Firewall rules: ipset reference not removed when modifying input rule #919

Open

gsanchietti opened this issue Nov 18, 2024 · 0 comments

@gsanchietti (Member)

Steps to reproduce

  • Create an input rule (e.g., ssh access) with the source limited to a domain set.
  • Modify the rule by limiting the source to only the IP address 1.1.1.1.
  • Check the chain input_wan to see if the reference to the ipset is removed.
  • The uci configuration before modification:

    ```
    firewall.ns_2cb6a34d=rule
    firewall.ns_2cb6a34d.name='allow-ssh'
    firewall.ns_2cb6a34d.src='wan'
    firewall.ns_2cb6a34d.target='ACCEPT'
    firewall.ns_2cb6a34d.ns_service='ssh'
    firewall.ns_2cb6a34d.dest_port='22'
    firewall.ns_2cb6a34d.enabled='1'
    firewall.ns_2cb6a34d.log='0'
    firewall.ns_2cb6a34d.ipset='tutto src'
    firewall.ns_2cb6a34d.src_ip='1.1.1.1'
    firewall.ns_2cb6a34d.proto='tcp' 'udp'
    ```

  • The uci configuration after modification to hostsets:

    ```
    firewall.ns_2cb6a34d=rule
    firewall.ns_2cb6a34d.name='allow-ssh'
    firewall.ns_2cb6a34d.src='wan'
    firewall.ns_2cb6a34d.target='ACCEPT'
    firewall.ns_2cb6a34d.ns_service='ssh'
    firewall.ns_2cb6a34d.dest_port='22'
    firewall.ns_2cb6a34d.enabled='1'
    firewall.ns_2cb6a34d.log='0'
    firewall.ns_2cb6a34d.proto='tcp' 'udp'
    firewall.ns_2cb6a34d.ns_src='objects/ns_783c64b8'
    firewall.ns_2cb6a34d.src_ip='151.99.0.101' '151.99.0.100'
    ```


Expected behavior

  • The reference to the ipset should be removed from the chain input_wan once the source is changed to a specific IP address.

Actual behavior

  • The reference to the ipset remains in the chain input_wan even after changing the source to a specific IP address.
  • When changing the source to 'any', the ipset reference remains as @tutto.
  • Verify if the issue is present inside output and forward rules

Components
NethSecurity version: 8-23.05.5-ns.1.3.0

@gsanchietti gsanchietti added this to the NethSecurity 8.4 milestone Nov 18, 2024
@github-project-automation github-project-automation bot moved this to ToDo 🕐 in NethSecurity Nov 18, 2024
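The check the reporter asks for in step 3 (is the `@tutto` reference still in `input_wan` after the rule was changed?) can be scripted so it does not depend on eyeballing `nft` output. The script below is an added example and is not code from the issue or from NethSecurity. It compares the `uci show firewall.<section>` dump of a rule with an `nft list chain inet fw4 input_wan` listing and reports set names that the chain still uses for that rule although the rule has no `ipset` option any more. It assumes the `uci show` format pasted in the issue and fw4's convention of tagging generated rules with `comment "!fw4: <rule name>"`; the helper functions (`rule_name`, `config_sets`, `chain_sets`, `stale_sets`) are hypothetical names written for this example, and both sample inputs are constructed to mirror the issue, not captured from a real box.

```shell
#!/bin/sh
# Added example, not code from the issue or from NethSecurity: report ipset
# references that an fw4 chain still carries for a rule whose UCI section no
# longer has an 'ipset' option.
# Assumptions: 'uci show firewall.<section>' output as pasted in the issue,
# and fw4's convention of tagging generated rules with comment "!fw4: <name>".
# All function names below are hypothetical helpers written for this example.

# Constructed sample: the rule before modification (references set 'tutto').
UCI_BEFORE="firewall.ns_2cb6a34d=rule
firewall.ns_2cb6a34d.name='allow-ssh'
firewall.ns_2cb6a34d.src='wan'
firewall.ns_2cb6a34d.target='ACCEPT'
firewall.ns_2cb6a34d.dest_port='22'
firewall.ns_2cb6a34d.ipset='tutto src'
firewall.ns_2cb6a34d.src_ip='1.1.1.1'
firewall.ns_2cb6a34d.proto='tcp' 'udp'"

# Constructed sample: the same rule after the source was changed to a host set.
UCI_AFTER="firewall.ns_2cb6a34d=rule
firewall.ns_2cb6a34d.name='allow-ssh'
firewall.ns_2cb6a34d.src='wan'
firewall.ns_2cb6a34d.target='ACCEPT'
firewall.ns_2cb6a34d.dest_port='22'
firewall.ns_2cb6a34d.proto='tcp' 'udp'
firewall.ns_2cb6a34d.ns_src='objects/ns_783c64b8'
firewall.ns_2cb6a34d.src_ip='151.99.0.101' '151.99.0.100'"

# Constructed sample of 'nft list chain inet fw4 input_wan' in the buggy state:
# allow-ssh still matches on @tutto. The second rule belongs to a different UCI
# rule and must not be reported when checking allow-ssh.
NFT_CHAIN='table inet fw4 {
    chain input_wan {
        meta nfproto ipv4 tcp dport 22 ip saddr @tutto counter packets 0 bytes 0 accept comment "!fw4: allow-ssh"
        meta nfproto ipv4 ip saddr @blocklist counter packets 0 bytes 0 drop comment "!fw4: drop-bad"
    }
}'

# Name of the rule as fw4 writes it into the rule comment.
rule_name() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.[^.]*\.name='\([^']*\)'.*/\1/p"
}

# Set names the UCI rule references through its 'ipset' option
# ("ipset='tutto src'" -> "tutto"); prints nothing when the option is absent.
config_sets() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.[^.]*\.ipset='\([^' ]*\).*/\1/p"
}

# '@set' references found on the chain lines generated for the given rule name
# ($1 = chain listing, $2 = rule name), one per line, deduplicated.
chain_sets() {
    printf '%s\n' "$1" | grep -F "!fw4: $2\"" | grep -o '@[A-Za-z0-9_]*' \
        | sed 's/^@//' | sort -u
}

# Sets the chain still uses for this rule although the UCI rule no longer
# references them ($1 = uci dump, $2 = chain listing). One name per line;
# empty output means no stale reference.
stale_sets() {
    cfg=$(config_sets "$1")
    chain_sets "$2" "$(rule_name "$1")" | while read -r s; do
        printf '%s\n' "$cfg" | grep -qx "$s" || printf '%s\n' "$s"
    done
}

# On a live box the same check reads the real state:
#   stale_sets "$(uci show firewall.ns_2cb6a34d)" "$(nft list chain inet fw4 input_wan)"
echo "before modification: stale sets = [$(stale_sets "$UCI_BEFORE" "$NFT_CHAIN")]"
echo "after modification:  stale sets = [$(stale_sets "$UCI_AFTER" "$NFT_CHAIN")]"
```

With the constructed inputs the first line reports no stale set and the second reports `tutto`, which is exactly the state the issue describes. Because `chain_sets` filters on the `!fw4: <name>` comment, a set legitimately used by another rule in the same chain (`@blocklist` above) is not flagged. The last bullet under "Actual behavior" asks whether output and forward rules are affected; the same function works there by passing `nft list chain inet fw4 output_wan` or `forward_wan` (or the corresponding zone chains) as the second argument.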