nftables-napi 0.4.2 → 0.4.4

package/lib/index.d.ts

@@ -31,7 +31,11 @@ export interface NftManagerOptions {
 
 /** Options for adding a single address. */
 export interface AddAddressOptions {
-    /** IPv4/IPv6 address or CIDR (e.g., "1.2.3.4", "10.0.0.0/8", "2001:db8::/32"). */
+    /**
+     * IPv4/IPv6 address or CIDR (e.g., "1.2.3.4", "10.0.0.0/8", "2001:db8::/32").
+     * Misaligned CIDR (host bits set) is auto-normalized to the network address,
+     * e.g. "10.0.0.5/24" becomes "10.0.0.0/24".
+     */
     ip: string;
     /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
     set: string;
@@ -41,7 +45,11 @@ export interface AddAddressOptions {
 
 /** Options for removing a single address. */
 export interface RemoveAddressOptions {
-    /** IPv4/IPv6 address or CIDR to remove (must match exactly as added). */
+    /**
+     * IPv4/IPv6 address or CIDR to remove (must match exactly as added).
+     * Misaligned CIDR (host bits set) is auto-normalized to the network address,
+     * e.g. "10.0.0.5/24" becomes "10.0.0.0/24".
+     */
     ip: string;
     /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
     set: string;
@@ -49,7 +57,7 @@ export interface RemoveAddressOptions {
 
 /** Options for bulk adding addresses. */
 export interface AddAddressesOptions {
-    /** Array of IPv4/IPv6 addresses or CIDRs. */
+    /** Array of IPv4/IPv6 addresses or CIDRs. Misaligned CIDR is auto-normalized. */
     ips: string[];
     /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
     set: string;
@@ -59,7 +67,7 @@ export interface AddAddressesOptions {
 
 /** Options for bulk removing addresses. */
 export interface RemoveAddressesOptions {
-    /** Array of IPv4/IPv6 addresses or CIDRs to remove. */
+    /** Array of IPv4/IPv6 addresses or CIDRs to remove. Misaligned CIDR is auto-normalized. */
     ips: string[];
     /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
     set: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nftables-napi",
-  "version": "0.4.2",
+  "version": "0.4.4",
   "description": "Native Node.js binding for nftables via libnftnl+libmnl — nftables firewall management",
   "author": {
     "name": "kastov",

package/src/netlink/set_ops.cpp

@@ -12,6 +12,7 @@ extern "C" {
 }
 
 #include <algorithm>
+#include <cstring>
 
 static_assert(nft::FAMILY_IPV4 == NFPROTO_IPV4, "nft::FAMILY_IPV4 must match NFPROTO_IPV4");
 static_assert(nft::FAMILY_IPV6 == NFPROTO_IPV6, "nft::FAMILY_IPV6 must match NFPROTO_IPV6");
@@ -19,6 +20,71 @@ static_assert(nft::PROTO_SERVICE_KEY_LEN == 8, "concatenated proto.service key m
 
 enum class SetElemAction { Add, Del };
 
+// Merge overlapping or adjacent intervals per family. Required because
+// rbtree-backed interval sets reject inserts that overlap an existing range,
+// and adjacent ranges produce duplicate boundary keys (start of one == end
+// marker of another). Result is sorted, disjoint by family.
+//
+// Wraparound intervals (end_bytes <= bytes lexicographically — e.g. a /32 of
+// 255.255.255.255 whose exclusive end overflows to 0.0.0.0) are not merged:
+// lex-comparison breaks down across the address-space wrap, and naive merge
+// would silently drop the entry. They are passed through as-is.
+static std::vector<ParsedAddr> merge_intervals(std::vector<ParsedAddr> addrs) {
+    if (addrs.size() < 2) return addrs;
+
+    std::sort(addrs.begin(), addrs.end(), [](const ParsedAddr& a, const ParsedAddr& b) {
+        if (a.family != b.family) return a.family < b.family;
+        return std::memcmp(a.bytes, b.bytes, a.len) < 0;
+    });
+
+    auto is_wrapped = [](const ParsedAddr& p) {
+        return std::memcmp(p.end_bytes, p.bytes, p.len) <= 0;
+    };
+
+    std::vector<ParsedAddr> merged;
+    merged.reserve(addrs.size());
+    merged.push_back(addrs[0]);
+
+    for (size_t i = 1; i < addrs.size(); ++i) {
+        ParsedAddr& last = merged.back();
+        const ParsedAddr& cur = addrs[i];
+
+        if (cur.family != last.family || is_wrapped(cur) || is_wrapped(last)) {
+            merged.push_back(cur);
+            continue;
+        }
+
+        // Overlap or adjacency: cur.start <= last.end (end is exclusive).
+        if (std::memcmp(cur.bytes, last.end_bytes, cur.len) <= 0) {
+            // Extend end if cur reaches further.
+            if (std::memcmp(cur.end_bytes, last.end_bytes, cur.len) > 0) {
+                std::memcpy(last.end_bytes, cur.end_bytes, cur.len);
+            }
+        } else {
+            merged.push_back(cur);
+        }
+    }
+
+    return merged;
+}
+
+// Drop duplicate (proto, port) pairs. Concat sets reject duplicates inside
+// a single batch with EEXIST.
+static std::vector<PortElem> dedup_port_elems(std::vector<PortElem> elems) {
+    if (elems.size() < 2) return elems;
+
+    std::sort(elems.begin(), elems.end(), [](const PortElem& a, const PortElem& b) {
+        if (a.proto != b.proto) return a.proto < b.proto;
+        return a.port < b.port;
+    });
+    elems.erase(std::unique(elems.begin(), elems.end(),
+                            [](const PortElem& a, const PortElem& b) {
+                                return a.proto == b.proto && a.port == b.port;
+                            }),
+                elems.end());
+    return elems;
+}
+
 static NlResult bulk_set_elem_op(
     const std::vector<ParsedAddr>& addrs,
     NlSocket& sock,
@@ -107,7 +173,8 @@ BulkAddSetElemOp::BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeo
       cfg_(std::move(config)), set_idx_(set_idx) {}
 
