my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4;
die "detected mixed ipv4/ipv6 addresses in address list '$str'\n"
- if defined($ipversion) && ($new_ipversion != $ipversion);
+ if $ipversion && ($new_ipversion != $ipversion);
$ipversion = $new_ipversion;
}
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
next if !$rule->{enable} || $rule->{errors};
- next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
+ next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
my $ipset_ruleset = {};
- if ($hostfw_enable) {
+ if ($hostfw_enable && $ipversion eq 4) {
eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
warn $@ if $@; # just to be sure - should not happen
}
if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
my $ip = $conf->{ip_address}->{value};
$ip =~ s/\s+/,/g;
- parse_address_list($ip); # make sure we have a valid $ip list
- my @ips = split(',', $ip);
+ my @ips = ();
- foreach my $singleip (@ips) {
- my $venet0ipset = {};
- $venet0ipset->{cidr} = $singleip;
- push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
+ foreach my $singleip (split(',', $ip)) {
+ my $singleip_ver = parse_address_list($singleip); # make sure we have a valid $ip list
+ push @{$cluster_conf->{ipset}->{venet0}}, { cidr => $singleip };
+ push @ips, $singleip if $singleip_ver == $ipversion;
}
- generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN', $ipversion);
- generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT', $ipversion);
+ if (scalar(@ips)) {
+ my $ip_list = join(',', @ips);
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'IN', $ipversion);
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'OUT', $ipversion);
+ }
}
}
projects / pve-firewall.git / blobdiff