[4.5.1] detect and filter overlapped IP's on firewalld_ipset

[tuxmaster5000]

• Distribution: RHEL-9
• Module version: 4.5.1

How to reproduce (e.g Puppet code you use)

$foo::one =  ['1.1.1.1/32']
...
$bar::two = ['1.1.1.0/24']
...
$e= concat($foo::one, $bar::two)
firewalld_ipset { 'foo':
   type    => 'hash:net',
   entries => $e
}

What are you seeing

An error about return code 136 of "/usr/bin/firewall-cmd --permanent --ipset"

What behaviour did you expect instead

That overlapping IP's are filtered out with an warning.

Output log

firewall-cmd :
Error: INVALID_ENTRY: Entry '1.1.1.0/24' overlaps with existing entry '1.1.1.1'

Any additional information you'd like to impart

In the sample above, the module must recognize, that 1.1.1.1 are an part of 1.1.1.0/24 and ignore 1.1.1.1
The old iptables ip set simple ignores this, but firewall-cmd on RHEL-9 don't like this.

[jcpunk]

I think that is a RHEL9 thingy rather than a puppet-firewalld thingy. I'm not sure it would be wise (or possible) to implement address range mapping via puppet's DSL.

[tuxmaster5000]

I have opened an issue at RHEL. Because on classical ipsets under iptables, there will be no problem.

[jcpunk]

Sounds good.

[tuxmaster5000]

@jcpunk It looks like, it will be possible to do this with puppet.
I have found an site, which will address this problem:
https://gbe0.com/posts/networking/puppet-aggregate-resolve-validate-and-filter-ip-addresses/
Please take an look into it.
Thanks

[jcpunk]

I'm thinking that function set might be suitable for exlib or maybe stdlib?

[tuxmaster5000]

Good question. I would suggest, that you open an ticket for it by the maintainer.