From cc792d438d56259852b0b06bfc5bd5d7d53b3511 Mon Sep 17 00:00:00 2001
From: Christian Korber
Date: Thu, 2 Oct 2025 12:16:15 +0200
Subject: [PATCH] firewall4: enable mac ranges for rule nft supports handling mac ranges and therefore this commit changes fw4 to support that feature. The src_mac is now allowed to be a range of two addresses. If no range is given, the old logic is applied. So this is now possible: ``` option src_mac '00:11:AA:00:00:00-00:11:AA:FF:FF:FF' ``` In addition to the original: ``` option src_mac '00:11:AA:00:00:00' ``` This is done by changing the regex to parse for an additional MAC address if '-' is matched after the first MAC address. Negative matching using exclamation mark is supported.
Signed-off-by: Christian Korber
---
root/usr/share/ucode/fw4.uc | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 690deb0..8b82a7a 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1188,15 +1188,27 @@ return { }, parse_mac: function(val) { + let macregex = /^([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})$/i; + let rangeregex = /^([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})(\-?)([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})?$/i; + let mac = this.parse_invert(val); - let m = mac ? match(mac.val, /^([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})[:-]([0-9a-f]{1,2})$/i) : null; + let m = mac ? match(mac.val, macregex) : null; + let mrange = mac ? match(mac.val,rangeregex) : null; - if (!m) + if (!m && !mrange) return null; - mac.mac = sprintf('%02x:%02x:%02x:%02x:%02x:%02x', + if ( mrange && '-' === mrange[7]) { + mac.mac = sprintf('%02x:%02x:%02x:%02x:%02x:%02x-%02x:%02x:%02x:%02x:%02x:%02x', + hex(mrange[1]), hex(mrange[2]), hex(mrange[3]), + hex(mrange[4]), hex(mrange[5]), hex(mrange[6]), + hex(mrange[8]), hex(mrange[9]), hex(mrange[10]), + hex(mrange[11]), hex(mrange[12]), hex(mrange[13])); + } else { + mac.mac = sprintf('%02x:%02x:%02x:%02x:%02x:%02x', hex(m[1]), hex(m[2]), hex(m[3]), hex(m[4]), hex(m[5]), hex(m[6])); + } return mac; },
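Review bot: `rangeregex` accepts inputs that are not a well-formed range, because the separator group `(\-?)` and the last octet group `([0-9a-f]{1,2})?` are both optional. Twelve octets with no dash between the sixth and seventh match `rangeregex` but not `macregex`, so the `!m && !mrange` guard passes and the `else` branch then reads `m[1]` with `m` null; a range whose final octet is missing is also accepted, with `mrange[13]` unset when it is passed to `hex()`. Requiring both parts, i.e. `(-)` in place of `(\-?)` and no trailing `?` on the last group, makes a non-null `mrange` mean a complete range, and the branch can then test `if (mrange)`. A short comment above the two patterns noting that `-` serves as both octet separator and range separator would help, and it looks worth checking (not visible in this hunk) that code reading `mac.mac` copes with a range string and that a start address greater than the end is rejected somewhere.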