Firewall / Aliases: add support for network exclusions in network alias type. for https://github.com/opnsense/core/issues/4318

2026-03-14 16:44:39 +00:00 · 2020-09-05 15:40:02 +02:00 · 2020-09-05 15:40:02 +02:00 · fe25f69a07
commit fe25f69a07
parent 4c9e7ea5cb
2 changed files with 9 additions and 3 deletions
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php
@ -196,7 +196,12 @@ class AliasContentField extends BaseField
                    $domain_alias_count++;
                }
            }
-            if (
+            if (strpos($network, "!") === 0 &&
+                  (Util::isIpAddress(substr($network, 1)) || Util::isSubnet(substr($network, 1)))
+            ) {
+                // exclude address or network (https://www.freebsd.org/doc/handbook/firewalls-pf.html 30.3.2.4)
+                continue;
+            } elseif (
                !Util::isAlias($network) && !Util::isIpAddress($network) && !Util::isSubnet($network) &&
                    !($ipaddr_count == 2 && $domain_alias_count == 0)
            ) {
--- a/src/opnsense/scripts/filter/lib/alias.py
+++ b/src/opnsense/scripts/filter/lib/alias.py
@ -94,7 +94,7 @@ class Alias(object):
        if address.find('/') > -1:
            # provided address could be a network
            try:
-                ipaddress.ip_network(str(address), strict=False)
+                ipaddress.ip_network(str(address.lstrip('!')), strict=False)
                yield address
                return
            except (ipaddress.AddressValueError, ValueError):
@ -103,13 +103,14 @@ class Alias(object):
            # check if address is an ipv4/6 address or range
            try:
                tmp = str(address).split('-')
-                addr1 = ipaddress.ip_address(tmp[0])
                if len(tmp) > 1:
+                    addr1 = ipaddress.ip_address(tmp[0])
                    # address range (from-to)
                    addr2 = ipaddress.ip_address(tmp[1])
                    for addr in ipaddress.summarize_address_range(addr1, addr2):
                        yield str(addr)
                else:
+                    ipaddress.ip_address(tmp[0].lstrip('!'))
                    yield address
                return
            except (ipaddress.AddressValueError, ValueError):