Conversation

@wojcik91
Contributor

When preparing destination addrs for firewall rules, we combine all the IPs, networks and IP ranges into non-overlapping IP ranges to avoid nftables errors, since nftables doesn't accept overlapping elements.

Initially this meant that all networks got converted into ranges, which caused issues with the BSD packet filter, which generates a separate rule for each IP in a range. As a workaround, we skipped converting networks into ranges, but this meant that we could no longer guarantee that the generated elements were non-overlapping.

This PR introduces the ability to extract all possible subnets from generated ranges, thus resolving both of the above issues (networks are not needlessly turned into ranges and elements no longer overlap).
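The two-step approach described above (merge everything into non-overlapping ranges, then extract the largest CIDR subnets from each range), as an added example that is not the project's code from this PR. The `Element` enum and the functions are hypothetical stand-ins for the project's own types and are deliberately limited to IPv4; the sample input is constructed.

```rust
use std::net::Ipv4Addr;

/// Inclusive IPv4 range stored as host-order u32 bounds.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Range {
    pub start: u32,
    pub end: u32,
}

/// Simplified stand-in for the address kinds an ACL destination may carry
/// (a hypothetical type for this example, not the project's own).
#[derive(Debug, Clone)]
pub enum Element {
    Ip(Ipv4Addr),
    /// network address and prefix length
    Network(Ipv4Addr, u8),
    /// inclusive start and end
    Range(Ipv4Addr, Ipv4Addr),
}

fn to_range(e: &Element) -> Range {
    match e {
        Element::Ip(ip) => {
            let v = u32::from(*ip);
            Range { start: v, end: v }
        }
        Element::Network(ip, prefix) => {
            let v = u32::from(*ip);
            // a /0 mask must be 0; `u32::MAX << 32` would overflow
            let mask = if *prefix == 0 { 0 } else { u32::MAX << (32 - *prefix) };
            Range { start: v & mask, end: v | !mask }
        }
        Element::Range(a, b) => Range { start: u32::from(*a), end: u32::from(*b) },
    }
}

/// Step 1: collapse all elements into sorted, non-overlapping, non-adjacent ranges,
/// so the set handed to nftables never contains overlapping members.
pub fn merge(elements: &[Element]) -> Vec<Range> {
    let mut ranges: Vec<Range> = elements.iter().map(to_range).collect();
    ranges.sort_by_key(|r| (r.start, r.end));
    let mut merged: Vec<Range> = Vec::new();
    for r in ranges {
        if let Some(last) = merged.last_mut() {
            // overlapping or directly adjacent: extend the previous range
            if r.start <= last.end.saturating_add(1) {
                last.end = last.end.max(r.end);
                continue;
            }
        }
        merged.push(r);
    }
    merged
}

/// Step 2: split one inclusive range into the minimal list of CIDR subnets,
/// so a /24 comes back out as a /24 instead of 256 single-host rules on pf.
pub fn range_to_subnets(r: Range) -> Vec<(Ipv4Addr, u8)> {
    let mut out = Vec::new();
    // u64 so that `start` can step past 255.255.255.255 without overflow
    let mut start = u64::from(r.start);
    let end = u64::from(r.end);
    while start <= end {
        // widest block aligned at `start`: one bit per trailing zero, capped at /0
        let mut prefix = 32 - start.trailing_zeros().min(32);
        // shrink the block until it no longer overshoots `end` (a /32 always fits)
        while prefix < 32 && start + (1u64 << (32 - prefix)) - 1 > end {
            prefix += 1;
        }
        out.push((Ipv4Addr::from(start as u32), prefix as u8));
        start += 1u64 << (32 - prefix);
    }
    out
}

/// Full pipeline: ACL elements -> merged ranges -> non-overlapping subnets.
pub fn elements_to_subnets(elements: &[Element]) -> Vec<(Ipv4Addr, u8)> {
    merge(elements).into_iter().flat_map(range_to_subnets).collect()
}

fn main() {
    // constructed sample input: a host inside a network it overlaps with,
    // a range adjacent to that network, and an unrelated single host
    let elements = vec![
        Element::Ip(Ipv4Addr::new(10, 0, 0, 5)),
        Element::Network(Ipv4Addr::new(10, 0, 0, 0), 24),
        Element::Range(Ipv4Addr::new(10, 0, 1, 0), Ipv4Addr::new(10, 0, 1, 3)),
        Element::Ip(Ipv4Addr::new(192, 168, 1, 1)),
    ];
    for (net, prefix) in elements_to_subnets(&elements) {
        println!("{net}/{prefix}");
    }
}
```

With the sample input the merge step swallows the duplicate host and joins the adjacent range, and the split step then yields 10.0.0.0/24, 10.0.1.0/30 and 192.168.1.1/32: three elements that never overlap and that pf can install as three rules rather than 261.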

@wojcik91 wojcik91 requested a review from moubctez June 22, 2025 21:43
@wojcik91 wojcik91 self-assigned this Jun 22, 2025
@wojcik91 wojcik91 changed the title fix IP address merging when generating firewall config from ACLs WIP: fix IP address merging when generating firewall config from ACLs Jun 22, 2025
@moubctez moubctez changed the base branch from release/1.4-alpha to release/1.4 June 23, 2025 11:47
@wojcik91 wojcik91 marked this pull request as ready for review June 24, 2025 09:58
@wojcik91 wojcik91 force-pushed the fix_addrs_merging branch from eec437a to d03cf4b June 24, 2025 09:59
@wojcik91 wojcik91 changed the title WIP: fix IP address merging when generating firewall config from ACLs fix IP address merging when generating firewall config from ACLs Jun 24, 2025
@wojcik91
Contributor Author

resolves #1255

@wojcik91 wojcik91 merged commit f0b0c16 into release/1.4 Jun 24, 2025
1 check passed
@wojcik91 wojcik91 deleted the fix_addrs_merging branch June 24, 2025 11:05

4 participants