firewall4: enable mac ranges for rule

nft supports handling mac ranges and therefore this commit changes fw4
to support that feature. The src_mac is now allowed to be a range of two
addresses. If no range is given, the old logic is applied.

So this is now possible:
```
option src_mac '00:11:AA:00:00:00-00:11:AA:FF:FF:FF'
```

This is done by changing the regex to parse for an additional MAC address
if '-' is matched after the first MAC address.

Also negation with '!' at the beginning to block every MAC not in the
range is possible.

Signed-off-by: Christian Korber <ck@dev.tdt.de>

Author: Christian Korber

root/usr/share/ucode/fw4.uc

@@ -1189,14 +1189,22 @@ return {
 
 	parse_mac: function(val) {
 		let mac = this.parse_invert(val);
-		let m = mac ? match(mac.val, /^([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})$/i) : null;
+		let m = mac ? match(mac.val, /^([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})(\-?([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2}))?$/i) : null;
 
 		if (!m)
 			return null;
 
-		mac.mac = sprintf('%02x:%02x:%02x:%02x:%02x:%02x',
+		if ('-' === m[7]) {
+			mac.mac = sprintf('%02x:%02x:%02x:%02x:%02x:%02x-%02x:%02x:%02x:%02x:%02x:%02x',
+		                  hex(m[1]), hex(m[2]), hex(m[3]),
+		                  hex(m[4]), hex(m[5]), hex(m[6]),
+		                  hex(m[8]), hex(m[9]), hex(m[10]),
+		                  hex(m[11]), hex(m[12]), hex(m[13]));
+		} else {
+			mac.mac = sprintf('%02x:%02x:%02x:%02x:%02x:%02x',
 		                  hex(m[1]), hex(m[2]), hex(m[3]),
 		                  hex(m[4]), hex(m[5]), hex(m[6]));
+		}
 
 		return mac;
 	},