Opened 3 years ago

#17773 new enhancement

firewall zone subnet accept inverted subnets

Reported by: i@…
Owned by: developers
Priority: normal
Milestone:
Component: base system
Version: Trunk
Keywords:
Cc:

Description

The firewall configuration

config zone 'internet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'internet'
        option subnet '!10.0.0.0/8'

yields the unfortunate rules:

iptables -t filter -A zone_internet_src_ACCEPT -s 10.0.0.0/255.0.0.0 -j ACCEPT
iptables -t filter -A zone_internet_dest_ACCEPT -d 10.0.0.0/255.0.0.0 -j ACCEPT
iptables -t filter -A delegate_input -s 10.0.0.0/255.0.0.0 -j zone_internet_input
iptables -t filter -A delegate_output -d 10.0.0.0/255.0.0.0 -j zone_internet_output
iptables -t filter -A delegate_forward -s 10.0.0.0/255.0.0.0 -j zone_internet_forward

As iptables happily accepts the supplied notation, is there a reason that fw3 converts CIDR to address/netmask instead of passing through the subnet value (perhaps after sanity checks)?

Attempting to work around this produced bug #17772.
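The report above shows the negation being dropped: '!10.0.0.0/8' is meant to match everything except 10.0.0.0/8, but the emitted rules match only 10.0.0.0/8, so the zone's ACCEPT policy ends up applied to the opposite set of addresses. The following is an added example, not fw3 code, that reproduces the faulty conversion next to a version that keeps the '!' (emitted in the iptables form '! -s addr', which is what current iptables expects). The parse_subnet_option, buggy_match, fixed_match, zone_rules and matches names are assumptions made for this illustration; the chain names are taken from the rules quoted in the ticket.

```python
import ipaddress


def parse_subnet_option(value):
    """Split a UCI 'subnet' value into (negated, network).

    Constructed helper, not fw3's parser: a leading '!' means "everything
    except this network". CIDR is normalised with the ipaddress module so
    that malformed input raises ValueError instead of silently producing
    a rule that matches something else.
    """
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    network = ipaddress.ip_network(value, strict=False)
    return negated, network


def to_netmask_notation(network):
    # 10.0.0.0/8 -> "10.0.0.0/255.0.0.0", the address/netmask form the ticket shows
    return f"{network.network_address}/{network.netmask}"


def buggy_match(flag, value):
    """Reproduces the behaviour in the report: the negation is discarded."""
    _negated, network = parse_subnet_option(value)
    return f"{flag} {to_netmask_notation(network)}"


def fixed_match(flag, value):
    """Keeps the negation: iptables syntax is '! -s addr' / '! -d addr'."""
    negated, network = parse_subnet_option(value)
    prefix = "! " if negated else ""
    return f"{prefix}{flag} {to_netmask_notation(network)}"


def zone_rules(zone, value, build=fixed_match):
    """Emit the five zone rules from the ticket for one subnet option.

    'build' selects the match builder so the buggy and fixed output can be
    compared side by side.
    """
    src = build("-s", value)
    dst = build("-d", value)
    return [
        f"iptables -t filter -A zone_{zone}_src_ACCEPT {src} -j ACCEPT",
        f"iptables -t filter -A zone_{zone}_dest_ACCEPT {dst} -j ACCEPT",
        f"iptables -t filter -A delegate_input {src} -j zone_{zone}_input",
        f"iptables -t filter -A delegate_output {dst} -j zone_{zone}_output",
        f"iptables -t filter -A delegate_forward {src} -j zone_{zone}_forward",
    ]


def matches(value, address):
    """True if the subnet option, as the author intended it, covers 'address'.

    Useful as a regression check: the buggy rules accept exactly the
    addresses for which this returns False.
    """
    negated, network = parse_subnet_option(value)
    return (ipaddress.ip_address(address) in network) != negated


if __name__ == "__main__":
    option = "!10.0.0.0/8"  # the value from the ticket's zone config
    for rule in zone_rules("internet", option, build=buggy_match):
        print("buggy:", rule)
    for rule in zone_rules("internet", option):
        print("fixed:", rule)
    for addr in ("8.8.8.8", "10.1.2.3"):
        print(addr, "intended to match:", matches(option, addr))
```

Running the block prints the five rules as the ticket shows them, then the same five with '! -s' / '! -d', followed by a check that 8.8.8.8 is inside the intended match set and 10.1.2.3 is outside it. The design point is that negation is a property of the match, so it has to survive whatever notation conversion the rule generator applies; converting to address/netmask is harmless on its own, losing the '!' is what inverts the policy.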