 NlResult BulkAddSetElemOp::execute(NlSocket& sock) {
-    return bulk_set_elem_op(addrs_, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
+    auto merged = merge_intervals(std::move(addrs_));
+    return bulk_set_elem_op(merged, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
 }
 
 BulkDelSetElemOp::BulkDelSetElemOp(std::vector<ParsedAddr> addrs,
@@ -194,7 +261,8 @@ BulkAddPortElemOp::BulkAddPortElemOp(std::vector<PortElem> elems, uint64_t timeo
       cfg_(std::move(config)), set_idx_(set_idx) {}
 
 NlResult BulkAddPortElemOp::execute(NlSocket& sock) {
-    return bulk_port_elem_op(elems_, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
+    auto deduped = dedup_port_elems(std::move(elems_));
+    return bulk_port_elem_op(deduped, sock, SetElemAction::Add, *cfg_, set_idx_, timeout_ms_);
 }
 
 BulkDelPortElemOp::BulkDelPortElemOp(std::vector<PortElem> elems,

package/src/netlink/set_ops.h

@@ -7,6 +7,7 @@
 #include <memory>
 #include <vector>
 
+// One-shot Op: execute() consumes addrs_ via move; do not call twice.
 class BulkAddSetElemOp final : public NlOperation {
 public:
     BulkAddSetElemOp(std::vector<ParsedAddr> addrs, uint64_t timeout_ms,
@@ -37,6 +38,7 @@ struct PortElem {
     uint16_t port;
 };
 
+// One-shot Op: execute() consumes elems_ via move; do not call twice.
 class BulkAddPortElemOp final : public NlOperation {
 public:
     BulkAddPortElemOp(std::vector<PortElem> elems, uint64_t timeout_ms,

package/src/validation.cpp

@@ -155,24 +155,19 @@ CidrAddr parse_ip_or_cidr(const std::string& input) {
 
     auto prefix_len = static_cast<uint8_t>(prefix);
 
-    // Verify host bits are zero
+    // Mask off host bits silently — input like "10.0.0.5/24" becomes
+    // "10.0.0.0/24", matching `ip route` and Python ipaddress(strict=False).
     uint32_t full_bytes = prefix_len / 8;
     uint32_t remainder_bits = prefix_len % 8;
 
-    // Check boundary byte: host bits must be zero
     if (remainder_bits > 0 && full_bytes < ip.len) {
-        uint8_t mask = static_cast<uint8_t>(0xFF >> remainder_bits);
-        if ((ip.bytes[full_bytes] & mask) != 0) {
-            return result; // host bits set in boundary byte
-        }
+        uint8_t mask = static_cast<uint8_t>(0xFF << (8 - remainder_bits));
+        ip.bytes[full_bytes] &= mask;
     }
 
-    // Check all bytes after the prefix boundary must be zero
-    uint32_t start_check = full_bytes + (remainder_bits > 0 ? 1 : 0);
-    for (uint32_t i = start_check; i < ip.len; ++i) {
-        if (ip.bytes[i] != 0) {
-            return result; // host bits set
-        }
+    uint32_t start_zero = full_bytes + (remainder_bits > 0 ? 1 : 0);
+    for (uint32_t i = start_zero; i < ip.len; ++i) {
+        ip.bytes[i] = 0;
     }
 
     result.network = ip;

package/src/validation.h

@@ -22,11 +22,17 @@ struct CidrAddr {
 };
 
 // Parse IP string or CIDR notation. Accepts:
-//   "1.2.3.4"       -> CidrAddr{network=1.2.3.4, end=1.2.3.5}
-//   "10.0.0.0/8"    -> CidrAddr{network=10.0.0.0, end=11.0.0.0}
-//   "2001:db8::/32" -> CidrAddr{network=2001:db8::, end=2001:db9::}
+//   "1.2.3.4"          -> CidrAddr{network=1.2.3.4, end=1.2.3.5}
+//   "10.0.0.0/8"       -> CidrAddr{network=10.0.0.0, end=11.0.0.0}
+//   "2001:db8::/32"    -> CidrAddr{network=2001:db8::, end=2001:db9::}
+//   "198.19.0.0/15"    -> CidrAddr{network=198.18.0.0, end=198.20.0.0}
+//                         (host bits silently masked off — see below)
+//
+// Misaligned CIDR (host bits set) is auto-normalized: host bits are
+// masked off to obtain the network address. Matches `ip route` and
+// Python ipaddress.ip_network(strict=False). Rejects only:
+// /0 (too dangerous), prefix > family bits, malformed input.
 // Returns CidrAddr with network.family=Invalid on failure.
-// Rejects: host bits set (192.168.1.1/24), prefix > 32/128, /0 (too dangerous).
 [[nodiscard]] CidrAddr parse_ip_or_cidr(const std::string& input);
 
 struct PortVal {