Make 0.0.0.0/0 and ::/0 not mean any address family, add any for that (#1538)

nbrownus · web-flow · commit 64f202fa171d · 2025-11-21T13:46:36.000-06:00
diff --git a/examples/config.yml b/examples/config.yml
@@ -383,8 +383,9 @@ firewall:
   #   host: `any` or a literal hostname, ie `test-host`
   #   group: `any` or a literal group name, ie `default-group`
   #   groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
-  #   cidr: a remote CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6.
-  #   local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This can be used to filter destinations when using unsafe_routes.
+  #   cidr: a remote CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. `any` means any ip family and address.
+  #   local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. `any` means any ip family and address.
+  #     This can be used to filter destinations when using unsafe_routes.
   #     By default, this is set to only the VPN (overlay) networks assigned via the certificate networks field unless `default_local_cidr_any` is set to true.
   #     If there are unsafe_routes present in this config file, `local_cidr` should be set appropriately for the intended us case.
   #   ca_name: An issuing CA name
diff --git a/firewall.go b/firewall.go
@@ -23,7 +23,7 @@ import (
 )
 
 type FirewallInterface interface {
-	AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, addr, localAddr netip.Prefix, caName string, caSha string) error
+	AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
 }
 
 type conn struct {
@@ -248,30 +248,19 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
 }
 
 // AddRule properly creates the in memory rule structure for a firewall table.
-func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp netip.Prefix, caName string, caSha string) error {
-	// Under gomobile, stringing a nil pointer with fmt causes an abort in debug mode for iOS
-	// https://github.com/golang/go/issues/14131
-	sIp := ""
-	if ip.IsValid() {
-		sIp = ip.String()
-	}
-	lIp := ""
-	if localIp.IsValid() {
-		lIp = localIp.String()
-	}
-
+func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
 	// We need this rule string because we generate a hash. Removing this will break firewall reload.
 	ruleString := fmt.Sprintf(
 		"incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
-		incoming, proto, startPort, endPort, groups, host, sIp, lIp, caName, caSha,
+		incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
 	)
 	f.rules += ruleString + "\n"
 
 	direction := "incoming"
 	if !incoming {
 		direction = "outgoing"
 	}
-	f.l.WithField("firewallRule", m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "ip": sIp, "localIp": lIp, "caName": caName, "caSha": caSha}).
+	f.l.WithField("firewallRule", m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha}).
 		Info("Firewall rule added")
 
 	var (
@@ -298,7 +287,7 @@ func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort
 		return fmt.Errorf("unknown protocol %v", proto)
 	}
 
-	return fp.addRule(f, startPort, endPort, groups, host, ip, localIp, caName, caSha)
+	return fp.addRule(f, startPort, endPort, groups, host, cidr, localCidr, caName, caSha)
 }
 
 // GetRuleHash returns a hash representation of all inbound and outbound rules
@@ -379,17 +368,15 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, inbound bool, c *config.C, fw
 			return fmt.Errorf("%s rule #%v; proto was not understood; `%s`", table, i, r.Proto)
 		}
 
-		var cidr netip.Prefix
-		if r.Cidr != "" {
-			cidr, err = netip.ParsePrefix(r.Cidr)
+		if r.Cidr != "" && r.Cidr != "any" {
+			_, err = netip.ParsePrefix(r.Cidr)
 			if err != nil {
 				return fmt.Errorf("%s rule #%v; cidr did not parse; %s", table, i, err)
 			}
 		}
 
-		var localCidr netip.Prefix
-		if r.LocalCidr != "" {
-			localCidr, err = netip.ParsePrefix(r.LocalCidr)
+		if r.LocalCidr != "" && r.LocalCidr != "any" {
+			_, err = netip.ParsePrefix(r.LocalCidr)
 			if err != nil {
 				return fmt.Errorf("%s rule #%v; local_cidr did not parse; %s", table, i, err)
 			}
@@ -399,7 +386,7 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, inbound bool, c *config.C, fw
 			l.Warnf("%s rule #%v; %s", table, i, warning)
 		}
 
