Feature request: a more intelligent `@resolve` (support CIDR notation)

Question

Feature request: a more intelligent `@resolve` (support CIDR notation)

tst2005 opened this issue 5 years ago · 9 comments

tst2005 commented 5 years ago

I take whitelist IPs from a plaintext file.
I'm trying to resolv entries, but some of them are already IP or IP-range (CIDR).

I would like to have:

@def $whitelist = `grep '^[^#]\+' /etc/friends`;

domain (ip ip6) table filter chain INPUT {
        saddr @ipfilter( ( @resolve( $whitelist ) ) ACCEPT;
}

There is my current code that split the file content:

@def $whitelist_to_resolve = `grep '^[^#]\+' /etc/friends| grep -v '^[0-9:./]*$'`;
@def $whitelist_direct    = `grep '^[^#]\+' /etc/friends | grep '^[0-9:./]*$'`;

domain (ip ip6) table filter chain INPUT {
        saddr @ipfilter( ( @resolve( $whitelist_to_resolve ) $whitelist_direct ) ) ACCEPT;
}

The code to test can be:

@def $whitelist_to_resolve = `echo github.com; echo testmyipv6.com`;
@def $whitelist_direct    = `echo 1.2.3.4; echo 1:2:3:4:5:6:0/64`;

domain (ip ip6) table filter chain INPUT {
        saddr @ipfilter( ( @resolve( $whitelist_to_resolve ) $whitelist_direct ) ) ACCEPT;
}

I dreams a more intelligent @resolve function that is not tryting to resolve IP/IP-range.

I think @resolv() can avoid resolution of entries that match ^[0-9:./]$.

tst2005 commented 4 years ago

Exactly !

MaxKellermann commented 4 years ago

Yes, yes.

Answer 1 · 2021-01-30T12:00:45.000Z

You mean like 562c810
?

Answer 2 · 2021-02-02T10:40:26.000Z

In fact, not exactly.
It is better but it only support IP.
It does not support CIDR notation like:

1:2:3:4:5:6/64
::1/128
127.0.0.1/32
127.0.0.1/255.255.255.255
127.0.0.0/8
127.0.0.0/255.0.0.0
127/8 (not always supported)
0/0
0.0.0.0/0.0.0.0

if you need more stupid sample I can provide them ! :D

Answer 3 · 2021-02-02T10:50:40.000Z

There is something strange ... You show me an (old) commit for ferm 2.3.1 but I'm using ferm 2.4 and it does not resolve IP ?
if 2,.4 is after 2.3.1 then I was suppose to be able to resolve IP at least.
It becomes unclear for me...

Answer 4 · 2021-02-03T12:39:48.000Z

Maybe you shouldn't use ferm 2.4, because it's more than three years old.

Answer 5 · 2021-02-03T13:30:59.000Z

Debian stable use old and stable things ;-)
I can easily update it to 2.5 (or newer version manualy) if necessary.

I just don't understand 562c810
the commit was done in 2016 in 2.3.1, exact ?
Why my current 2.4 version didn't include it ?
I just try to understand...

Answer 6 · 2021-02-03T13:34:38.000Z

It is included, but look at the regular expression - it doesn't cover all the cases you cited.

Answer 7 · 2021-02-08T12:36:57.000Z

Are you open to work together to extend those regular expression to cover CIDR notation ?
it seems not a so hard work:

for A: /^\d+\.\d+\.\d+\.\d+(|\/\d+|\/\d+\.\d+.\d+\.\d+)$/
for AAAA: /^[0-9a-fA-F:]*:[0-9a-fA-F:]*(|\/\d+)$/

Do you prefer PR ?
if yes, a PR based on which tag ? (master? 2.4 ? 2.3.1 ?)