[pve-devel] applied: [PATCH proxmox-firewall v3 3/3] fix #6336: fix ipfilter matching logic
Thomas Lamprecht
t.lamprecht at proxmox.com
Sat Oct 4 14:58:47 CEST 2025
On Wed, 01 Oct 2025 18:28:16 +0200, Stefan Hanreich wrote:
> Matching on ipsets in the firewall generally works by matching on two
> sets (one for match, one for nomatch):
>
> ip saddr @ipfilter ip saddr != @ipfilter-nomatch <verdict>
>
> Ipfilters were created with the comparison operators simply inverted,
> which leads to ipfilters with empty nomatch sets never working, since
> the second expression always evaluates to false on empty sets:
>
> [...]
Applied, thanks!
[3/3] fix #6336: fix ipfilter matching logic
commit: 9b7295a311b71cfed50f716dd834f58693ed1dff
More information about the pve-devel
mailing list