-		err = fw.AddRule(inbound, proto, startPort, endPort, r.Groups, r.Host, cidr, localCidr, r.CAName, r.CASha)
+		err = fw.AddRule(inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
 		if err != nil {
 			return fmt.Errorf("%s rule #%v; `%s`", table, i, err)
 		}
@@ -646,7 +633,7 @@ func (ft *FirewallTable) match(p firewall.Packet, incoming bool, c *cert.CachedC
 	return false
 }
 
-func (fp firewallPort) addRule(f *Firewall, startPort int32, endPort int32, groups []string, host string, ip, localIp netip.Prefix, caName string, caSha string) error {
+func (fp firewallPort) addRule(f *Firewall, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
 	if startPort > endPort {
 		return fmt.Errorf("start port was lower than end port")
 	}
@@ -659,7 +646,7 @@ func (fp firewallPort) addRule(f *Firewall, startPort int32, endPort int32, grou
 			}
 		}
 
-		if err := fp[i].addRule(f, groups, host, ip, localIp, caName, caSha); err != nil {
+		if err := fp[i].addRule(f, groups, host, cidr, localCidr, caName, caSha); err != nil {
 			return err
 		}
 	}
@@ -690,7 +677,7 @@ func (fp firewallPort) match(p firewall.Packet, incoming bool, c *cert.CachedCer
 	return fp[firewall.PortAny].match(p, c, caPool)
 }
 
-func (fc *FirewallCA) addRule(f *Firewall, groups []string, host string, ip, localIp netip.Prefix, caName, caSha string) error {
+func (fc *FirewallCA) addRule(f *Firewall, groups []string, host string, cidr, localCidr, caName, caSha string) error {
 	fr := func() *FirewallRule {
 		return &FirewallRule{
 			Hosts:  make(map[string]*firewallLocalCIDR),
@@ -704,14 +691,14 @@ func (fc *FirewallCA) addRule(f *Firewall, groups []string, host string, ip, loc
 			fc.Any = fr()
 		}
 
-		return fc.Any.addRule(f, groups, host, ip, localIp)
+		return fc.Any.addRule(f, groups, host, cidr, localCidr)
 	}
 
 	if caSha != "" {
 		if _, ok := fc.CAShas[caSha]; !ok {
 			fc.CAShas[caSha] = fr()
 		}
-		err := fc.CAShas[caSha].addRule(f, groups, host, ip, localIp)
+		err := fc.CAShas[caSha].addRule(f, groups, host, cidr, localCidr)
 		if err != nil {
 			return err
 		}
@@ -721,7 +708,7 @@ func (fc *FirewallCA) addRule(f *Firewall, groups []string, host string, ip, loc
 		if _, ok := fc.CANames[caName]; !ok {
 			fc.CANames[caName] = fr()
 		}
-		err := fc.CANames[caName].addRule(f, groups, host, ip, localIp)
+		err := fc.CANames[caName].addRule(f, groups, host, cidr, localCidr)
 		if err != nil {
 			return err
 		}
@@ -753,24 +740,24 @@ func (fc *FirewallCA) match(p firewall.Packet, c *cert.CachedCertificate, caPool
 	return fc.CANames[s.Certificate.Name()].match(p, c)
 }
 
-func (fr *FirewallRule) addRule(f *Firewall, groups []string, host string, ip, localCIDR netip.Prefix) error {
+func (fr *FirewallRule) addRule(f *Firewall, groups []string, host, cidr, localCidr string) error {
 	flc := func() *firewallLocalCIDR {
 		return &firewallLocalCIDR{
 			LocalCIDR: new(bart.Lite),
 		}
 	}
 
-	if fr.isAny(groups, host, ip) {
+	if fr.isAny(groups, host, cidr) {
 		if fr.Any == nil {
 			fr.Any = flc()
 		}
 
-		return fr.Any.addRule(f, localCIDR)
+		return fr.Any.addRule(f, localCidr)
 	}
 
 	if len(groups) > 0 {
 		nlc := flc()
-		err := nlc.addRule(f, localCIDR)
+		err := nlc.addRule(f, localCidr)
 		if err != nil {
 			return err
 		}
@@ -786,30 +773,34 @@ func (fr *FirewallRule) addRule(f *Firewall, groups []string, host string, ip, l
 		if nlc == nil {
 			nlc = flc()
 		}
-		err := nlc.addRule(f, localCIDR)
+		err := nlc.addRule(f, localCidr)
 		if err != nil {
 			return err
 		}
 		fr.Hosts[host] = nlc
 	}
 
