From fe25f69a07ec8175048640f880c7f5dfa5e2e45a Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sat, 5 Sep 2020 15:40:02 +0200
Subject: [PATCH] Firewall / Aliases: add support for network exclusions in network alias type. for https://github.com/opnsense/core/issues/4318
---
 .../OPNsense/Firewall/FieldTypes/AliasContentField.php | 7 ++++++-
 src/opnsense/scripts/filter/lib/alias.py | 5 +++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php
index aaa6c1e7c..30bf9e22f 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php
@@ -196,7 +196,12 @@ class AliasContentField extends BaseField
 $domain_alias_count++;
 }
 }
- if (
+ if (strpos($network, "!") === 0 &&
+ (Util::isIpAddress(substr($network, 1)) || Util::isSubnet(substr($network, 1)))
+ ) {
+ // exclude address or network (https://www.freebsd.org/doc/handbook/firewalls-pf.html 30.3.2.4)
+ continue;
+ } elseif (
 !Util::isAlias($network) && !Util::isIpAddress($network) && !Util::isSubnet($network) &&
 !($ipaddr_count == 2 && $domain_alias_count == 0)
 ) {
diff --git a/src/opnsense/scripts/filter/lib/alias.py b/src/opnsense/scripts/filter/lib/alias.py
index c81c40f14..1ec10e20c 100755
--- a/src/opnsense/scripts/filter/lib/alias.py
+++ b/src/opnsense/scripts/filter/lib/alias.py
@@ -94,7 +94,7 @@ class Alias(object):
 if address.find('/') > -1:
 # provided address could be a network
 try:
- ipaddress.ip_network(str(address), strict=False)
+ ipaddress.ip_network(str(address.lstrip('!')), strict=False)
 yield address
 return
 except (ipaddress.AddressValueError, ValueError):
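Review bot: The new exclusion branch accepts exactly one leading `!` (`strpos($network, "!") === 0` plus `substr($network, 1)`), while the Python loader patched in the same commit strips any run of `!` with `lstrip('!')`, so the two sides disagree on an input such as `!!10.0.0.0/8`; this validator is the stricter one, which is the right place to be, but the comment should say so, e.g. `// only a single leading "!" is accepted here; keep in step with alias.py, which strips the prefix before parsing`. Because the branch ends in `continue`, an excluded entry also skips everything after this `if`/`elseif` in the loop body, including whatever bookkeeping feeds the `$ipaddr_count == 2` range heuristic, which is presumably intended but deserves one sentence in the comment. The commit title scopes this to the network alias type; if the enclosing method is shared with other alias types, the `!` prefix would be accepted where pf table negation has no meaning, so that is worth confirming. The enclosing method starts and ends outside the hunk.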
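Review bot: `address.lstrip('!')` on the changed line removes any number of leading `!`, so an entry such as `!!10.0.0.0/8` passes `ip_network` and is then yielded verbatim, with both bangs, on the following `yield address`; only the PHP validator in this commit rejects that, and config that bypasses the model (a hand-edited config.xml, pre-existing entries) reaches this code unvalidated. Stripping exactly one prefix keeps the loader in step with the validator, e.g. `candidate = str(address)[1:] if str(address).startswith('!') else str(address)` followed by `ipaddress.ip_network(candidate, strict=False)`. Note also that `str()` now wraps the result of `.lstrip` rather than `address` itself, so `address` is assumed to already be a `str`; `address.find('/')` on the first context line already makes that assumption, so this is consistent, but the surviving `str()` wrapper is now dead weight. The enclosing method starts before and continues after this hunk.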
@@ -103,13 +103,14 @@ class Alias(object):
 # check if address is an ipv4/6 address or range
 try:
 tmp = str(address).split('-')
- addr1 = ipaddress.ip_address(tmp[0])
 if len(tmp) > 1:
+ addr1 = ipaddress.ip_address(tmp[0])
 # address range (from-to)
 addr2 = ipaddress.ip_address(tmp[1])
 for addr in ipaddress.summarize_address_range(addr1, addr2):
 yield str(addr)
 else:
+ ipaddress.ip_address(tmp[0].lstrip('!'))
 yield address
 return
 except (ipaddress.AddressValueError, ValueError):
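Review bot: The `!` prefix is stripped only in the `else` branch (`ipaddress.ip_address(tmp[0].lstrip('!'))`); in the range branch `addr1 = ipaddress.ip_address(tmp[0])` still sees it, so a negated range such as `!10.0.0.1-10.0.0.9` raises `ValueError` and drops into the `except` handler, whose body lies outside this hunk. That matches the PHP validator, which accepts a negated single address or subnet only, but nothing here says the fall-through is deliberate; a comment on the new line such as `# a leading "!" (pf table exclusion) is supported for single addresses and networks only, never for ranges` would make it intentional rather than accidental. As in the network branch, `lstrip('!')` accepts any run of `!` while the validator accepts one; `tmp[0][1:] if tmp[0].startswith('!') else tmp[0]` keeps the two in step. The enclosing method starts before this hunk.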