X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;ds=inline;f=src%2FPVE%2FFirewall.pm;h=da1784cf66cbbf7c4f72771724f8193691b9cd41;hb=be99c6a0e95108bd9fe84b3c238e216ed2b31e64;hp=84f71d6fcfebc161c97043a3bf0c69e25d1906d8;hpb=fab41100e1ca3e50af5acdff20e8b60a67cd7822;p=pve-firewall.git diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 84f71d6..da1784c 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1623,6 +1623,8 @@ sub verify_rule { if !$allow_groups; &$add_error('action', "invalid characters in security group name") if $action && ($action !~ m/^${security_group_name_pattern}$/); + &$add_error('action', "security group '$action' does not exist") + if $action && !defined($cluster_conf->{groups}->{$action}); } else { &$add_error('type', "unknown rule type '$type'"); } @@ -2041,11 +2043,17 @@ sub ipt_rule_to_cmds { # Note: we use dport to store --icmp-type die "unknown icmp-type '$rule->{dport}'\n" if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}}); + # values for icmp-type range between 0 and 255 + # higher values and iptables-restore fails + die "invalid icmp-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255); push @match, "-m icmp --icmp-type $rule->{dport}"; } elsif ($proto eq 'icmpv6') { # Note: we use dport to store --icmpv6-type die "unknown icmpv6-type '$rule->{dport}'\n" if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}}); + # values for icmpv6-type range between 0 and 255 + # higher values and iptables-restore fails + die "invalid icmpv6-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255); push @match, "-m icmpv6 --icmpv6-type $rule->{dport}"; } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) { die "protocol $proto does not have ports\n"; @@ -2897,6 +2905,8 @@ sub generic_fw_config_parser { } return {} if !$raw; + my $curr_group_keys = {}; + my $linenr = 0; while ($raw =~ /^\h*(.*?)\h*$/gm) { my $line = $1; @@ -2957,6 +2967,8 @@ sub generic_fw_config_parser { } $res->{$section}->{$group} = []; + $curr_group_keys = {}; + $res->{ipset_comments}->{$group} = decode('utf8', $comment) if $comment; next; @@ -3021,6 +3033,8 @@ sub generic_fw_config_parser { } else { $cidr = parse_ip_or_cidr($cidr); } + die "duplicate ipset entry for '$cidr'\n" + if defined($curr_group_keys->{$cidr}); }; if (my $err = $@) { chomp $err; @@ -3044,6 +3058,7 @@ sub generic_fw_config_parser { } push @{$res->{$section}->{$group}}, $entry; + $curr_group_keys->{$cidr} = 1; } else { warn "$prefix: skip line - unknown section\n"; next; @@ -3221,7 +3236,13 @@ my $format_ipsets = sub { my $nethash = {}; foreach my $entry (@$options) { - $nethash->{$entry->{cidr}} = $entry; + my $cidr = $entry->{cidr}; + if (defined($nethash->{$cidr})) { + warn "ignoring duplicate ipset entry '$cidr'\n"; + next; + } + + $nethash->{$cidr} = $entry; } foreach my $cidr (sort keys %$nethash) { @@ -3282,13 +3303,15 @@ sub clone_vmfw_conf { my $sourcevm_conffile = "$pvefw_conf_dir/$vmid.fw"; my $clonevm_conffile = "$pvefw_conf_dir/$newid.fw"; - if (-f $clonevm_conffile) { - unlink $clonevm_conffile; - } - if (-f $sourcevm_conffile) { - my $data = PVE::Tools::file_get_contents($sourcevm_conffile); - PVE::Tools::file_set_contents($clonevm_conffile, $data); - } + lock_vmfw_conf($newid, 10, sub { + if (-f $clonevm_conffile) { + unlink $clonevm_conffile; + } + if (-f $sourcevm_conffile) { + my $data = PVE::Tools::file_get_contents($sourcevm_conffile); + PVE::Tools::file_set_contents($clonevm_conffile, $data); + } + }); } sub read_vm_firewall_configs {