-	if ip.IsValid() {
-		nlc, _ := fr.CIDR.Get(ip)
+	if cidr != "" {
+		c, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			return err
+		}
+		nlc, _ := fr.CIDR.Get(c)
 		if nlc == nil {
 			nlc = flc()
 		}
-		err := nlc.addRule(f, localCIDR)
+		err = nlc.addRule(f, localCidr)
 		if err != nil {
 			return err
 		}
-		fr.CIDR.Insert(ip, nlc)
+		fr.CIDR.Insert(c, nlc)
 	}
 
 	return nil
 }
 
-func (fr *FirewallRule) isAny(groups []string, host string, ip netip.Prefix) bool {
-	if len(groups) == 0 && host == "" && !ip.IsValid() {
+func (fr *FirewallRule) isAny(groups []string, host string, cidr string) bool {
+	if len(groups) == 0 && host == "" && cidr == "" {
 		return true
 	}
 
@@ -823,7 +814,7 @@ func (fr *FirewallRule) isAny(groups []string, host string, ip netip.Prefix) boo
 		return true
 	}
 
-	if ip.IsValid() && ip.Bits() == 0 {
+	if cidr == "any" {
 		return true
 	}
 
@@ -875,8 +866,13 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.CachedCertificate) bool
 	return false
 }
 
-func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp netip.Prefix) error {
-	if !localIp.IsValid() {
+func (flc *firewallLocalCIDR) addRule(f *Firewall, localCidr string) error {
+	if localCidr == "any" {
+		flc.Any = true
+		return nil
+	}
+
+	if localCidr == "" {
 		if !f.hasUnsafeNetworks || f.defaultLocalCIDRAny {
 			flc.Any = true
 			return nil
@@ -887,12 +883,13 @@ func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp netip.Prefix) error {
 		}
 		return nil
 
-	} else if localIp.Bits() == 0 {
-		flc.Any = true
-		return nil
 	}
 
-	flc.LocalCIDR.Insert(localIp)
+	c, err := netip.ParsePrefix(localCidr)
+	if err != nil {
+		return err
+	}
+	flc.LocalCIDR.Insert(c)
 	return nil
 }
 
