ipv6: fix ipv6 address normalization
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Tue, 1 Mar 2016 11:20:16 +0000 (12:20 +0100)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Mon, 7 Mar 2016 13:05:23 +0000 (14:05 +0100)
inet_ntop only takes an address, not a CIDR notation. Since
the normalized address should just be a compressed
lower-case address, Net::IP::ip_compress_address should be
sufficient.

inet_ntop didn't succeed before, the result of which was
that ipsets weren't generated at all for ipv6 address ranges.

src/PVE/Firewall.pm

index 0d9a7793f92faabe7531d109e9f6939d3b8ef40e..956ccc4d22a251caaae1f5027f47c25b75defcf5 100644 (file)
@@ -2985,8 +2985,10 @@ sub generate_ipset_chains {
                }
                #http://backreference.org/2013/03/01/ipv6-address-normalization/
                if ($ver == 6) {
-                   my $ipv6 = inet_pton(AF_INET6, lc($cidr));
-                   $cidr = inet_ntop(AF_INET6, $ipv6);
+                   # ip_compress_address takes an address only, no CIDR
+                   my ($addr, $prefix_len) = ($cidr =~ m@^([^/]*)(/.*)?$@);
+                   $cidr = lc(Net::IP::ip_compress_address($addr, 6));
+                   $cidr .= $prefix_len if defined($prefix_len);
                    $cidr =~ s|/128$||;
                } else {
                    $cidr =~ s|/32$||;
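Review bot: Nothing in the added lines checks that `$addr` is a well-formed IPv6 address, or that `Net::IP::ip_compress_address` returned a defined value, before the result is written back into `$cidr`. As far as I can tell that function is a string-level rewrite rather than a validating parser, so a malformed entry would likely continue as an empty or prefix-only string, with at most an uninitialized-value warning, instead of being rejected. The `(/.*)?` capture is also appended verbatim, so anything after the slash is carried through unchecked. If the entry is not validated earlier in `generate_ipset_chains` (its body starts and ends outside this hunk), a guard before the compress call such as `die "invalid IPv6 address '$cidr'\n" if !defined($addr) || !Net::IP::ip_is_ipv6($addr);` would make the failure explicit; skipping the entry with a warning is the alternative if that matches the function's existing error handling. The commit message describes the earlier failure as ipsets silently not being generated, and for a firewall a set that quietly lacks or mangles a member is the case worth failing on loudly.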