Opened 3 years ago

#17773 new enhancement

firewall zone subnet accept inverted subnets

Reported by: i@…
Owned by: developers
Priority: normal
Milestone:
Component: base system
Version: Trunk
Keywords:
Cc:


The firewall configuration

config zone 'internet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'internet'
        option subnet '!'

yields the unfortunate rules:

iptables -t filter -A zone_internet_src_ACCEPT -s -j ACCEPT
iptables -t filter -A zone_internet_dest_ACCEPT -d -j ACCEPT
iptables -t filter -A delegate_input -s -j zone_internet_input
iptables -t filter -A delegate_output -d -j zone_internet_output
iptables -t filter -A delegate_forward -s -j zone_internet_forward

As iptables happily accepts the supplied notation, is there a reason that fw3 converts CIDR to address/netmask instead of passing through the subnet value (perhaps after sanity checks)?

Attempting to work around this produced bug #17772.
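As an added illustration (not fw3 code, and not part of the ticket), this sketches the "sanity checks, then pass through" approach the report asks about: the subnet option is parsed with its optional leading `!`, refused outright when no address follows it (so a rule like `-s -j ACCEPT` is never emitted), and rendered either as CIDR or as address/netmask. The zone name `internet` and the sample subnets are taken from or constructed for this example.

```python
"""Added example: validate a UCI 'option subnet' value with an optional '!'
prefix and render the iptables match for it.  Not fw3's implementation."""
import ipaddress


def parse_subnet_option(value):
    """Split an 'option subnet' value into (negated, network).

    Raises ValueError for an empty or malformed address, so a bare '!' is
    refused instead of turning into a match with no address."""
    spec = value.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()  # accept both '!10.0.0.0/8' and '! 10.0.0.0/8'
    if not spec:
        raise ValueError("subnet option has no address: %r" % value)
    # strict=False normalises host bits ('10.1.2.3/8' -> '10.0.0.0/8')
    return negated, ipaddress.ip_network(spec, strict=False)


def subnet_error(value):
    """Return a description of what is wrong with the value, or None if usable."""
    try:
        parse_subnet_option(value)
    except ValueError as exc:
        return str(exc)
    return None


def match_args(flag, value, cidr=True):
    """Build the '-s'/'-d' match.  cidr=True passes the prefix length through
    ('10.0.0.0/8'); cidr=False renders address/netmask ('10.0.0.0/255.0.0.0').
    Negation uses the current iptables form '! -s ADDR'."""
    negated, net = parse_subnet_option(value)
    suffix = net.prefixlen if cidr else net.netmask
    addr = "%s/%s" % (net.network_address, suffix)
    return (["!"] if negated else []) + [flag, addr]


def zone_rules(zone, value, cidr=True):
    """Render the src/dest ACCEPT rules quoted in the ticket for one zone."""
    src = " ".join(match_args("-s", value, cidr))
    dst = " ".join(match_args("-d", value, cidr))
    return [
        "iptables -t filter -A zone_%s_src_ACCEPT %s -j ACCEPT" % (zone, src),
        "iptables -t filter -A zone_%s_dest_ACCEPT %s -j ACCEPT" % (zone, dst),
    ]


if __name__ == "__main__":
    for spec in ("!10.0.0.0/8", "192.168.1.0/24", "!"):  # constructed samples
        problem = subnet_error(spec)
        print("refused %r: %s" % (spec, problem) if problem
              else "\n".join(zone_rules("internet", spec)))
```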
