In my firewall I use an ipset as a geographical blacklist.
A single address can be entered into the blacklist using CIDR notation or not, i.e.
111.222.111.222/32 OR 111.222.111.222
while a block of IP addresses can be entered using CIDR notation:
111.222.111.0/24
Both the ipset and firewall-cmd commands have ways to ask if an address has already been entered into the blacklist. The basic syntax is
ipset test <blacklist> <ip_addr>
firewall-cmd --ipset=<blacklist> --query-entry=<ip_addr>
With ipset I can test a single address using CIDR or not regardless of how it was entered. If the entry was a block of addresses, any address within the block is reported as "in the ipset".
firewall-cmd responds differently. If I entered "111.222.111.222/32" (i.e. using CIDR) into the list, firewall-cmd reports the address as "NOT entered" if I query the simple form "111.222.111.222" even though they are the same single address. Conversely, if the original entry was simple, the CIDR form is reported as "NOT entered".
With block entries like 111.222.111.0/24, any address within the block is reported as "NOT entered"! Only the actual string entered, 111.222.111.0/24, is considered "entered".
I use these types of queries to decide whether an IP address is already being blocked. Clearly, relying on the firewall-cmd query would lead to unnecessary entries.
What do you think? Should I consider this simply a poor design decision or a reportable "bug"?
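As an added illustration of the two behaviours described above (not code from the post or from firewalld/ipset), the helper below compares a literal string match, which is what the post observes from firewall-cmd --query-entry, with a real containment test in the sense of ipset test, and returns the entry that already covers a candidate so a blocking script can skip redundant additions. It assumes the entry list is the plain text produced by `firewall-cmd --ipset=<blacklist> --get-entries`; the sample entries here are constructed.

```python
import ipaddress

# Constructed sample of what `firewall-cmd --ipset=<blacklist> --get-entries`
# prints: one entry per line, with or without a CIDR suffix.
SAMPLE_ENTRIES = """111.222.111.222/32
10.20.30.40
111.222.111.0/24
"""


def parse_entries(text):
    """Return (raw_string, ip_network) pairs; a bare host becomes a /32 (or /128)."""
    pairs = []
    for line in text.splitlines():
        raw = line.strip()
        if raw:
            pairs.append((raw, ipaddress.ip_network(raw, strict=False)))
    return pairs


def query_string_match(entries_text, query):
    """Literal comparison: the query counts as entered only if the exact
    text is in the list, so 'a.b.c.d' and 'a.b.c.d/32' are different."""
    return query.strip() in {raw for raw, _ in parse_entries(entries_text)}


def covering_entry(entries_text, query):
    """Containment test (ipset semantics): return the raw entry whose
    network contains the queried host or block, or None if nothing does.
    Mixed IPv4/IPv6 entries are skipped rather than raising TypeError."""
    wanted = ipaddress.ip_network(query, strict=False)
    for raw, net in parse_entries(entries_text):
        if net.version == wanted.version and wanted.subnet_of(net):
            return raw
    return None


def query_membership(entries_text, query):
    """True if the queried address or block is already blocked by any entry."""
    return covering_entry(entries_text, query) is not None
```

Before adding a new entry, call covering_entry() on the candidate; a non-None result means the address is already blocked, which is the check the post says firewall-cmd's own query cannot provide.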