip6"
address = normalizeIP6(address)
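Review bot: `ipaddress.IPv4Network(address, strict=False)` on the new line raises `ValueError` for any mask the standard library does not accept as a contiguous netmask, and nothing in this hunk catches it, so if `check_address("ipv4", ...)` (defined outside the hunk) admits such a value it now surfaces as an unhandled `ValueError` instead of the project's usual invalid-address error; wrapping the call in `try`/`except ValueError` and re-raising the project's invalid-address error at this point would keep the failure mode consistent. The choice of `strict=False` is what makes the new tests pass (it zeroes the host bits so `192.168.1.1/255.255.255.0` becomes the `192.168.1.0/24` prefix) and deserves a comment, e.g. `# strict=False: drop host bits so addr/netmask with a host part still yields its network prefix`. The dict literal on the following line is well over the line-length limit; splitting it after the `"addr"` entry would keep the two keys readable. The enclosing method begins before and continues past this hunk.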
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 67af8a1..059fc98 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -214,6 +214,7 @@ sources: $1
check_zone_source([1.2.3.4])
check_zone_source([192.168.1.0/24])
+ check_zone_source([192.168.1.1/255.255.255.0])
IF_HOST_SUPPORTS_IPV6_RULES([
check_zone_source([3ffe:501:ffff::/64])
check_zone_source([dead:beef::babe])
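Review bot: The added `check_zone_source([192.168.1.1/255.255.255.0])` case appears, from the `sources: $1` context line, to verify only that the netmask form is accepted and echoed back verbatim by the zone listing; it does not confirm that the host bit in `192.168.1.1` is dropped in the generated ruleset, which is the behaviour the nftables change actually introduces. A companion check of the emitted rule (expecting the `192.168.1.0/24` prefix) would pin that down. The definition of `check_zone_source` is outside the hunk, so this is inferred from its usage.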
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index a90fc37..2fee7ce 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -38,3 +38,4 @@ m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
m4_include([regression/gh703.at])
+m4_include([regression/rhbz1917766.at])
diff --git a/src/tests/regression/rhbz1917766.at b/src/tests/regression/rhbz1917766.at
new file mode 100644
index 0000000..961d514
--- /dev/null
+++ b/src/tests/regression/rhbz1917766.at
@@ -0,0 +1,25 @@
+FWD_START_TEST([rich rule source with netmask])
+AT_KEYWORDS(rich rhbz1917766)
+
+dnl Note: IPv6 only supports CIDR notation. It does not support address/netmask
+dnl notation.
+
+FWD_CHECK([ --zone public --add-rich-rule='rule family=ipv4 source address="192.168.1.0/255.255.255.0" accept'], 0, [ignore])
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule family=ipv4 source address="192.168.1.0/255.255.255.0" accept'], 0, [ignore])
+
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+ <short>foobar</short>
+ <description>foobar</description>
+ <rule family="ipv4">
+ <source address="192.168.0.1/255.255.255.240"/>
+ <accept/>
+ </rule>
+</zone>
+])
+FWD_RELOAD()
+FWD_CHECK([--zone foobar --add-interface foobar0], 0, [ignore])
+
+FWD_END_TEST()
+~
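Review bot: Both `FWD_CHECK` calls in the new test pass `[ignore]` for the output, so the test proves only that the commands exit 0; it never asserts that the rich rule with `192.168.1.0/255.255.255.0` (and the zone file's `192.168.0.1/255.255.255.240`) lands in the ruleset as the expected network prefix, which is the regression this file is named for. Adding a check of the resulting rules or rich-rule listing with the normalized prefix expected would make the test fail if the normalization regressed. The trailing `~` line at the end of the hunk looks like a stray artifact rather than intended file content; confirm it is not actually committed. The `dnl` note on IPv6 only supporting CIDR notation is useful and could also mention that the IPv4 host bits are masked off by the daemon.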