From 12b83f9c9381e60496a63082343512e62b03de5f Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Mon, 22 Feb 2021 15:11:21 -0500
Subject: [PATCH 20/22] fix(ipset): nftables: use interval flag for "ip" types

This is to be compatible with ipset. ipset allows adding to a non-mask type, e.g. "ip", by using a mask. ipset translates this into many entries. Support it in nftables simply by using intervals.

(cherry picked from commit faaf3ac649a347f0bccae800fd0e4daeebbd1539)
(cherry picked from commit c9d1c88e91c84561af0dbfb5999f722a3b6bb397)
---
src/firewall/core/nftables.py | 2 +-
src/tests/cli/firewall-cmd.at | 1 +
src/tests/regression/gh330.at | 6 ++++++
src/tests/regression/rhbz1734765.at | 2 ++
4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index ff077aded340..e6907421e111 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1767,7 +1767,7 @@ class nftables(object):
 # Some types need the interval flag
 for t in type.split(":")[1].split(","):
- if t in ["net", "port"]:
+ if t in ["ip", "net", "port"]:
 set_dict["flags"] = ["interval"]
 break
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 67af8a19c072..450737776a9f 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -974,6 +974,7 @@ FWD_START_TEST([ipset])
 table inet firewalld {
 set foobar {
 type ipv4_addr . mark
+ flags interval
 elements = { 10.10.10.10 . 0x00000100, 20.20.20.20 . 0x00000200 }
 }
 }
diff --git a/src/tests/regression/gh330.at b/src/tests/regression/gh330.at
index fd8d2f8d2dd8..0564501aa18d 100644
--- a/src/tests/regression/gh330.at
+++ b/src/tests/regression/gh330.at
@@ -17,6 +17,7 @@ NFT_LIST_SET([foobar], 0, [dnl
 table inet firewalld {
 set foobar {
 type ipv4_addr
+ flags interval
 elements = { 1.2.3.4 }
 }
 }
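Review bot: The comment above the changed condition, `# Some types need the interval flag`, no longer explains the list now that `ip` is in it; I would extend it to `# "ip" is included because ipset accepts masked additions to hash:ip sets, which nftables represents as an interval`. The assignment `set_dict["flags"] = ["interval"]` replaces the list instead of extending it, so if any other flag is populated earlier in this function it is silently dropped here; the function starts and ends outside the hunk, so that needs confirming. Concatenated types that contain `ip` (the `ipv4_addr . mark` expectation in firewall-cmd.at) now become interval sets as well, and a range on a concatenation depends on nftables/kernel support that older versions lack; the existing `net,port` case already had that dependency, but `ip,port` and `ip,mark` are far more common, so a documented minimum version or a probe at set creation seems worth adding. Finally, the test expectations in this patch only add `flags interval`; none of them adds a masked entry to a hash:ip set, which is the case the commit message describes.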
@@ -43,6 +44,7 @@ NFT_LIST_SET([foobar], 0, [dnl
 table inet firewalld {
 set foobar {
 type ipv4_addr
+ flags interval
 elements = { 1.2.3.4, 10.10.10.10 }
 }
 }
@@ -60,6 +62,7 @@ NFT_LIST_SET([foobar], 0, [dnl
 table inet firewalld {
 set foobar {
 type ipv4_addr
+ flags interval
 elements = { 1.2.3.4, 10.10.10.10 }
 }
 }
@@ -80,6 +83,7 @@ NFT_LIST_SET([foobar], 0, [dnl
 table inet firewalld {
 set foobar {
 type ipv4_addr
+ flags interval
 elements = { 1.2.3.4, 4.3.2.1, 10.10.10.10 }
 }
@@ -104,6 +108,7 @@ NFT_LIST_SET([foobar], 0, [dnl
 table inet firewalld {
 set foobar {
 type ipv4_addr
+ flags interval
 elements = { 1.2.3.4, 4.3.2.1, 6.6.6.6, 10.10.10.10 }
 }
@@ -129,6 +134,7 @@ NFT_LIST_SET([foobar], 0, [dnl
 table inet firewalld {
 set foobar {
 type ipv4_addr
+ flags interval
 elements = { 1.2.3.4 }
 }
 }
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index b9f6aa5d49a1..b5023a058a55 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -47,6 +47,7 @@ NFT_LIST_SET([ipsetv4], 0, [dnl
 table inet firewalld {
 set ipsetv4 {
 type ipv4_addr
+ flags interval
 elements = { 192.0.2.12 }
 }
 }
@@ -55,6 +56,7 @@ NFT_LIST_SET([ipsetv6], 0, [dnl
 table inet firewalld {
 set ipsetv6 {
 type ipv6_addr
+ flags interval
 elements = { ::2 }
 }
 }
-- 
2.27.0