diff --git a/firewall_test.go b/firewall_test.go

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ import (`
`23`	`23`	`)`
`24`	`24`
`25`	`25`	`type FirewallInterface interface {`
`26`		`- AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, addr, localAddr netip.Prefix, caName string, caSha string) error`
	`26`	`+ AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`type conn struct {`
`@@ -248,30 +248,19 @@ func NewFirewallFromConfig(l logrus.Logger, cs CertState, c config.C) (Firew`
`248`	`248`	`}`
`249`	`249`
`250`	`250`	`// AddRule properly creates the in memory rule structure for a firewall table.`
`251`		`-func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp netip.Prefix, caName string, caSha string) error {`
`252`		`- // Under gomobile, stringing a nil pointer with fmt causes an abort in debug mode for iOS`
`253`		`- // https://github.com/golang/go/issues/14131`
`254`		`- sIp := ""`
`255`		`- if ip.IsValid() {`
`256`		`- sIp = ip.String()`
`257`		`- }`
`258`		`- lIp := ""`
`259`		`- if localIp.IsValid() {`
`260`		`- lIp = localIp.String()`
`261`		`- }`
`262`		`-`
	`251`	`+func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {`
`263`	`252`	`// We need this rule string because we generate a hash. Removing this will break firewall reload.`
`264`	`253`	`ruleString := fmt.Sprintf(`
`265`	`254`	`"incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",`
`266`		`- incoming, proto, startPort, endPort, groups, host, sIp, lIp, caName, caSha,`
	`255`	`+ incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,`
`267`	`256`	`)`
`268`	`257`	`f.rules += ruleString + "\n"`
`269`	`258`
`270`	`259`	`direction := "incoming"`
`271`	`260`	`if !incoming {`
`272`	`261`	`direction = "outgoing"`
`273`	`262`	`}`
`274`		`- f.l.WithField("firewallRule", m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "ip": sIp, "localIp": lIp, "caName": caName, "caSha": caSha}).`
	`263`	`+ f.l.WithField("firewallRule", m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha}).`
`275`	`264`	`Info("Firewall rule added")`
`276`	`265`
`277`	`266`	`var (`
`@@ -298,7 +287,7 @@ func (f *Firewall) AddRule(incoming bool, proto uint8, startPort int32, endPort`
`298`	`287`	`return fmt.Errorf("unknown protocol %v", proto)`
`299`	`288`	`}`
`300`	`289`
`301`		`- return fp.addRule(f, startPort, endPort, groups, host, ip, localIp, caName, caSha)`
	`290`	`+ return fp.addRule(f, startPort, endPort, groups, host, cidr, localCidr, caName, caSha)`
`302`	`291`	`}`
`303`	`292`
`304`	`293`	`// GetRuleHash returns a hash representation of all inbound and outbound rules`
`@@ -379,17 +368,15 @@ func AddFirewallRulesFromConfig(l logrus.Logger, inbound bool, c config.C, fw`
`379`	`368`	return fmt.Errorf("%s rule #%v; proto was not understood; `%s`", table, i, r.Proto)
`380`	`369`	`}`
`381`	`370`
`382`		`- var cidr netip.Prefix`
`383`		`- if r.Cidr != "" {`
`384`		`- cidr, err = netip.ParsePrefix(r.Cidr)`
	`371`	`+ if r.Cidr != "" && r.Cidr != "any" {`
	`372`	`+ _, err = netip.ParsePrefix(r.Cidr)`
`385`	`373`	`if err != nil {`
`386`	`374`	`return fmt.Errorf("%s rule #%v; cidr did not parse; %s", table, i, err)`
`387`	`375`	`}`
`388`	`376`	`}`
`389`	`377`
`390`		`- var localCidr netip.Prefix`
`391`		`- if r.LocalCidr != "" {`
`392`		`- localCidr, err = netip.ParsePrefix(r.LocalCidr)`
	`378`	`+ if r.LocalCidr != "" && r.LocalCidr != "any" {`
	`379`	`+ _, err = netip.ParsePrefix(r.LocalCidr)`
`393`	`380`	`if err != nil {`
`394`	`381`	`return fmt.Errorf("%s rule #%v; local_cidr did not parse; %s", table, i, err)`
`395`	`382`	`}`
