[pve-devel] [PATCH firewall] improve search for local-network

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Nov 23 10:23:36 CET 2016


Skip zero-prefix routes as it makes no sense to consider
them (and ipset doesn't allow ::/0 to be added
anyway).

Support /128 local addresses by also checking for identical
addresses besides b-in-a overlapping.
---
This should fix:
https://forum.proxmox.com/threads/firewall-syslog-problem.30390/#post-153064

 src/PVE/Firewall.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cf96564..ef74ca2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -911,13 +911,17 @@ sub local_network {
 	    my $mask;
 	    if ($isv6) {
 		$mask = $entry->{prefix};
+		next if !$mask; # skip the default route...
 	    } else {
 		$mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
 		next if !defined($mask);
 	    }
 	    my $cidr = "$entry->{dest}/$mask";
 	    my $testnet = Net::IP->new($cidr);
-	    if ($testnet->overlaps($testip) == $Net::IP::IP_B_IN_A_OVERLAP) {
+	    my $overlap = $testnet->overlaps($testip);
+	    if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
+	        $overlap == $Net::IP::IP_IDENTICAL)
+	    {
 		$__local_network = $cidr;
 		return;
 	    }
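Review bot: the zero-prefix skip is added only in the IPv6 branch; the IPv4 branch right below it still does just `next if !defined($mask);`, so an IPv4 default route gets through whenever `$PVE::Network::ipv4_mask_hash_localnet` maps `0.0.0.0` to 0, and since it is usually the first entry it would then win as a b-in-a match. Either add the same `next if !$mask;` after the IPv4 lookup so both families skip the default route as the commit message says, or state why IPv4 cannot hit that case. Minor style point: the opening brace on its own line after the two-line condition differs from the same-line brace used by the surrounding code in this hunk.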
-- 
2.1.4
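An added example, not code from this patch or from PVE::Firewall, that replays the route walk of local_network in Python with the ipaddress module standing in for Net::IP. The overlap names, the helper names and the routing-table snapshots are constructed for illustration; a real run would read them from the kernel routing table. It shows both halves of the patch on a host whose IPv6 address is configured as /128: without the zero-prefix skip, ::/0 is the first entry and matches as b-in-a, and without the identical check the /128 host route is never accepted, so the search finds nothing.

```python
"""Local-network lookup mirroring the route walk in the patch (added example, not PVE code)."""
import ipaddress

# Symbolic names for the Net::IP overlap results the patch compares against.
# Net::IP exposes them as numeric constants; the names here are constructed for this example.
NO_OVERLAP = "no_overlap"
A_IN_B = "a_in_b"        # $testnet lies inside $testip's network
B_IN_A = "b_in_a"        # $testip lies inside $testnet (IP_B_IN_A_OVERLAP)
IDENTICAL = "identical"  # same network and same prefix length (IP_IDENTICAL)


def classify_overlap(a, b):
    """Return how network b relates to network a, in Net::IP's vocabulary."""
    if a.version != b.version:
        return NO_OVERLAP  # Net::IP reports an error for mixed families; treat as no match
    if a == b:
        return IDENTICAL
    if a.supernet_of(b):
        return B_IN_A
    if b.supernet_of(a):
        return A_IN_B
    return NO_OVERLAP


def overlap_of(a_cidr, b_cidr):
    """String convenience wrapper around classify_overlap."""
    return classify_overlap(ipaddress.ip_network(a_cidr), ipaddress.ip_network(b_cidr))


def local_network(address, routes, skip_default=True, accept_identical=True):
    """Return the routing-table entry that covers `address` as a CIDR string, or None.

    `routes` holds (dest, mask) pairs as read from the routing table; mask is a
    prefix length ("64") or, for IPv4, a dotted netmask ("255.255.255.0").
    The two flags switch between the behaviour before and after the patch:
      skip_default=False, accept_identical=False -> the original loop
      skip_default=True,  accept_identical=True  -> the loop after the patch
    """
    testip = ipaddress.ip_network(address)  # host as /32 or /128, like Net::IP->new($ip)
    for dest, mask in routes:
        try:
            testnet = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # unparsable entry, like an undefined mask in the Perl code
        if skip_default and testnet.prefixlen == 0:
            continue  # 0.0.0.0/0 or ::/0: not a local network, and ipset refuses it
        overlap = classify_overlap(testnet, testip)
        if overlap == B_IN_A or (accept_identical and overlap == IDENTICAL):
            return str(testnet)
    return None


# Constructed routing-table snapshots, modelled on `ip route` / `ip -6 route` output;
# not captured from a real host.
ROUTES_V6 = [
    ("::", "0"),              # default route, listed first on purpose
    ("2001:db8::1", "128"),   # host route for a /128-configured address (the forum case)
    ("2001:db8:1::", "64"),   # an ordinary on-link prefix
]
ROUTES_V4 = [
    ("0.0.0.0", "0.0.0.0"),
    ("192.0.2.0", "255.255.255.0"),
]


if __name__ == "__main__":
    for addr, routes in (("2001:db8::1", ROUTES_V6), ("192.0.2.10", ROUTES_V4)):
        before = local_network(addr, routes, skip_default=False, accept_identical=False)
        after = local_network(addr, routes)
        print(f"{addr}: before patch -> {before}, after patch -> {after}")
```

The order of the route entries matters in the same way as in the Perl loop: the first match wins, which is why an unskipped ::/0 shadows every more specific entry, and why a /128 host route must be accepted as IDENTICAL rather than B_IN_A.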