ipv6: fix ip_compress_address_call

This only takes an address and not a CIDR notation. It does
preserve the suffix but ended up compressing
fc00:0000::0000/64 to fc00::0000/64 instead of fc00::/64 and
thus caused the firewall to always show there are pending
changes when ipv6 addresses were available.

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7305d736509ea0913534e287f24c37a95972431f..1479d3b55873a6dccd646b54cb1b005d25119686 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2997,7 +2997,10 @@ sub generate_ipset_chains {
                }
                #http://backreference.org/2013/03/01/ipv6-address-normalization/
                if ($ver == 6) {
-                   $cidr = lc(Net::IP::ip_compress_address($cidr, 6));
+                   # ip_compress_address takes an address only, no CIDR
+                   my ($addr, $prefix_len) = ($cidr =~ m@^([^/]*)(/.*)?$@);
+                   $cidr = lc(Net::IP::ip_compress_address($addr, 6));
+                   $cidr .= $prefix_len if defined($prefix_len);
                    $cidr =~ s|/128$||;
                } else {
                    $cidr =~ s|/32$||;