
Port forward: highlight pf using IP ranges #898

Closed
gsanchietti opened this issue Nov 12, 2024 · 4 comments
Comments

@gsanchietti
Member

gsanchietti commented Nov 12, 2024

When setting up a port forward, the user has the option to restrict access by specifying one or more IP addresses, CIDR networks, or an object.

Here's a scenario where the port forward stops functioning:

  • The user creates a port forward, selecting a host set that includes one or more IP addresses inside Restrict access from field.
  • The user then edits the host set, replacing one of the IP addresses with an IP range.
  • Since port forwards do not support IP ranges, the previously created port forward is now silently ignored by the firewall.
@stephdl
Contributor

stephdl commented Jan 14, 2025

QA
version to test NethServer/nethsecurity-ui#483
artefact
no backend change
Repeat the scenario above: an object with an IP range can be used in a port forward, but the inactive badge and the tooltip must be displayed.

@stephdl stephdl added the testing Packages are available from testing repositories label Jan 14, 2025
@nethbot nethbot moved this from In Progress 🛠 to Testing in NethSecurity Jan 14, 2025
@stephdl stephdl removed their assignment Jan 14, 2025
@gsanchietti gsanchietti self-assigned this Jan 16, 2025
gsanchietti pushed a commit that referenced this issue Jan 16, 2025
Co-authored-by: gsanchietti <gsanchietti@users.noreply.github.com>

#898
@gsanchietti
Member Author

Testing image: 23.05.5-ns.1.4.1-28-g30997db51

@gsanchietti
Member Author

gsanchietti commented Jan 16, 2025

Not verified.
The port forward is not highlighted as inactive:
Image

I've found the following issue:

  1. the UI must highlight as inactive port forwards that use an object with an IP range when the object is used inside the "Restrict access from" field (see above screenshot)
  2. If an object with an IP range is used inside the "Restrict access from" field, nft breaks:
# fw4 reload
Section ns_b57a4e54 (pf1) does not specify a destination, assuming 'lan'
Section ns_user_include specifies unreachable path '/etc/firewall.user', ignoring section
Automatically including '/usr/share/nftables.d/chain-pre/input/20-don.nft'
Automatically including '/usr/share/nftables.d/chain-pre/srcnat/20netmap.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20netmap.nft'
/dev/stdin:14:19-22: Error: syntax error, unexpected string, expecting number
			192.168.100.46/null,
			               ^^^^
/dev/stdin:15:4-17: Error: syntax error, unexpected string
			192.168.100.45/32,
			^^^^^^^^^^^^^^
/dev/stdin:42:14-14: Error: syntax error, unexpected '{', expecting string or last
	chain input {
	            ^
/dev/stdin:43:3-6: Error: syntax error, unexpected type
		type filter hook input priority filter; policy drop;
		^^^^
/dev/stdin:43:43-48: Error: syntax error, unexpected policy
		type filter hook input priority filter; policy drop;
		                                        ^^^^^^
/dev/stdin:45:3-9: Error: syntax error, unexpected iifname
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		^^^^^^^
In file included from /dev/stdin:47:3-61:
/usr/share/nftables.d/chain-pre/input/20-don.nft:1:1-7: Error: syntax error, unexpected iifname
iifname "tunDON" tcp dport {981,9090,443,19999} counter accept comment ns-allow-don
^^^^^^^
/dev/stdin:48:6-10: Error: syntax error, unexpected state, expecting timeout or expectation or helper
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		   ^^^^^
/dev/stdin:49:3-5: Error: syntax error, unexpected tcp
		tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		^^^
/dev/stdin:50:3-9: Error: syntax error, unexpected iifname
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		^^^^^^^

Relevant part of firewall db:

config redirect 'ns_b57a4e54'
	option src 'wan'
	option target 'DNAT'
	option enabled '1'
	option log '0'
	option name 'pf1'
	option reflection '0'
	option src_dport '4455'
	option dest_ip '192.168.100.2'
	option ipset 'ns_b57a4e54_ipset'
	option ns_src 'objects/ns_ee2225de'
	list proto 'tcp'
	list proto 'udp'

config ipset 'ns_b57a4e54_ipset'
	option name 'ns_b57a4e54_ipset'
	option match 'src_net'
	option enabled '1'
	option ns_link 'firewall/ns_b57a4e54'
	list entry '192.168.100.46-192.168.100.50'
	list entry '192.168.100.45'

Proposal: revert current code and do not add any highlight for the port forward.
Change the implementation to: prevent adding an IP range to an object that is used inside the "Restrict" field to prevent the nft crash.

During the QA another related issue has been found: if an object is used as destination, the UI must prevent the modification of the object with an IP range (related issue)
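To make the failure mode concrete, here is an added check (example code, not NethSecurity's own) that parses a UCI firewall snippet shaped like the one above and reports every redirect whose ipset contains an entry fw4 cannot emit as address/prefix, which is exactly what produces the `192.168.100.46/null` line in the nft error. The minimal UCI parser and the sample config are assumptions written for this example.

```python
import ipaddress
import re

# Constructed sample, mirroring the shape of the firewall db snippet in this issue.
SAMPLE_UCI = """
config redirect 'ns_b57a4e54'
        option name 'pf1'
        option ipset 'ns_b57a4e54_ipset'

config ipset 'ns_b57a4e54_ipset'
        option match 'src_net'
        list entry '192.168.100.46-192.168.100.50'
        list entry '192.168.100.45'
"""

def parse_uci(text):
    """Minimal UCI parser: {section_name: {'type': ..., option: value, list: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config (\S+) '([^']+)'$", line)
        if m:
            current = sections.setdefault(m.group(2), {"type": m.group(1)})
            continue
        m = re.match(r"(option|list) (\S+) '([^']*)'$", line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current[key] = value
            else:
                current.setdefault(key, []).append(value)
    return sections

def is_cidr_entry(entry):
    """True for a single address or address/prefix; a 'lo-hi' range is rejected."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def offending_entries(text):
    """Map redirect name -> ipset entries that fw4 cannot render as address/prefix."""
    sections = parse_uci(text)
    result = {}
    for name, sec in sections.items():
        if sec.get("type") != "redirect" or "ipset" not in sec:
            continue
        entries = sections.get(sec["ipset"], {}).get("entry", [])
        bad = [e for e in entries if not is_cidr_entry(e)]
        if bad:
            result[name] = bad
    return result
```

Running `offending_entries(SAMPLE_UCI)` flags `ns_b57a4e54` with the range entry only; the same check, applied before an object is saved, is one way to implement the "prevent adding an IP range" proposal.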

@gsanchietti
Member Author

Replaced by #1032

@github-project-automation github-project-automation bot moved this from In Progress 🛠 to Done ✅ in NethSecurity Jan 20, 2025