+
+ my ($action, $iface, $source, $dest, $proto, $dport, $sport);
+
+ $line =~ s/#.*$//;
+
+ my @data = split(/\s+/, $line);
+ my $expected_elements = $need_iface ? 7 : 6;
+
+ die "wrong number of rule elements\n" if scalar(@data) > $expected_elements;
+
+ if ($need_iface) {
+ ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data
+ } else {
+ ($action, $source, $dest, $proto, $dport, $sport) = @data;
+ }
+
+ die "incomplete rule\n" if !$action;
+
+ my $macro;
+ my $macro_name;
+
+ if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
+ # OK
+ } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) {
+ # OK
+ } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
+ ($macro_name, $action) = ($1, $2);
+ my $lc_macro_name = lc($macro_name);
+ my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name};
+ $macro_name = $preferred_name if $preferred_name;
+ $macro = $macros->{$lc_macro_name};
+ die "unknown macro '$macro_name'\n" if !$macro;
+ } else {
+ die "unknown action '$action'\n";
+ }
+
+ if ($need_iface) {
+ $iface = undef if $iface && $iface eq '-';
+ die "unknown interface '$iface'\n"
+ if defined($iface) && !$valid_netdev_names->{$iface};
+ }
+
+ $proto = undef if $proto && $proto eq '-';
+ die "unknown protokol '$proto'\n" if $proto &&
+ !(defined($protocols->{byname}->{$proto}) ||
+ defined($protocols->{byid}->{$proto}));
+
+ $source = undef if $source && $source eq '-';
+ $dest = undef if $dest && $dest eq '-';
+
+ $dport = undef if $dport && $dport eq '-';
+ $sport = undef if $sport && $sport eq '-';
+
+ my $nbsource = undef;
+ my $nbdest = undef;
+
+ $nbsource = parse_address_list($source) if $source;
+ $nbdest = parse_address_list($dest) if $dest;
+
+ my $rules = [];
+
+ my $param = {
+ action => $action,
+ iface => $iface,
+ source => $source,
+ dest => $dest,
+ nbsource => $nbsource,
+ nbdest => $nbdest,
+ proto => $proto,
+ dport => $dport,
+ sport => $sport,
+ };
+
+ if ($macro) {
+ foreach my $templ (@$macro) {
+ my $rule = {};
+ foreach my $k (keys %$templ) {
+ my $v = $templ->{$k};
+ $v = $param->{$k} if $v eq 'PARAM';
+ die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v);
+ $rule->{$k} = $v;
+ }
+ push @$rules, $rule;
+ }
+ } else {
+ push @$rules, $param;
+ }
+
+ foreach my $rule (@$rules) {
+ $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport})
+ if defined($rule->{dport});
+ $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport})
+ if defined($rule->{sport});
+ }
+
+ return $rules;
+}
+
+sub parse_vm_fw_rules {
+ my ($filename, $fh) = @_;
+
+ my $res = { in => [], out => [] };
+
+ my $section;
+