`@@ -399,7 +386,7 @@ func AddFirewallRulesFromConfig(l logrus.Logger, inbound bool, c config.C, fw`
`399`	`386`	`l.Warnf("%s rule #%v; %s", table, i, warning)`
`400`	`387`	`}`
`401`	`388`
`402`		`- err = fw.AddRule(inbound, proto, startPort, endPort, r.Groups, r.Host, cidr, localCidr, r.CAName, r.CASha)`
	`389`	`+ err = fw.AddRule(inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)`
`403`	`390`	`if err != nil {`
`404`	`391`	return fmt.Errorf("%s rule #%v; `%s`", table, i, err)
`405`	`392`	`}`
`@@ -646,7 +633,7 @@ func (ft FirewallTable) match(p firewall.Packet, incoming bool, c cert.CachedC`
`646`	`633`	`return false`
`647`	`634`	`}`
`648`	`635`
`649`		`-func (fp firewallPort) addRule(f *Firewall, startPort int32, endPort int32, groups []string, host string, ip, localIp netip.Prefix, caName string, caSha string) error {`
	`636`	`+func (fp firewallPort) addRule(f *Firewall, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {`
`650`	`637`	`if startPort > endPort {`
`651`	`638`	`return fmt.Errorf("start port was lower than end port")`
`652`	`639`	`}`
`@@ -659,7 +646,7 @@ func (fp firewallPort) addRule(f *Firewall, startPort int32, endPort int32, grou`
`659`	`646`	`}`
`660`	`647`	`}`
`661`	`648`
`662`		`- if err := fp[i].addRule(f, groups, host, ip, localIp, caName, caSha); err != nil {`
	`649`	`+ if err := fp[i].addRule(f, groups, host, cidr, localCidr, caName, caSha); err != nil {`
`663`	`650`	`return err`
`664`	`651`	`}`
`665`	`652`	`}`
`@@ -690,7 +677,7 @@ func (fp firewallPort) match(p firewall.Packet, incoming bool, c *cert.CachedCer`
`690`	`677`	`return fp[firewall.PortAny].match(p, c, caPool)`
`691`	`678`	`}`
`692`	`679`
`693`		`-func (fc FirewallCA) addRule(f Firewall, groups []string, host string, ip, localIp netip.Prefix, caName, caSha string) error {`
	`680`	`+func (fc FirewallCA) addRule(f Firewall, groups []string, host string, cidr, localCidr, caName, caSha string) error {`
`694`	`681`	`fr := func() *FirewallRule {`
`695`	`682`	`return &FirewallRule{`
`696`	`683`	`Hosts: make(map[string]*firewallLocalCIDR),`
`@@ -704,14 +691,14 @@ func (fc FirewallCA) addRule(f Firewall, groups []string, host string, ip, loc`
`704`	`691`	`fc.Any = fr()`
`705`	`692`	`}`
`706`	`693`
`707`		`- return fc.Any.addRule(f, groups, host, ip, localIp)`
	`694`	`+ return fc.Any.addRule(f, groups, host, cidr, localCidr)`
`708`	`695`	`}`
`709`	`696`
`710`	`697`	`if caSha != "" {`
`711`	`698`	`if _, ok := fc.CAShas[caSha]; !ok {`
`712`	`699`	`fc.CAShas[caSha] = fr()`
`713`	`700`	`}`
`714`		`- err := fc.CAShas[caSha].addRule(f, groups, host, ip, localIp)`
	`701`	`+ err := fc.CAShas[caSha].addRule(f, groups, host, cidr, localCidr)`
`715`	`702`	`if err != nil {`
`716`	`703`	`return err`
`717`	`704`	`}`
`@@ -721,7 +708,7 @@ func (fc FirewallCA) addRule(f Firewall, groups []string, host string, ip, loc`
`721`	`708`	`if _, ok := fc.CANames[caName]; !ok {`
`722`	`709`	`fc.CANames[caName] = fr()`
`723`	`710`	`}`
`724`		`- err := fc.CANames[caName].addRule(f, groups, host, ip, localIp)`
	`711`	`+ err := fc.CANames[caName].addRule(f, groups, host, cidr, localCidr)`
`725`	`712`	`if err != nil {`
`726`	`713`	`return err`
`727`	`714`	`}`
`@@ -753,24 +740,24 @@ func (fc FirewallCA) match(p firewall.Packet, c cert.CachedCertificate, caPool`
`753`	`740`	`return fc.CANames[s.Certificate.Name()].match(p, c)`
`754`	`741`	`}`
`755`	`742`
`756`		`-func (fr FirewallRule) addRule(f Firewall, groups []string, host string, ip, localCIDR netip.Prefix) error {`
	`743`	`+func (fr FirewallRule) addRule(f Firewall, groups []string, host, cidr, localCidr string) error {`
