X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=3123550fb24805e6ee96c4a8613674dc24bc2e6d;hb=78a72bc4b25a2b32a470e2d39fd1fcd120dafbdc;hp=5c810f2e9886f75bb81a66f99f9b8a3653f5e284;hpb=84870b1ac7ff662fce18ece5628ef0ed1beeb7b2;p=pve-firewall.git
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 5c810f2..3123550 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -816,7 +816,7 @@ sub parse_address_list {
 	my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4;
 
 	die "detected mixed ipv4/ipv6 addresses in address list '$str'\n"
-	    if defined($ipversion) && ($new_ipversion != $ipversion);
+	    if $ipversion && ($new_ipversion != $ipversion);
 
 	$ipversion = $new_ipversion;
     }
@@ -1750,7 +1750,7 @@ sub ruleset_generate_vm_rules {
     foreach my $rule (@$rules) {
 	next if $rule->{iface} && $rule->{iface} ne $netid;
 	next if !$rule->{enable} || $rule->{errors};
-	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
+	next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
 
 	if ($rule->{type} eq 'group') {
 	    ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
@@ -2925,7 +2925,7 @@ sub compile_iptables_filter {
 
     my $ipset_ruleset = {};
 
-    if ($hostfw_enable) {
+    if ($hostfw_enable && $ipversion eq 4) {
 	eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
 	warn $@ if $@; # just to be sure - should not happen
     }
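Review bot: The rewritten guard on the `+` line now treats a false `$ipversion` (0 or undef) as "no address seen yet", but the variable's initial value is assigned before this hunk and is not visible, so nothing near the `die` documents that 0 is the sentinel and not a real version. Since this value is also what `compile_iptables_filter` later compares with `==`, I'd add a one-line comment above the `die`: `# $ipversion stays false until the first address fixes the family; any later address of the other family is an error`. parse_address_list starts and ends outside this hunk.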
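Review bot: `$ipversion eq 4` on the `+` line in compile_iptables_filter compares a numeric version as a string, while the ruleset_generate_vm_rules hunk above switched the same comparison to `!=`; use `$ipversion == 4` for consistency. The security-relevant part is that enable_host_firewall is now skipped entirely for the IPv6 pass, and this hunk does not show what the host's IPv6 chains contain in that case, so it should be confirmed that turning the host firewall on does not leave the host filtered over IPv4 but unfiltered over IPv6 without the admin noticing. If this is a deliberate interim limitation, say so next to the condition: `# TODO: the host firewall is only generated for the IPv4 ruleset so far`. compile_iptables_filter continues outside this hunk.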
@@ -2971,18 +2971,20 @@ sub compile_iptables_filter {
 	    if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
 		my $ip = $conf->{ip_address}->{value};
 		$ip =~ s/\s+/,/g;
-		parse_address_list($ip); # make sure we have a valid $ip list
-		my @ips = split(',', $ip);
+		my @ips = ();
 
-		foreach my $singleip (@ips) {
-		    my $venet0ipset = {};
-		    $venet0ipset->{cidr} = $singleip;
-		    push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
+		foreach my $singleip (split(',', $ip)) {
+		    my $singleip_ver = parse_address_list($singleip); # make sure we have a valid $ip list
+		    push @{$cluster_conf->{ipset}->{venet0}}, { cidr => $singleip };
+		    push @ips, $singleip if $singleip_ver == $ipversion;
 		}
 
-		generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN', $ipversion);
-		generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT', $ipversion);
+		if (scalar(@ips)) {
+		    my $ip_list = join(',', @ips);
+		    generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'IN', $ipversion);
+		    generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'OUT', $ipversion);
+		}
 	    }
 	}
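Review bot: The per-element validation on the new `foreach` line can receive an empty string: `$ip =~ s/\s+/,/g;` two lines above turns leading whitespace in `ip_address` into a leading comma, and `split(',', $ip)` keeps that leading empty field (trailing empties are dropped), whereas the old code validated the joined list in one call. What `parse_address_list('')` does, and what it returns for the `==` on the last `+push` line, is not visible here, so an empty element may end up in the venet0 ipset as `{ cidr => '' }` or trip an undefined-value comparison. I would drop empty elements before validating: `foreach my $singleip (grep { length } split(',', $ip)) {`. Note also that every address is still pushed into the venet0 ipset regardless of `$ipversion` and only the rule generation is filtered by family; if that is intended, a short comment on the ipset `push` would save the next reader from asking. The enclosing if-block and loop start and end outside this hunk.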