ipfw: treat ipv6 address with zero mask as 'any'

Make the behaviour similar for both IPv4 and IPv6. Also add
the corresponding tests.

PR:             294733
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56618

sbin/ipfw/ipfw2.c

@@ -3595,12 +3595,13 @@ fill_ip(ipfw_insn_ip *cmd, char *av, int cblen, struct tidx *tstate)
 		 * list unless it is the only item, in which case we
 		 * report an error.
 		 */
-		if (cmd->o.len & F_NOT) {	/* "not any" never matches */
-			if (av == NULL && len == 0) /* only this entry */
+		if (av == NULL && len == 0) {
+			if (cmd->o.len & F_NOT) /* "not any" never matches */
 				errx(EX_DATAERR, "not any never matches");
+			return;
 		}
 		/* else do nothing and skip this entry */
-		return;
+		continue;
 	}
 	/* A single IP can be stored in an optimized format */
 	if (d[1] == (uint32_t)~0 && av == NULL && len == 0) {

sbin/ipfw/ipv6.c

@@ -396,8 +396,6 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
 				n2mask(&d[1], masklen);
 		}
 
-		APPLY_MASK(d, &d[1]);   /* mask base address with mask */
-
 		av = q;
 
 		/* Check this entry */
@@ -408,11 +406,16 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
 			 * list unless it is the only item, in which case we
 			 * report an error.
 			 */
-			if (cmd->o.len & F_NOT && av == NULL && len == 0)
-				errx(EX_DATAERR, "not any never matches");
+			if (av == NULL && len == 0) {
+				if (cmd->o.len & F_NOT)
+					errx(EX_DATAERR, "not any never matches");
+				return (1);
+			}
 			continue;
 		}
 
+		APPLY_MASK(d, &d[1]);   /* mask base address with mask */
+
 		/*
 		 * A single IP can be stored alone
 		 */

sbin/ipfw/tests/test_add_rule.py

@@ -135,6 +135,30 @@ class TestAddRule(BaseTest):
                 },
                 id="test_rulenum",
             ),
+            pytest.param(
+                {
+                    "in": "add allow ip4 from 0.0.0.0/0 to 192.0.2.1/0",
+                    "out": {
+                        "insns": [
+                            InsnEmpty(IpFwOpcode.O_IP4),
+                            InsnEmpty(IpFwOpcode.O_ACCEPT),
+                        ],
+                    },
+                },
+                id="test_zero_addrmask4",
+            ),
+            pytest.param(
+                {
+                    "in": "add allow ip6 from ::/0 to 2001:DB8::/0",
+                    "out": {
+                        "insns": [
+                            InsnEmpty(IpFwOpcode.O_IP6),
+                            InsnEmpty(IpFwOpcode.O_ACCEPT),
+                        ],
+                    },
+                },
+                id="test_zero_addrmask6",
+            ),
             pytest.param(
                 {
                     "in": "add allow ip from { 1.2.3.4 or 2.3.4.5 } to any",

tests/atf_python/sys/netpfil/ipfw/insns.py

@@ -682,6 +682,8 @@ insn_attrs = prepare_attrs_map(
 
 
         AttrDescr(IpFwOpcode.O_NOP, InsnComment),
+        AttrDescr(IpFwOpcode.O_IP4, InsnEmpty),
+        AttrDescr(IpFwOpcode.O_IP6, InsnEmpty),
         AttrDescr(IpFwOpcode.O_PROTO, InsnProto),
         AttrDescr(IpFwOpcode.O_PROB, InsnProb),
         AttrDescr(IpFwOpcode.O_IP_DST_ME, InsnEmpty),