use Digest::SHA;
use PVE::INotify;
use PVE::Exception qw(raise raise_param_exc);
-use PVE::JSONSchema qw(get_standard_option);
+use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Cluster;
use PVE::ProcFSTools;
use PVE::Tools qw($IPV4RE);
sub pve_verify_ipv4_or_cidr {
my ($cidr, $noerr) = @_;
- if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$! && (!$1 || (($2 > 7) && ($2 <= 32)))) {
- return $cidr;
+ if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) {
+ return $cidr if Net::IP->new($cidr);
+ return undef if $noerr;
+ die Net::IP::Error() . "\n";
}
return undef if $noerr;
die "value does not look like a valid IP address or CIDR network\n";
}
+PVE::JSONSchema::register_standard_option('ipset-name', {
+ description => "IP set name.",
+ type => 'string',
+ pattern => '[A-Za-z][A-Za-z0-9\-\_]+',
+ minLength => 2,
+ maxLength => 20,
+});
+
+PVE::JSONSchema::register_standard_option('pve-security-group-name', {
+ description => "Security Group name.",
+ type => 'string',
+ pattern => '[A-Za-z][A-Za-z0-9\-\_]+',
+ minLength => 2,
+ maxLength => 20,
+});
my $feature_ipset_nomatch = 0;
eval {
sub parse_address_list {
my ($str) = @_;
- return if $str !~ m/^(\+)(\S+)$/; # ipset ref
+ return if $str =~ m/^(\+)(\S+)$/; # ipset ref
my $count = 0;
my $iprange = 0;
if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) {
$section = 'groups';
$group = lc($1);
+ $res->{$section}->{$group} = [];
next;
}
if ($line =~ m/^\[ipset\s+(\S+)\]\s*$/i) {
$section = 'ipset';
$group = lc($1);
+ $res->{$section}->{$group} = [];
next;
}
# we can add single line comments to the end of the rule
my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
- $line =~ m/^(\!)?\s*((?:\d+)\.(?:\d+)\.(?:\d+)\.(?:\d+))(?:\/(\d+))?\s*$/;
+ $line =~ m/^(\!)?\s*(\S+)\s*$/;
my $nomatch = $1;
my $cidr = $2;
- $cidr .= "/$3" if defined($3) && $3 != 32;
-
- if (!Net::IP->new($cidr)) {
- my $err = Net::IP::Error();
- warn "$prefix: $cidr - $err\n";
+ $cidr =~ s|/32$||;
+
+ eval { pve_verify_ipv4_or_cidr($cidr); };
+ if (my $err = $@) {
+ warn "$prefix: $cidr - $err";
next;
}
push @{$ipset_ruleset->{$name}}, "create $name hash:net family inet hashsize $hashsize maxelem $hashsize";
+ # remove duplicates
+ my $nethash = {};
foreach my $entry (@$options) {
- my $cidr = $entry->{cidr};
+ $nethash->{$entry->{cidr}} = $entry;
+ }
+
+ foreach my $cidr (sort keys %$nethash) {
+ my $entry = $nethash->{$cidr};
+
my $cmd = "add $name $cidr";
if ($entry->{nomatch}) {
if ($feature_ipset_nomatch) {
my $active_chains = ipset_get_chains();
my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose);
+ # remove stale _swap chains
+ foreach my $chain (keys %$active_chains) {
+ if ($chain =~ m/^PVEFW-\S+_swap$/) {
+ $cmdlist .= "destroy $chain\n";
+ }
+ }
+
foreach my $chain (sort keys %$ruleset) {
my $stat = $statushash->{$chain};
die "internal error" if !$stat;
projects / pve-firewall.git / blobdiff