The ipv4 representation was only accepting slash notation with masks
represented in 2 digits. In the ipv6 implementation several fixies were made:
The maximum value to a bitmask was 64 which is not the reality, as ipv6 can
handle 128 bits. The second change was also to enable mask representation with
more and less than 2 digits. A more general fix was added to allow the unit
tests to work even if a invalid ip/range was informed during the creation of
the "tree", now it is checking if the tree is NULL while performing the
execution of the operator. Initial problem was reported at the issue: #706.
The operators @ipMatch, @ipMatchF and @ipMatchFromFile were
added to the functions: SecReadStateLimit and SecReadStateLimit,
by using them it is possible to declare a suspicious list. When
a suspicious list is given, the {Read|Write}StateLimit will be
applied just to the IPs that belongs to that restricted list.
Note that the negative of those operators (e.g. !@ipMatch) can be
used to place a whitelist. The {Read|Write}StateLimit
restrictions will not be applied to those in the whitelist.
This current version the Sec{Read|Write}StateLimit can be used
varios times to add elements to both lists, however, the
last informed limit will be applied for the entire group. This
feature is experimental, and suggestions on how to improve it
are very welcome. For further discussion use the issue: #353.
