Fw4 errors with `option match 'dest_net'`

On 22.03.5, I'm attempting to use IP sets to allow traffic that the firewall would otherwise block, so `option ipset '!name'` where 'name' is the name of the IP set.

I have this working using explicit IP addresses, but I'd like to use CIDR notation, as in the example.

That would seemingly require changing from `option match 'dest_ip'` to `option match 'dest_net'`. However, when I do this I get errors:

```
/dev/stdin:9:6-15: Error: Could not process rule: Invalid argument
        set Backblaze4 {
            ^^^^^^^^^^
/dev/stdin:21:6-15: Error: Could not process rule: Invalid argument
        set Backblaze6 {
            ^^^^^^^^^^
The rendered ruleset contains errors, not doing firewall restart.
```

The full IP sets, both working (Example4 and Example6) and non-working (Backblaze4 and Backblaze6):

```
config ipset
        option name 'Backblaze4'
        option family 'ipv4'
        option match 'dest_net'
        list entry '206.190.208.0/21'
        list entry '104.153.232.0/21'
        list entry '149.137.128.0/20'
        list entry '45.11.36.0/22'
        option enabled '1'

config ipset
        option name 'Backblaze6'
        option family 'ipv6'
        option match 'dest_net'
        list entry '2605:72c0::/32'
        option enabled '1'

config ipset
        option name 'Example4'
        option family 'ipv4'
        option match 'dest_ip'
        list entry '93.184.216.34'
        option enabled '1'

config ipset
        option name 'Example6'
        option family 'ipv6'
        option match 'dest_ip'
        list entry '2606:2800:220:1:248:1893:25c8:1946'
        option enabled '1'
```

Is the documentation incorrect, or perhaps referring to release 23.05? Or do I misunderstand something?

Did you change the match option from `dest_ip` to `dest_net` on an already created set?

```
fw4 flush; fw4 restart
```

The `fw4 flush` before restarting the firewall made it all work. Thank you!
