Description
If I create a rule:
```
config rule
	option name 'Brians PC and server to OPC network for SSH'
	option proto 'tcp'
	option dest 'opc_network'
	option src 'lan'
	list src_ip 'fd31:aeb1:48df:0:3b14:e643:83d8:7017'
	list src_ip '2001:123:4567:0:90cc:a629:cf42:5877'
	list src_ip '10.75.22.247'
	list src_ip 'fd31:aeb1:48df::2'
	list src_ip '2001:0123:4567::2'
	option dest_port '22'
	option target 'ACCEPT'
	option ipset 'Brians-trusted-hosts'
```
I end up with an NFTables rule of:

```
ip saddr 10.75.22.247 tcp dport 22 ether saddr @Brians-trusted-hosts counter packets 0 bytes 0 jump accept_to_opc_network
```
It's unclear to me with any certainty whether that's an `or` or an `and` in NFTables, but my testing of that rule appears to make me believe it's an `and`, because the rule does not match when either 10.75.22.247 or a host in @Brians-trusted-hosts tries to ssh to the destination. Remove the ipset from the rule and it will match when 10.75.22.247 tries to ssh to the destination.

The results of this mixing of `src_ip` and the ipset are ambiguous at best and surprising at worst. I have not come across any OpenWRT and/or firewall4 documentation that indicates the result of such a combination.

My feeling is that, given that you can list multiple `src_ip`s as an or'd list, adding an ipset (i.e. a source MAC set) should also be an `or` and result in:
```
ether saddr @Brians-trusted-hosts tcp dport 22 counter packets 1 bytes 80 jump accept_to_opc_network # handle 40125
ip saddr 10.75.22.247 tcp dport 22 counter packets 1 bytes 60 jump accept_to_opc_network # handle 40124
```
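Added example, not firewall4's own code: a small Python model of the two renderings discussed above (the single combined rule that was generated, and the one-rule-per-alternative form proposed), with a packet matcher that applies nftables' semantics, where every match expression in a single rule must hold for that rule to fire, and a chain accepts when any of its rules fires. Only the IPv4 `src_ip` entry is modelled, the ipset is assumed to be a set of source MAC addresses (as the generated `ether saddr @...` suggests), and the set members and packet addresses are constructed placeholders.

```python
"""Constructed model (added example, not firewall4's code) of how a UCI rule
carrying both `list src_ip` and `option ipset` can be rendered into nftables,
and how packets match under each rendering.

nftables semantics modelled here:
  * within one rule, all match expressions are ANDed;
  * within a chain, rules are tried in order and the first hit wins, so
    "either/or" matching needs one rule per alternative.
"""
from dataclasses import dataclass

# Constructed UCI rule, trimmed to the IPv4 entry of the one in the report.
UCI_RULE = {
    "src_ip": ["10.75.22.247"],
    "proto": "tcp",
    "dest_port": 22,
    "ipset": "Brians-trusted-hosts",
}
# Constructed membership of the MAC set (placeholder addresses).
IPSETS = {"Brians-trusted-hosts": {"02:00:00:00:00:01", "02:00:00:00:00:02"}}


@dataclass(frozen=True)
class Packet:
    saddr: str          # IPv4 source address
    ether_saddr: str    # source MAC address
    proto: str = "tcp"
    dport: int = 22


@dataclass(frozen=True)
class Rule:
    """One nftables rule: its text and the match predicates it carries."""
    text: str
    matches: tuple

    def hit(self, pkt):
        # Every match in a single rule must be true (logical AND).
        return all(m(pkt) for m in self.matches)


def base_matches(uci):
    """Protocol and destination-port matches shared by every rendering."""
    proto, dport = uci["proto"], uci["dest_port"]
    return f"{proto} dport {dport}", (lambda p: p.proto == proto,
                                      lambda p: p.dport == dport)


def ip_match(addr):
    return f"ip saddr {addr}", (lambda p: p.saddr == addr)


def set_match(name):
    members = IPSETS[name]
    return f"ether saddr @{name}", (lambda p: p.ether_saddr in members)


def render_and(uci):
    """Rendering the reporter observed: src_ip and ipset in the same rule."""
    btxt, bpred = base_matches(uci)
    stxt, spred = set_match(uci["ipset"])
    rules = []
    for addr in uci["src_ip"]:
        itxt, ipred = ip_match(addr)
        rules.append(Rule(f"{itxt} {btxt} {stxt} jump accept",
                          (ipred,) + bpred + (spred,)))
    return rules


def render_or(uci):
    """Rendering the reporter proposes: one rule per alternative source."""
    btxt, bpred = base_matches(uci)
    stxt, spred = set_match(uci["ipset"])
    rules = [Rule(f"{stxt} {btxt} jump accept", bpred + (spred,))]
    for addr in uci["src_ip"]:
        itxt, ipred = ip_match(addr)
        rules.append(Rule(f"{itxt} {btxt} jump accept", (ipred,) + bpred))
    return rules


def accepted(rules, pkt):
    """A chain accepts the packet if any of its rules fires (first match wins)."""
    return any(r.hit(pkt) for r in rules)


if __name__ == "__main__":
    ip_only = Packet("10.75.22.247", "02:00:00:00:00:ff")   # listed IP, unknown MAC
    mac_only = Packet("10.75.22.9", "02:00:00:00:00:01")    # trusted MAC, other IP
    for label, rules in (("AND", render_and(UCI_RULE)), ("OR", render_or(UCI_RULE))):
        print(label, [r.text for r in rules])
        print("  listed IP, MAC not in set :", accepted(rules, ip_only))
        print("  MAC in set, IP not listed :", accepted(rules, mac_only))
```

Running it shows the behaviour described in the report: under the combined rule a host matches only when both its IP is listed and its MAC is in the set, while the split rendering accepts either. Worth noting from a review standpoint: this direction of surprise fails closed (traffic the administrator meant to allow is dropped), which is why it shows up as an SSH failure rather than as an unnoticed hole; the same ambiguity in a rule with `target 'REJECT'` or `'DROP'` would fail open, so the generated `nft list ruleset` output is worth checking whenever `src_ip` and `ipset` are combined.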