`757`	`744`	`flc := func() *firewallLocalCIDR {`
`758`	`745`	`return &firewallLocalCIDR{`
`759`	`746`	`LocalCIDR: new(bart.Lite),`
`760`	`747`	`}`
`761`	`748`	`}`
`762`	`749`
`763`		`- if fr.isAny(groups, host, ip) {`
	`750`	`+ if fr.isAny(groups, host, cidr) {`
`764`	`751`	`if fr.Any == nil {`
`765`	`752`	`fr.Any = flc()`
`766`	`753`	`}`
`767`	`754`
`768`		`- return fr.Any.addRule(f, localCIDR)`
	`755`	`+ return fr.Any.addRule(f, localCidr)`
`769`	`756`	`}`
`770`	`757`
`771`	`758`	`if len(groups) > 0 {`
`772`	`759`	`nlc := flc()`
`773`		`- err := nlc.addRule(f, localCIDR)`
	`760`	`+ err := nlc.addRule(f, localCidr)`
`774`	`761`	`if err != nil {`
`775`	`762`	`return err`
`776`	`763`	`}`
`@@ -786,30 +773,34 @@ func (fr FirewallRule) addRule(f Firewall, groups []string, host string, ip, l`
`786`	`773`	`if nlc == nil {`
`787`	`774`	`nlc = flc()`
`788`	`775`	`}`
`789`		`- err := nlc.addRule(f, localCIDR)`
	`776`	`+ err := nlc.addRule(f, localCidr)`
`790`	`777`	`if err != nil {`
`791`	`778`	`return err`
`792`	`779`	`}`
`793`	`780`	`fr.Hosts[host] = nlc`
`794`	`781`	`}`
`795`	`782`
`796`		`- if ip.IsValid() {`
`797`		`- nlc, _ := fr.CIDR.Get(ip)`
	`783`	`+ if cidr != "" {`
	`784`	`+ c, err := netip.ParsePrefix(cidr)`
	`785`	`+ if err != nil {`
	`786`	`+ return err`
	`787`	`+ }`
	`788`	`+ nlc, _ := fr.CIDR.Get(c)`
`798`	`789`	`if nlc == nil {`
`799`	`790`	`nlc = flc()`
`800`	`791`	`}`
`801`		`- err := nlc.addRule(f, localCIDR)`
	`792`	`+ err = nlc.addRule(f, localCidr)`
`802`	`793`	`if err != nil {`
`803`	`794`	`return err`
`804`	`795`	`}`
`805`		`- fr.CIDR.Insert(ip, nlc)`
	`796`	`+ fr.CIDR.Insert(c, nlc)`
`806`	`797`	`}`
`807`	`798`
`808`	`799`	`return nil`
`809`	`800`	`}`
`810`	`801`
`811`		`-func (fr *FirewallRule) isAny(groups []string, host string, ip netip.Prefix) bool {`
`812`		`- if len(groups) == 0 && host == "" && !ip.IsValid() {`
	`802`	`+func (fr *FirewallRule) isAny(groups []string, host string, cidr string) bool {`
	`803`	`+ if len(groups) == 0 && host == "" && cidr == "" {`
`813`	`804`	`return true`
`814`	`805`	`}`
`815`	`806`
`@@ -823,7 +814,7 @@ func (fr *FirewallRule) isAny(groups []string, host string, ip netip.Prefix) boo`
`823`	`814`	`return true`
`824`	`815`	`}`
`825`	`816`
`826`		`- if ip.IsValid() && ip.Bits() == 0 {`
	`817`	`+ if cidr == "any" {`
`827`	`818`	`return true`
`828`	`819`	`}`
`829`	`820`
`@@ -875,8 +866,13 @@ func (fr FirewallRule) match(p firewall.Packet, c cert.CachedCertificate) bool`
`875`	`866`	`return false`
`876`	`867`	`}`
`877`	`868`
`878`		`-func (flc firewallLocalCIDR) addRule(f Firewall, localIp netip.Prefix) error {`
`879`		`- if !localIp.IsValid() {`
	`869`	`+func (flc firewallLocalCIDR) addRule(f Firewall, localCidr string) error {`
	`870`	`+ if localCidr == "any" {`
	`871`	`+ flc.Any = true`
	`872`	`+ return nil`
	`873`	`+ }`
	`874`	`+`
	`875`	`+ if localCidr == "" {`
`880`	`876`	`if !f.hasUnsafeNetworks \|\| f.defaultLocalCIDRAny {`
`881`	`877`	`flc.Any = true`
`882`	`878`	`return nil`
`@@ -887,12 +883,13 @@ func (flc firewallLocalCIDR) addRule(f Firewall, localIp netip.Prefix) error {`
`887`	`883`	`}`
`888`	`884`	`return nil`
`889`	`885`
`890`		`- } else if localIp.Bits() == 0 {`
`891`		`- flc.Any = true`
`892`		`- return nil`
`893`	`886`	`}`
`894`	`887`
`895`		`- flc.LocalCIDR.Insert(localIp)`
	`888`	`+ c, err := netip.ParsePrefix(localCidr)`
	`889`	`+ if err != nil {`
	`890`	`+ return err`
	`891`	`+ }`
	`892`	`+ flc.LocalCIDR.Insert(c)`
`896`	`893`	`return nil`
`897`	`894`	`}`
`898`	`895`