improve search for local-network
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Wed, 23 Nov 2016 09:23:36 +0000 (10:23 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Tue, 29 Nov 2016 05:33:48 +0000 (06:33 +0100)
Skip zero-prefix routes, as there is no point in considering
them (and ipset doesn't allow ::/0 to be added anyway).

Support /128 local addresses by also checking for identical
addresses beside b-in-a overlapping.

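--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -911,13 +911,17 @@ sub local_network {
             my $mask;
             if ($isv6) {
                 $mask = $entry->{prefix};
+               next if !$mask; # skip the default route...
             } else {
                 $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
                 next if !defined($mask);
             }
             my $cidr = "$entry->{dest}/$mask";
             my $testnet = Net::IP->new($cidr);
-           if ($testnet->overlaps($testip) == $Net::IP::IP_B_IN_A_OVERLAP) {
+           my $overlap = $testnet->overlaps($testip);
+           if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
+               $overlap == $Net::IP::IP_IDENTICAL)
+           {
                 $__local_network = $cidr;
                 return;
             }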
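Review bot: The new `my $overlap = $testnet->overlaps($testip);` line calls a method on `$testnet` without checking that `Net::IP->new($cidr)` returned an object, so a route entry whose `dest`/`mask` combination Net::IP rejects would make the whole local-network scan die instead of that entry being skipped; `next if !$testnet;` before the `overlaps` call keeps the scan best-effort. The IPv6 guard `next if !$mask;` also skips entries with an undefined or empty prefix, not only `::/0`, which is reasonable but not what the trailing comment says — consider `# skip ::/0 (default route, which ipset rejects) and entries without a prefix`. If `overlaps` can return undef on error (I believe it does for mismatched IP versions), the two numeric `==` comparisons only emit an uninitialized warning and fall through to no match, which is presumably acceptable here. The enclosing `sub local_network` starts and ends outside the hunk.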