Several ipset bugfixes
authorJo-Philipp Wich <jow@openwrt.org>
Thu, 20 Feb 2014 23:29:57 +0000 (23:29 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Fri, 21 Feb 2014 00:17:21 +0000 (00:17 +0000)
- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
ipsets.c

index 06aafb77ecab50be9b5ffbdb8f917183e9b176b9..8f88885546c68bb16f124294c51b073d10be68a2 100644 (file)
--- a/ipsets.c
+++ b/ipsets.c
@@ -107,6 +107,11 @@ check_types(struct uci_element *e, struct fw3_ipset *ipset)
        {
                for (i = 0; i < ARRAY_SIZE(ipset_types); i++)
                {
+                       /* skip type for v6 if it does not support family */
+                       if (ipset->family != FW3_FAMILY_V4 &&
+                           !(ipset_types[i].optional & OPT_FAMILY))
+                               continue;
+
                        if (ipset_types[i].types == typelist)
                        {
                                ipset->method = ipset_types[i].method;
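Review bot: The new skip in check_types only guards the loop shown here, and the function continues outside the hunk, so it is not visible whether an IPv6 set with an explicitly configured storage method that lacks OPT_FAMILY is rejected as well. That matters because the create_ipset hunk in this commit stops emitting `family` for non-hash sets, so such a set would be created with no family argument at all. If the later validation does not already cover that case, the same `!(ipset_types[i].optional & OPT_FAMILY)` test should fail it there with a warning. The comment could also state the reason, for example `/* IPv6 sets need a type that accepts the family option; skip the others */`.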
@@ -259,6 +264,10 @@ fw3_load_ipsets(struct fw3_state *state, struct uci_package *p)
                {
                        warn_elem(e, "must not have family 'any'");
                }
+               else if (ipset->iprange.set && ipset->family != ipset->iprange.family)
+               {
+                       warn_elem(e, "has iprange of wrong address family");
+               }
                else if (list_empty(&ipset->datatypes))
                {
                        warn_elem(e, "has no datatypes assigned");
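Review bot: The new `iprange` branch only calls warn_elem, and what happens to the set and to rules that name it is decided after this else-if chain, outside the hunk. It is worth confirming that a set rejected here is discarded and that a rule referencing it is dropped as well, not loaded without its set match, since that would match more traffic than the configuration intended. The message would be easier to act on if it named the set's family and the range's family. A short comment such as `/* the range must be of the set's own address family */` would document the check.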
@@ -292,6 +301,9 @@ create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
                first = false;
        }
 
+       if (ipset->method == FW3_IPSET_METHOD_HASH)
+               fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
+
        if (ipset->iprange.set)
        {
                fw3_pr(" range %s", fw3_address_to_string(&ipset->iprange, false));
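Review bot: The ternary in the added `fw3_pr(" family inet%s", ...)` call prints `inet6` for every value other than FW3_FAMILY_V4, so it depends on the loader having rejected family 'any' before create_ipset runs. The same `!= FW3_FAMILY_V4` shortcut appears in the check_types hunk. Comparing against the v6 constant, `(ipset->family == FW3_FAMILY_V6) ? "6" : ""`, would make an unset family produce `inet` instead of silently creating an IPv6 set. A one-line comment like `/* family is emitted for hash sets only, ahead of range, port range and timeout */` would record why the call moved. create_ipset starts and ends outside the hunk.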
@@ -302,8 +314,6 @@ create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
                       ipset->portrange.port_min, ipset->portrange.port_max);
        }
 
-       fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
-
        if (ipset->timeout > 0)
                fw3_pr(" timeout %u", ipset->timeout);