From 186e578802eeba9b4d9b3892e77fbec38a0571a2 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Sun, 19 Jan 2025 19:30:22 +0200
Subject: [PATCH] Add validation for CIDR too
---
 firewalld/firewalld-lib.pl | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/firewalld/firewalld-lib.pl b/firewalld/firewalld-lib.pl
index beac72224..a887ca00b 100644
--- a/firewalld/firewalld-lib.pl
+++ b/firewalld/firewalld-lib.pl
@@ -420,11 +420,23 @@ my $family = delete($opts{'family'}) || 'ipv4';
 # Validate IP addresses, and update family if needed
 foreach my $ip_key ('source address', 'destination address') {
- if (my $ip = $opts{$ip_key}) {
- $ip =~ s/\/\d+$//; # Remove CIDR
- &check_ipaddress($ip) || &check_ip6address($ip) ||
- &error("$text{'list_rule_iperr'} ($ip_key: $ip)");
- $family = $ip =~ /:/ ? 'ipv6' : 'ipv4';
+ if (my $full_ip = $opts{$ip_key}) {
+ # Split IP and CIDR, if present
+ my ($ip_only, $cidr) = split(/\//, $full_ip);
+
+ # Validate the IP portion
+ &check_ipaddress($ip_only) || &check_ip6address($ip_only) ||
+ &error("$text{'list_rule_iperr'} : $ip_only");
+
+ # Decide family based on presence of ':' in IP portion
+ my $family = $ip_only =~ /:/ ? 'ipv6' : 'ipv4';
+
+ # If you still want to test or store the CIDR, do it here
+ if (defined($cidr)) {
+ # Make sure CIDR is numeric and within range
+ $cidr =~ /^\d+$/ && $cidr <= ($family eq 'ipv6' ? 128 : 32) ||
+ &error("$text{'list_rule_cidrerr'} : /$cidr");
+ }
 }
 }
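Review bot: `split(/\//, $full_ip)` keeps only the first two fields and drops trailing empty ones, so constructed values such as `10.0.0.0/8/x` or `10.0.0.1/` now pass both checks although the removed code rejected them, and the unvalidated `$opts{$ip_key}` is presumably what ends up in the rich rule (that use is outside the hunk). Splitting with `my ($ip_only, $cidr, @extra) = split(/\//, $full_ip, -1);` followed by `@extra && &error("$text{'list_rule_iperr'} : $full_ip");` closes that gap, and `\z` instead of `$` in the CIDR pattern stops a trailing newline from matching. Separately, `my $family = ...` inside the `if` declares a new lexical that shadows the `$family` shown at the top of the hunk, so an IPv6 address no longer updates the family used after the loop; it should stay a plain assignment, `$family = $ip_only =~ /:/ ? 'ipv6' : 'ipv4';`. `list_rule_cidrerr` is not added by this one-file commit, so confirm the string already exists in the language files.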