From 15c800003e921cfd627ef0b6213b9ff09fe3d8c8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 23 Nov 2016 10:23:36 +0100
Subject: [PATCH] improve search for local-network
Skip zero-prefix routes as they make no sense to be considered (and ipset doesn't allow ::/0 to be added anyway). Support /128 local addresses by also checking for identical addresses beside b-in-a overlapping.
---
 src/PVE/Firewall.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cf96564..ef74ca2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -911,13 +911,17 @@ sub local_network {
 my $mask;
 if ($isv6) {
 $mask = $entry->{prefix};
+ next if !$mask; # skip the default route...
 } else {
 $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
 next if !defined($mask);
 }
 my $cidr = "$entry->{dest}/$mask";
 my $testnet = Net::IP->new($cidr);
- if ($testnet->overlaps($testip) == $Net::IP::IP_B_IN_A_OVERLAP) {
+ my $overlap = $testnet->overlaps($testip);
+ if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
+ $overlap == $Net::IP::IP_IDENTICAL)
+ {
 $__local_network = $cidr;
 return;
 }
--
2.39.2
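Review bot: The result of `Net::IP->new($cidr)` is used unchecked by the new `my $overlap = $testnet->overlaps($testip);` line, and `Net::IP->new` returns undef when it cannot parse its argument, so a single malformed route entry would die here instead of being skipped. Adding `next if !$testnet;` right after the constructor call matches the `next if !$mask;` style this commit already uses. The IPv4 branch would also benefit from a short comment such as `# the IPv4 default route is presumably absent from ipv4_mask_hash_localnet, so it is skipped by the defined() check`, since that hash is not visible here and the commit message says zero-prefix routes are skipped. Both matter because this lookup decides which network the firewall treats as local. The body of local_network starts and ends outside the hunk, so what happens when no route matches cannot be judged from here.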