$have_pve_manager = 1;
};
+my $pve_fw_status_dir = "/var/lib/pve-firewall";
+
+mkdir $pve_fw_status_dir; # make sure this exists
+
my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
my $ipset_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
our $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
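Review bot: The added `mkdir $pve_fw_status_dir; # make sure this exists` is unchecked and runs at module load time with whatever umask the process has, so a failure (missing parent directory, module loaded by a non-root process) only surfaces later when `PVE::Tools::file_set_contents` dies inside the function that applies the ruleset, and the directory itself may be created world-readable even though the files written into it in the later hunk (ipsetcmdlist1, ip4cmdlist, ip6cmdlist, ipsetcmdlist2) hold the complete generated ruleset. Prefer an explicit mode and a checked result, e.g. `mkdir($pve_fw_status_dir, 0700) or -d $pve_fw_status_dir or warn "unable to create $pve_fw_status_dir: $!\n";`, and, if the file_set_contents in use accepts a mode as its optional third argument, pass `0600` for those dump files too. The comment would be more useful if it said what the directory is for, e.g. `# status dir: the last generated ipset/iptables command lists are stored here`.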
$errors->{$param} = $msg if !$errors->{$param};
};
+ my $ipversion;
+ my $set_ip_version = sub {
+ my $vers = shift;
+ if ($vers) {
+ die "detected mixed ipv4/ipv6 adresses in rule\n"
+ if $ipversion && ($vers != $ipversion);
+ $ipversion = $vers;
+ }
+ };
+
my $check_ipset_or_alias_property = sub {
my ($name, $expected_ipversion) = @_;
my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
$e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
- die "detected mixed ipv4/ipv6 adresses in rule\n"
- if $expected_ipversion && ($expected_ipversion != $e->{ipversion});
+ &$set_ip_version($e->{ipversion});
}
}
};
}
}
- my $ipversion;
- my $set_ip_version = sub {
- my $vers = shift;
- if ($vers) {
- die "detected mixed ipv4/ipv6 adresses in rule\n"
- if $ipversion && ($vers != $ipversion);
- $ipversion = $vers;
- }
- };
-
if ($rule->{proto}) {
eval { pve_fw_verify_protocol_spec($rule->{proto}); };
&$add_error('proto', $@) if $@;
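Review bot: In the alias branch, the new `&$set_ip_version($e->{ipversion});` is a silent no-op when `$e` is undef or carries no ipversion, because the closure returns early on a false `$vers`; the replaced comparison had the same blind spot, so this is not a regression, but if the unresolved-alias case is not rejected before this line (that check, if any, lies outside the hunk) a rule mixing an unknown alias with an address of the other family passes validation without complaint. It would be worth an explicit `die "no such alias '$name'\n" if !$e;` ahead of the call, or a comment stating where that is guaranteed. Since the message is being moved anyway, the typo could be fixed in the same go: `die "detected mixed ipv4/ipv6 addresses in rule\n"`. The enclosing function begins before this hunk.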
# remove unused list chains first
foreach my $chain (keys %$statushash) {
next if $statushash->{$chain}->{action} ne 'delete';
- next if $chain !~ m/-v[46]$/;
+ next if $chain =~ m/-v[46]$/;
$delete_cmdlist .= "flush $chain\n";
$delete_cmdlist .= "destroy $chain\n";
# the remove unused -v4 -v6 chains
foreach my $chain (keys %$statushash) {
next if $statushash->{$chain}->{action} ne 'delete';
- next if $chain =~ m/-v[46]$/;
+ next if $chain !~ m/-v[46]$/;
$delete_cmdlist .= "flush $chain\n";
$delete_cmdlist .= "destroy $chain\n";
}
}
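Review bot: After swapping `!~` and `=~` the two loop comments now say the opposite of what the conditions do: the loop under `# remove unused list chains first` now skips the -v4/-v6 chains and deletes the others, and the loop under `# the remove unused -v4 -v6 chains` is the one that deletes them. Update the comments to match and, if the reason is the one I infer (the -v4/-v6 sets are members of the combined set and cannot be destroyed while still referenced), state it, e.g. `# remove the unused combined chains first; their -v4/-v6 members cannot be destroyed while still referenced` and `# then remove the unused -v4/-v6 chains`, which also fixes the "the remove" wording. The end of the first loop is not visible between the two changes in this hunk.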
+ my $tmpfile = "$pve_fw_status_dir/ipsetcmdlist1";
+ PVE::Tools::file_set_contents($tmpfile, $ipset_create_cmdlist || '');
+
ipset_restore_cmdlist($ipset_create_cmdlist);
+ $tmpfile = "$pve_fw_status_dir/ip4cmdlist";
+ PVE::Tools::file_set_contents($tmpfile, $cmdlist || '');
+
iptables_restore_cmdlist($cmdlist);
+
+ $tmpfile = "$pve_fw_status_dir/ip6cmdlist";
+ PVE::Tools::file_set_contents($tmpfile, $cmdlistv6 || '');
+
ip6tables_restore_cmdlist($cmdlistv6);
+ $tmpfile = "$pve_fw_status_dir/ipsetcmdlist2";
+ PVE::Tools::file_set_contents($tmpfile, $ipset_delete_cmdlist || '');
+
ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
# test: re-read status and check if everything is up to date