#17773: firewall zone subnet accept inverted subnets
-------------------------+------------------------
Reporter: i@… | Owner: developers
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: base system | Version: Trunk
Keywords: |
-------------------------+------------------------
The firewall configuration
{{{
config zone 'internet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'internet'
option subnet '!10.0.0.0/8'
}}}
yields the unfortunate rules:
{{{
iptables -t filter -A zone_internet_src_ACCEPT -s 10.0.0.0/255.0.0.0 -j ACCEPT
iptables -t filter -A zone_internet_dest_ACCEPT -d 10.0.0.0/255.0.0.0 -j ACCEPT
iptables -t filter -A delegate_input -s 10.0.0.0/255.0.0.0 -j zone_internet_input
iptables -t filter -A delegate_output -d 10.0.0.0/255.0.0.0 -j zone_internet_output
iptables -t filter -A delegate_forward -s 10.0.0.0/255.0.0.0 -j zone_internet_forward
}}}
As iptables happily accepts the supplied notation, is there a reason that
fw3 converts CIDR to address/netmask instead of passing through the subnet
value (perhaps after sanity checks)?
Attempting to work around this produced bug #17772.
--
Ticket URL: <https://dev.openwrt.org/ticket/17773>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
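The ticket's point, illustrated with an added example that is not fw3's code and not part of the original report: converting a UCI `option subnet '!10.0.0.0/8'` value to address/netmask form while discarding the leading `!` produces a match on the subnet the operator meant to exclude, whereas passing the CIDR through with iptables' own `! -s` negation keeps the intended semantics. The two conversion functions and the rule evaluator below are hypothetical models of the behaviour described in the ticket, not a reproduction of fw3 internals.

```python
import ipaddress

# Constructed from the ticket's 'internet' zone: the operator wants to
# match everything EXCEPT 10.0.0.0/8.
ZONE_SUBNET = "!10.0.0.0/8"


def parse_subnet(value):
    """Split a UCI subnet value into (negated, ipaddress network)."""
    value = value.strip()
    negated = value.startswith("!")
    network = ipaddress.ip_network(value.lstrip("!").strip(), strict=False)
    return negated, network


def netmask_style_args(value, flag):
    """Lossy conversion as observed in the ticket (hypothetical model):
    CIDR becomes address/netmask and the leading '!' is dropped, so the
    generated rule matches the subnet that was meant to be excluded."""
    _negated, net = parse_subnet(value)
    return [flag, f"{net.network_address}/{net.netmask}"]


def cidr_passthrough_args(value, flag):
    """Negation-preserving conversion: emit iptables' own '! -s CIDR' form
    after the CIDR has been validated by ipaddress."""
    negated, net = parse_subnet(value)
    prefix = ["!"] if negated else []
    return prefix + [flag, str(net)]


def render_rule(chain, args, target):
    """Assemble a full iptables command line for display."""
    return " ".join(["iptables", "-t", "filter", "-A", chain] + args + ["-j", target])


def rule_matches(args, address):
    """Evaluate whether the -s/-d match expression produced above matches
    the given address, honouring an optional leading '!'.
    ipaddress accepts both CIDR and address/netmask notation."""
    negated = args[0] == "!"
    net = ipaddress.ip_network(args[-1], strict=False)
    hit = ipaddress.ip_address(address) in net
    return (not hit) if negated else hit


if __name__ == "__main__":
    for label, conv in (("lossy", netmask_style_args), ("passthrough", cidr_passthrough_args)):
        args = conv(ZONE_SUBNET, "-s")
        print(label, "->", render_rule("zone_internet_src_ACCEPT", args, "ACCEPT"))
        for probe in ("10.1.2.3", "203.0.113.5"):
            print("   ", probe, "matches:", rule_matches(args, probe))
```

Running the block prints the lossy rule matching a 10.x address (the excluded range) and the passthrough rule matching only addresses outside it, which is the inversion the ticket describes.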