{ action => 'PARAM', proto => 'tcp', dport => '1723' },
],
'Ping' => [
- { action => 'PARAM', proto => 'icmp', dport => '8' },
+ { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
],
'PostgreSQL' => [
{ action => 'PARAM', proto => 'tcp', dport => '5432' },
],
'Trcrt' => [
{ action => 'PARAM', proto => 'udp', dport => '33434:33524' },
- { action => 'PARAM', proto => 'icmp', dport => '8' },
+ { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
],
'VNC' => [
{ action => 'PARAM', proto => 'tcp', dport => '5900:5909' },
sub ruleset_generate_rule {
my ($ruleset, $chain, $rule, $actions, $goto) = @_;
+ return if $rule->{disable};
+
my $cmd = '';
$cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
if ($rule->{dport}) {
if ($rule->{proto} && $rule->{proto} eq 'icmp') {
# Note: we use dport to store --icmp-type
- die "unknown icmp-type\n" if !$icmp_type_names->{$rule->{dport}};
+ die "unknown icmp-type '$rule->{dport}'\n" if !$icmp_type_names->{$rule->{dport}};
$cmd .= " -m icmp --icmp-type $rule->{dport}";
} else {
if ($rule->{nbdport} && $rule->{nbdport} > 1) {
my ($action, $iface, $source, $dest, $proto, $dport, $sport);
- $line =~ s/#.*$//;
+ # we can add single line comments to the end of the rule
+ my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//;
+
+ # we can disable a rule when prefixed with '|'
+ my $disable = 1 if $line =~ s/^\|//;
my @data = split(/\s+/, $line);
my $expected_elements = $need_iface ? 7 : 6;
my $rules = [];
my $param = {
+ disable => $disable,
+ comment => $comment,
action => $action,
iface => $iface,
source => $source,
projects / pve-firewall.git / blobdiff