firewall-lib.pl: Return custom host/neworks groups as sets to match
authorStefan Schantl <stefan.schantl@ipfire.org>
Sun, 16 Apr 2023 14:18:59 +0000 (16:18 +0200)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sun, 16 Apr 2023 14:18:59 +0000 (16:18 +0200)
against

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/firewall/firewall-lib.pl

index b7d3ff95857d3a8572a92df3597baedc2e968047..1e5a92c25f24e30daed5e374f2fb711be0e1de0c 100644 (file)
@@ -311,17 +311,7 @@ sub get_addresses
                $value = $$hash{$key}[6];
        }
 
-       if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
-               foreach my $grp (sort {$a <=> $b} keys %customgrp) {
-                       if ($customgrp{$grp}[0] eq $value) {
-                               my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
-                               next if ($address[0][0] eq 'none');
-                               if (@address) {
-                                       push(@addresses, @address);
-                               }
-                       }
-               }
-       }elsif ($addr_type ~~ ["cust_location_src", "cust_location_tgt"] && $value =~ "group:") {
+       if ($addr_type ~~ ["cust_location_src", "cust_location_tgt"] && $value =~ "group:") {
                $value=substr($value,6);
                foreach my $grp (sort {$a <=> $b} keys %customlocationgrp) {
                        if ($customlocationgrp{$grp}[0] eq $value) {
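Review bot: The condition that now heads this chain tests `$value =~ "group:"` unanchored and then strips a fixed prefix with `substr($value,6)`, so a value containing `group:` anywhere but the start loses its first six characters and is looked up under the wrong name. Anchoring the test, `$value =~ /\Agroup:/`, makes it agree with the substr. The smartmatch operator `~~` on the same line is deprecated as of Perl 5.38; two plain `eq` comparisons against the literal type names would read the same and keep working. get_addresses starts and ends outside this hunk.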
@@ -479,6 +469,14 @@ sub get_address
                        push(@ret, ["-m set --match-set $value dst", "$external_interface"]);
                }
 
+       # Handle rule option with a custom source group.
+       } elsif ($key eq "cust_grp_src") {
+               push(@ret, ["-m set --match-set $value src", ""]);
+
+       # Handle rule option with a custom destination group.
+       } elsif ($key eq "cust_grp_dst") {
+               push(@ret, ["-m set --match-set $value dst", ""]);
+
        # If nothing was selected, we assume "any".
        } else {
                push(@ret, ["0/0", ""]);
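Review bot: The new destination branch compares `$key` with `cust_grp_dst`, while the branch removed from get_addresses in the first hunk matched `cust_grp_tgt`, and the location types there use the `_tgt` suffix too. If `$key` carries that same type string, a rule targeting a custom group never reaches this branch and falls through to the final `else`, which emits `0/0` and widens the rule to any destination. I would expect `} elsif ($key eq "cust_grp_tgt") {` unless a caller translates the name before get_address is called, which is not visible here. Separately, `$value` goes into `--match-set` unchanged; ipset names are a single word of at most 31 characters, so the group name should be validated or mapped to a safe set name before this point. get_address starts and ends outside this hunk.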