});
my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $ipset_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
my $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $max_alias_name_length = 64;
+my $max_ipset_name_length = 64;
+
+
PVE::JSONSchema::register_standard_option('pve-security-group-name', {
description => "Security Group name.",
type => 'string',
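Review bot: The two new limits on lines L5–L6 carry no comment distinguishing them from the 27-character limit that compute_ipset_chain_name enforces further down, and a reader will reasonably wonder why an ipset name may be 64 characters when the generated set name is hashed past 27. I would add above them `# Limits on user-supplied names in the firewall config; the kernel-side set name length is handled separately (hashed) in compute_ipset_chain_name.` Two smaller points on the pattern added at L3: it is a byte-for-byte copy of `$security_group_name_pattern`, so if the two are meant to stay in lockstep `my $ipset_name_pattern = $security_group_name_pattern;` says so, and the `\_` inside the class is a needless escape. Note that neither pattern bounds length itself, so any other caller of `$ipset_name_pattern` that does not also check `$max_ipset_name_length` still accepts arbitrarily long names; whether the registered schema option for ipset names also sets a `maxLength` is not visible here.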
return $__local_network;
}
-my $max_ipset_name_length = 27;
+my $max_iptables_ipset_name_length = 27;
sub compute_ipset_chain_name {
my ($vmid, $ipset_name) = @_;
my $id = "$vmid-${ipset_name}";
- if ((length($id) + 6) > $max_ipset_name_length) {
+ if ((length($id) + 6) > $max_iptables_ipset_name_length) {
$id = PVE::Tools::fnv31a_hex($id);
}
sub parse_address_list {
my ($str) = @_;
- return if $str =~ m/^(\+)(\S+)$/; # ipset ref
- return if $str =~ m/^${ip_alias_pattern}$/;
+ if ($str =~ m/^(\+)(\S+)$/) { # ipset ref
+ die "ipset name too long\n" if length($str) > ($max_ipset_name_length + 1);
+ return;
+ }
+
+ if ($str =~ m/^${ip_alias_pattern}$/) {
+ die "alias name too long\n" if length($str) > $max_alias_name_length;
+ return;
+ }
my $count = 0;
my $iprange = 0;
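Review bot: The ipset branch at L27 still matches `\S+` rather than `$ipset_name_pattern`, so a reference like `+foo/bar` passes parse_address_list with only its length checked and relies on the later rule-verification code to reject the character set; the alias branch right below it validates the charset and the length, so the two branches are inconsistent. The `+ 1` at L28 also exists only to account for the leading `+` that is already captured separately, and neither capture is used. I would write the branch as `if ($str =~ m/^\+(${ipset_name_pattern})$/) { # ipset ref` / `die "ipset name too long\n" if length($1) > $max_ipset_name_length;` / `return;` so the name itself is compared against the limit and the charset is enforced at parse time, and consider `\z` instead of `$` in both branches if the input is not guaranteed to be chomped. parse_address_list continues past the end of this hunk, so the remainder of the function is not reviewed here.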
if (my $value = $rule->{$name}) {
if ($value =~ m/^\+/) {
- if ($value =~ m/^\+(${security_group_name_pattern})$/) {
+ if ($value =~ m/^\+(${ipset_name_pattern})$/) {
&$add_error($name, "no such ipset '$1'")
if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
if ($source) {
if ($source =~ m/^\+/) {
- if ($source =~ m/^\+(${security_group_name_pattern})$/) {
+ if ($source =~ m/^\+(${ipset_name_pattern})$/) {
my $name = $1;
if ($fw_conf && $fw_conf->{ipset}->{$name}) {
my $ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name);
if ($dest) {
if ($dest =~ m/^\+/) {
- if ($dest =~ m/^\+(${security_group_name_pattern})$/) {
+ if ($dest =~ m/^\+(${ipset_name_pattern})$/) {
my $name = $1;
if ($fw_conf && $fw_conf->{ipset}->{$name}) {
my $ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name);