From 12b83f9c9381e60496a63082343512e62b03de5f Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Mon, 22 Feb 2021 15:11:21 -0500

Subject: [PATCH 20/22] fix(ipset): nftables: use interval flag for "ip" types

This is to be compatible with ipset. ipset allows adding to a non-mask

type, e.g. "ip", by using a mask. ipset translates this into many

entries. Support it in nftables simply by using intervals.

(cherry picked from commit faaf3ac649a347f0bccae800fd0e4daeebbd1539)

(cherry picked from commit c9d1c88e91c84561af0dbfb5999f722a3b6bb397)

---

 src/firewall/core/nftables.py       | 2 +-

 src/tests/cli/firewall-cmd.at       | 1 +

 src/tests/regression/gh330.at       | 6 ++++++

 src/tests/regression/rhbz1734765.at | 2 ++

 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py

index ff077aded340..e6907421e111 100644

--- a/src/firewall/core/nftables.py

+++ b/src/firewall/core/nftables.py

@@ -1767,7 +1767,7 @@ class nftables(object):

         # Some types need the interval flag

         for t in type.split(":")[1].split(","):

-            if t in ["net", "port"]:

+            if t in ["ip", "net", "port"]:

                 set_dict["flags"] = ["interval"]

                 break

diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at

index 67af8a19c072..450737776a9f 100644

--- a/src/tests/cli/firewall-cmd.at

+++ b/src/tests/cli/firewall-cmd.at

@@ -974,6 +974,7 @@ FWD_START_TEST([ipset])

         table inet firewalld {

             set foobar {

                 type ipv4_addr . mark

+                flags interval

                 elements = { 10.10.10.10 . 0x00000100,

                              20.20.20.20 . 0x00000200 }

             }

diff --git a/src/tests/regression/gh330.at b/src/tests/regression/gh330.at

index fd8d2f8d2dd8..0564501aa18d 100644

--- a/src/tests/regression/gh330.at

+++ b/src/tests/regression/gh330.at

@@ -17,6 +17,7 @@ NFT_LIST_SET([foobar], 0, [dnl

     table inet firewalld {

         set foobar {

             type ipv4_addr

+            flags interval

             elements = { 1.2.3.4 }

         }

     }

@@ -43,6 +44,7 @@ NFT_LIST_SET([foobar], 0, [dnl

     table inet firewalld {

         set foobar {

             type ipv4_addr

+            flags interval

             elements = { 1.2.3.4, 10.10.10.10 }

         }

     }

@@ -60,6 +62,7 @@ NFT_LIST_SET([foobar], 0, [dnl

     table inet firewalld {

         set foobar {

             type ipv4_addr

+            flags interval

             elements = { 1.2.3.4, 10.10.10.10 }

         }

     }

@@ -80,6 +83,7 @@ NFT_LIST_SET([foobar], 0, [dnl

     table inet firewalld {

         set foobar {

             type ipv4_addr

+            flags interval

             elements = { 1.2.3.4, 4.3.2.1,

                          10.10.10.10 }

         }

@@ -104,6 +108,7 @@ NFT_LIST_SET([foobar], 0, [dnl

     table inet firewalld {

         set foobar {

             type ipv4_addr

+            flags interval

             elements = { 1.2.3.4, 4.3.2.1,

                          6.6.6.6, 10.10.10.10 }

         }

@@ -129,6 +134,7 @@ NFT_LIST_SET([foobar], 0, [dnl

     table inet firewalld {

         set foobar {

             type ipv4_addr

+            flags interval

             elements = { 1.2.3.4 }

         }

     }

diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at

index b9f6aa5d49a1..b5023a058a55 100644

--- a/src/tests/regression/rhbz1734765.at

+++ b/src/tests/regression/rhbz1734765.at

@@ -47,6 +47,7 @@ NFT_LIST_SET([ipsetv4], 0, [dnl

     table inet firewalld {

         set ipsetv4 {

             type ipv4_addr

+            flags interval

             elements = { 192.0.2.12 }

         }

     }

@@ -55,6 +56,7 @@ NFT_LIST_SET([ipsetv6], 0, [dnl

     table inet firewalld {

         set ipsetv6 {

             type ipv6_addr

+            flags interval

             elements = { ::2 }

         }

     }

-- 

2.27.0