[management] Fix invalid port range sync (#3571)

We should not send port range when a port is set or when protocol is all or icmp
2026-04-18 00:06:38 +00:00 · 2025-03-24 00:56:51 +01:00
parent bd8f0c1ef3
commit 9cbcf7531f
1 changed files with 11 additions and 2 deletions
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -255,15 +255,24 @@ func toProtocolFirewallRules(rules []*types.FirewallRule) []*proto.FirewallRule
 	for i := range rules {
 		rule := rules[i]

-		result[i] = &proto.FirewallRule{
+		fwRule := &proto.FirewallRule{
 			PolicyID:  []byte(rule.PolicyID),
 			PeerIP:    rule.PeerIP,
 			Direction: getProtoDirection(rule.Direction),
 			Action:    getProtoAction(rule.Action),
 			Protocol:  getProtoProtocol(rule.Protocol),
 			Port:      rule.Port,
-			PortInfo:  rule.PortRange.ToProto(),
 		}
+
+		if shouldUsePortRange(fwRule) {
+			fwRule.PortInfo = rule.PortRange.ToProto()
+		}
+
+		result[i] = fwRule
 	}
 	return result
 }
+
+func shouldUsePortRange(rule *proto.FirewallRule) bool {
+	return rule.Port == "" && (rule.Protocol == proto.RuleProtocol_UDP || rule.Protocol == proto.RuleProtocol_TCP)
+}