}
# ipset names are limited to 31 characters,
-# and we use '-v4' or '-v6' to indicate IP versions,
-# and we use '_swap' suffix for atomic update,
+# and we use '-v4' or '-v6' to indicate IP versions,
+# and we use '_swap' suffix for atomic update,
# for example PVEFW-${VMID}-${ipset_name}_swap
my $max_iptables_ipset_name_length = 31 - length("PVEFW-") - length("_swap");
}
if ($rule->{source}) {
- eval {
+ eval {
my $source_ipversion = parse_address_list($rule->{source});
&$set_ip_version($source_ipversion);
};
}
if ($rule->{dest}) {
- eval {
- my $dest_ipversion = parse_address_list($rule->{dest});
+ eval {
+ my $dest_ipversion = parse_address_list($rule->{dest});
&$set_ip_version($dest_ipversion);
};
&$add_error('dest', $@) if $@;
if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
if ($ipversion == 4) {
if ($direction eq 'OUT') {
- ruleset_generate_rule($ruleset, $chain, $ipversion,
+ ruleset_generate_rule($ruleset, $chain, $ipversion,
{ action => 'PVEFW-SET-ACCEPT-MARK',
proto => 'udp', sport => 68, dport => 67 });
} else {
my ($cidr) = @_;
my $ipversion;
-
+
if ($cidr =~ m!^(?:$IPV6RE)(/(\d+))?$!) {
$cidr =~ s|/128$||;
$ipversion = 6;
warn "$prefix: $err";
next;
}
-
+
$res->{$section}->{$group} = [];
$res->{group_comments}->{$group} = decode('utf8', $comment)
if $comment;
$section = 'ipset';
$group = lc($1);
my $comment = $2;
- eval {
+ eval {
die "ipset name too long\n" if length($group) > $max_ipset_name_length;
die "invalid ipset name '$group'\n" if $group !~ m/^${ipset_name_pattern}$/;
};
$errors->{nomatch} = "nomatch not supported by kernel";
}
- eval {
+ eval {
if ($cidr =~ m/^${ip_alias_pattern}$/) {
resolve_alias($cluster_conf, $res, $cidr); # make sure alias exists
} else {
my $format_ipsets = sub {
my ($fw_conf) = @_;
-
+
my $raw = '';
foreach my $ipset (sort keys %{$fw_conf->{ipset}}) {
foreach my $vmid (keys %{$vmdata->{qemu}}) {
my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir);
- next if !$vmfw_conf->{options}; # skip if file does not exists
+ next if !$vmfw_conf->{options}; # skip if file does not exist
$vmfw_configs->{$vmid} = $vmfw_conf;
}
foreach my $vmid (keys %{$vmdata->{lxc}}) {
my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir);
- next if !$vmfw_conf->{options}; # skip if file does not exists
+ next if !$vmfw_conf->{options}; # skip if file does not exist
$vmfw_configs->{$vmid} = $vmfw_conf;
}
$raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
$raw .= &$format_ipsets($cluster_conf) if $cluster_conf->{ipset};
-
+
my $rules = $cluster_conf->{rules};
if ($rules && scalar(@$rules)) {
$raw .= "[RULES]\n\n";
my $localnet_ver;
($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
- $cluster_conf->{aliases}->{local_network} = {
+ $cluster_conf->{aliases}->{local_network} = {
name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
}
my $ipset_chains = ipset_get_chains();
my $cmdlist = "";
-
+
foreach my $chain (keys %$ipset_chains) {
$cmdlist .= "flush $chain\n";
$cmdlist .= "destroy $chain\n";
projects / pve-firewall.git / blobdiff