rule type and action are required parameters

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 88fc044315a77aed0664dbbf4455a83e960d764a..8fd0f482c6353b38f3989f13e6862e3fb53a7c42 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -613,6 +613,8 @@ sub get_etc_protocols {
 sub parse_address_list {
     my ($str) = @_;
 
+    return if $str !~ m/^(\+)(\S+)$/; # ipset ref
+
     my $count = 0;
     my $iprange = 0;
     foreach my $elem (split(/,/, $str)) {
@@ -765,7 +767,9 @@ sub add_rule_properties {
     my ($properties) = @_;
 
     foreach my $k (keys %$rule_properties) {
-       $properties->{$k} = $rule_properties->{$k};
+       my $h = $rule_properties->{$k};
+       # copy data, so that we can modify later without side effects
+       foreach my $opt (keys %$h) { $properties->{$k}->{$opt} = $h->{$opt}; }
     }
 
     return $properties;
@@ -950,7 +954,7 @@ sub ruleset_generate_cmdstr {
            die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
            push @cmd, "-m set --match-set PVEFW-$2 src";
 
-        } elsif ($source =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+        } elsif ($source =~ m/\-/){
            push @cmd, "-m iprange --src-range $source";
 
        } else {
@@ -1591,8 +1595,8 @@ sub parse_fw_rule {
     parse_port_name_number_or_range($dport) if defined($dport);
     parse_port_name_number_or_range($sport) if defined($sport);
 
-    parse_address_list($source) if $source && $source !~ m/^(\+)(\S+)$/;
-    parse_address_list($dest) if $dest && $dest !~ m/^(\+)(\S+)$/;
+    parse_address_list($source) if $source;
+    parse_address_list($dest) if $dest;
 
     return {
        type => $type,