fix issue with cidrs-with-ports in nftables

gcoxmoz · gcoxmoz · commit fdbf967e3233 · 2026-04-20T00:42:58.000Z
diff --git a/iamvpnlibrary b/iamvpnlibrary
@@ -1 +1 @@
-Subproject commit fbdb73e4070aa146a959f7e4f30a1fc59b70c1df
+Subproject commit d6ac962a81d6925a493decfd7b42f412a7f2f033
diff --git a/netfilter_openvpn.py b/netfilter_openvpn.py
@@ -460,7 +460,7 @@ def _build_firewall_rule_nftables(self, name, usersrcip, protocol, acl):
                 right_side = str(acl.address.ip)
             else:
                 # This is a rare case and we haven't tested it fully, come back later.
-                right_side = {"prefix": {"addr": str(acl.address.ip), "len": acl.prefixlen}}
+                right_side = {"prefix": {"addr": str(acl.address.ip), "len": acl.address.prefixlen}}
             rule_def = {
                 'rule': {
                     'family': 'inet',
diff --git a/test/test_netfilter_openvpn_nftables.py b/test/test_netfilter_openvpn_nftables.py
@@ -563,6 +563,31 @@ def test_30_build_fw_rule_4(self):
                     msg='_build_firewall_rule_nftables raises when a rule add fails'):
                 self.library._build_firewall_rule_nftables('10.20.30.1', '1.2.3.4', 'tcp', in_acl1)
 
+        in_acl3 = iamvpnlibrary.iamvpnbase.ParsedACL(
+            rule='rule3', address=IPNetwork('5.6.7.10/28'),
+            portstring='22', description='I HAZ COMMENT')
+        with mock.patch.object(self.library.nft, 'json_cmd') as mock_nft:
+            mock_nft.return_value = (0, '', '')
+            self.library._build_firewall_rule_nftables('10.20.30.2', '1.2.3.4', 'tcp', in_acl3)
+        mock_nft.assert_called_once_with({'nftables': [
+            {'add': {'rule': {'family': 'inet',
+                              'table': 'openvpn_netfilter',
+                              'chain': '10.20.30.2',
+                              'comment': 'bob:rule3 ACL I HAZ COMMENT',
+                              'expr': [{'match': {
+                                  'op': '==',
+                                  'left': {'payload': { 'protocol': 'ip', 'field': 'saddr'}},
+                                  'right': '1.2.3.4'}},
+                                       {'match': {
+                                  'op': '==',
+                                  'left': {'payload': { 'protocol': 'ip', 'field': 'daddr'}},
+                                  'right': {'prefix': {'addr': '5.6.7.10', 'len': 28}}}},
+                                       {'match': {
+                                  'op': '==',
+                                  'left': {'payload': { 'protocol': 'tcp', 'field': 'dport'}},
+                                  'right': {'set': [22]}}},
+                                       {'accept': None}]}}}]})
+
         in_acl2 = iamvpnlibrary.iamvpnbase.ParsedACL(
             rule='rule2', address=IPNetwork('5.6.7.9'),
             portstring='80', description='I HAZ COMMENT')
