Fix: Firewall local/remote address IPv4 Subnetmask/CIDR validation

BornToBeRoot · BornToBeRoot · commit a56fa17b8b32 · 2026-04-26T22:58:37.000+02:00
diff --git a/Source/GlobalAssemblyInfo.cs b/Source/GlobalAssemblyInfo.cs
@@ -6,5 +6,5 @@
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
-[assembly: AssemblyVersion("2026.3.10.0")]
-[assembly: AssemblyFileVersion("2026.3.10.0")]
+[assembly: AssemblyVersion("2026.4.26.0")]
+[assembly: AssemblyFileVersion("2026.4.26.0")]
diff --git a/Source/NETworkManager.Models/Firewall/Firewall.cs b/Source/NETworkManager.Models/Firewall/Firewall.cs
@@ -2,9 +2,12 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation.Runspaces;
+using System.Net;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using NETworkManager.Models.Network;
+using NETworkManager.Utilities;
 using SMA = System.Management.Automation;
 using log4net;
 
@@ -497,7 +500,9 @@ private static bool[] ParseProfile(string value)
 
     /// <summary>
     /// Parses a comma-separated address string (e.g. <c>"192.168.1.0/24,LocalSubnet"</c>) to a
-    /// list of address strings.
+    /// list of address strings. PowerShell returns IPv4 subnets in subnet-mask notation
+    /// (e.g. <c>10.8.0.0/255.255.0.0</c>); these are normalized back to CIDR. IPv6 subnets
+    /// are already returned in CIDR notation by PowerShell and are passed through unchanged.
     /// Returns an empty list when the value is blank or <c>"Any"</c>.
     /// </summary>
     /// <param name="value">
@@ -508,7 +513,27 @@ private static List<string> ParseAddresses(string value)
         if (string.IsNullOrWhiteSpace(value) || value.Equals("Any", StringComparison.OrdinalIgnoreCase))
             return [];
 
-        return [.. value.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)];
+        var addresses = new List<string>();
+
+        foreach (var token in value.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
+        {
+            var slashIndex = token.IndexOf('/');
+
+            if (slashIndex > 0)
+            {
+                var maskPart = token[(slashIndex + 1)..];
+
+                if (RegexHelper.SubnetmaskRegex().IsMatch(maskPart) && IPAddress.TryParse(maskPart, out var mask))
+                {
+                    addresses.Add($"{token[..slashIndex]}/{Subnetmask.ConvertSubnetmaskToCidr(mask)}");
+                    continue;
+                }
+            }
+
+            addresses.Add(token);
+        }
+
+        return addresses;
     }
 
     /// <summary>
diff --git a/Source/NETworkManager.Validators/EmptyOrFirewallAddressValidator.cs b/Source/NETworkManager.Validators/EmptyOrFirewallAddressValidator.cs
@@ -4,12 +4,14 @@
 using System.Net.Sockets;
 using System.Windows.Controls;
 using NETworkManager.Localization.Resources;
+using NETworkManager.Utilities;
 
 namespace NETworkManager.Validators;
 
 /// <summary>
 /// Validates that the input is empty (meaning "Any") or contains semicolon-separated
-/// valid IPv4/IPv6 addresses, CIDR subnets, or recognized Windows Firewall keywords
+/// valid IPv4/IPv6 addresses, IPv4/IPv6 CIDR subnets, IPv4 subnets in subnet-mask
+/// notation (e.g. <c>10.0.0.0/255.0.0.0</c>), or recognized Windows Firewall keywords
 /// (e.g. LocalSubnet, Internet, Intranet, DNS, DHCP, WINS, DefaultGateway).
 /// </summary>
 public class EmptyOrFirewallAddressValidator : ValidationRule
@@ -41,14 +43,18 @@ public override ValidationResult Validate(object value, CultureInfo cultureInfo)
             if (!IPAddress.TryParse(addressPart, out var ip))
                 return new ValidationResult(false, Strings.EnterValidFirewallAddress);
 
-            if (slashIndex > 0)
-            {
-                var prefixStr = token[(slashIndex + 1)..];
-                var maxPrefix = ip.AddressFamily == AddressFamily.InterNetworkV6 ? 128 : 32;
+            if (slashIndex <= 0)
+                continue;
+            
+            var suffix = token[(slashIndex + 1)..];
+
+            if (ip.AddressFamily == AddressFamily.InterNetwork && RegexHelper.SubnetmaskRegex().IsMatch(suffix))
+                continue;
 
-                if (!int.TryParse(prefixStr, out var prefix) || prefix < 0 || prefix > maxPrefix)
-                    return new ValidationResult(false, Strings.EnterValidFirewallAddress);
-            }
+            var maxPrefix = ip.AddressFamily == AddressFamily.InterNetworkV6 ? 128 : 32;
+
+            if (!int.TryParse(suffix, out var prefix) || prefix < 0 || prefix > maxPrefix)
+                return new ValidationResult(false, Strings.EnterValidFirewallAddress);
         }
 
         return ValidationResult.ValidResult;
