MaxKellermann / ferm

ferm is a frontend for iptables
GNU General Public License v2.0

Feature request: a more intelligent `@resolve` (support CIDR notation) #66

Open tst2005 opened 4 years ago

tst2005 commented 4 years ago

I take whitelist IPs from a plaintext file. I'm trying to resolve entries, but some of them are already IP or IP-range (CIDR).

I would like to have:

@def $whitelist = `grep '^[^#]\+' /etc/friends`;

domain (ip ip6) table filter chain INPUT {
        saddr @ipfilter( ( @resolve( $whitelist ) ) ) ACCEPT;
}

Here is my current code that splits the file content:

@def $whitelist_to_resolve = `grep '^[^#]\+' /etc/friends| grep -v '^[0-9:./]*$'`;
@def $whitelist_direct    = `grep '^[^#]\+' /etc/friends | grep '^[0-9:./]*$'`;

domain (ip ip6) table filter chain INPUT {
        saddr @ipfilter( ( @resolve( $whitelist_to_resolve ) $whitelist_direct ) ) ACCEPT;
}

The code to test can be:

@def $whitelist_to_resolve = `echo github.com; echo testmyipv6.com`;
@def $whitelist_direct    = `echo 1.2.3.4; echo 1:2:3:4:5:6:7:0/64`;

domain (ip ip6) table filter chain INPUT {
        saddr @ipfilter( ( @resolve( $whitelist_to_resolve ) $whitelist_direct ) ) ACCEPT;
}

I dream of a more intelligent @resolve function that is not trying to resolve IP/IP-range.

I think @resolve() can avoid resolution of entries that match ^[0-9:./]$.

MaxKellermann commented 3 years ago

You mean like 562c810c8ce400378b4c2edd2dee6e7beb6757d6 ?

tst2005 commented 3 years ago

Exactly !

tst2005 commented 3 years ago

In fact, not exactly. It is better but it only supports IP. It does not support CIDR notation like:

If you need more stupid samples I can provide them! :D

tst2005 commented 3 years ago

There is something strange ... You show me an (old) commit for ferm 2.3.1 but I'm using ferm 2.4 and it does not resolve IP? If 2.4 is after 2.3.1 then I was supposed to be able to resolve IP at least. It becomes unclear for me...

MaxKellermann commented 3 years ago

Maybe you shouldn't use ferm 2.4, because it's more than three years old.

tst2005 commented 3 years ago

Debian stable uses old and stable things ;-) I can easily update it to 2.5 (or a newer version manually) if necessary.

I just don't understand https://github.com/MaxKellermann/ferm/commit/562c810c8ce400378b4c2edd2dee6e7beb6757d6: the commit was done in 2016 in 2.3.1, exact? Why didn't my current 2.4 version include it? I just try to understand...

MaxKellermann commented 3 years ago

It is included, but look at the regular expression - it doesn't cover all the cases you cited.

tst2005 commented 3 years ago

Are you open to working together to extend those regular expressions to cover CIDR notation? It seems not such hard work:

for A: /^\d+\.\d+\.\d+\.\d+(|\/\d+|\/\d+\.\d+\.\d+\.\d+)$/
for AAAA: /^[0-9a-fA-F:]*:[0-9a-fA-F:]*(|\/\d+)$/

Do you prefer a PR? If yes, a PR based on which tag? (master? 2.4? 2.3.1?)
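The two heuristics discussed in this thread (the first post's `^[0-9:./]*$` pre-split of /etc/friends, and the per-record-type regexes just above) decide which whitelist entries are literal addresses and which still need DNS. The following is an added example, not ferm's own code (ferm is written in Perl; this is Python so it can be run without the project): it reads a constructed sample of /etc/friends, applies the thread's regexes to spot address-shaped entries, and then validates those with the standard `ipaddress` module before they are treated as literals. The point a firewall maintainer cares about is the third bucket: an entry that is shaped like an address but is not one (too few IPv6 groups, an octet above 255) must be rejected, not quietly handed to the resolver or to iptables. Sample entries, file contents and function names are assumptions made for the example.

```python
"""Split a ferm-style whitelist into literal networks and names to resolve."""
import ipaddress
import re

# Regexes proposed in the thread for A and AAAA entries (with optional CIDR
# prefix; the A form also accepts a dotted netmask).
IPV4_RE = re.compile(r'^\d+\.\d+\.\d+\.\d+(|/\d+|/\d+\.\d+\.\d+\.\d+)$')
IPV6_RE = re.compile(r'^[0-9a-fA-F:]*:[0-9a-fA-F:]*(|/\d+)$')

# Constructed stand-in for /etc/friends (not a real file from the issue).
SAMPLE_FRIENDS = """\
# friends of the house
github.com
1.2.3.4
10.0.0.0/8
10.0.0.0/255.0.0.0
2001:db8::/32
1:2:3:4:5:6:0/64
999.1.1.1
testmyipv6.com
"""


def strip_comments(text):
    """Mimic grep '^[^#]\\+': drop empty lines and lines starting with '#'."""
    return [ln.strip() for ln in text.splitlines()
            if ln and not ln.startswith('#')]


def looks_like_address(entry):
    """Regex-only check, exactly what the thread proposes for @resolve."""
    return bool(IPV4_RE.match(entry) or IPV6_RE.match(entry))


def parse_literal(entry):
    """Strict parse; returns an ip_network object or None if invalid.

    strict=False lets host addresses carry a prefix (1.2.3.4 -> 1.2.3.4/32)
    and accepts the dotted-netmask form, which ipaddress normalises.
    """
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def classify(entries):
    """Return (direct, to_resolve, rejected).

    direct:     valid literal networks, normalised to CIDR form
    to_resolve: anything not address-shaped, left for DNS resolution
    rejected:   address-shaped but unparsable; never silently resolved
    """
    direct, to_resolve, rejected = [], [], []
    for entry in entries:
        if not looks_like_address(entry):
            to_resolve.append(entry)
            continue
        net = parse_literal(entry)
        if net is None:
            rejected.append(entry)
        else:
            direct.append(str(net))
    return direct, to_resolve, rejected


if __name__ == "__main__":
    direct, to_resolve, rejected = classify(strip_comments(SAMPLE_FRIENDS))
    print("direct:    ", direct)
    print("to_resolve:", to_resolve)
    print("rejected:  ", rejected)
```

Run as-is it prints the three buckets; `rejected` holds `1:2:3:4:5:6:0/64` (only seven groups and no `::`) and `999.1.1.1`, both of which the thread's regexes accept but neither iptables nor DNS would make sense of. Validating the literal before use is the step the regex alone does not give you.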

MaxKellermann commented 3 years ago

Yes, yes.