sub parse_address_list {
my ($str) = @_;
- my $nbaor = 0;
- foreach my $aor (split(/,/, $str)) {
- if($nbaor > 0 && $aor =~ m/-/){
- die "you can use a range in a list";
- }
- if (!Net::IP->new($aor)) {
+ return if $str !~ m/^(\+)(\S+)$/; # ipset ref
+
+ my $count = 0;
+ my $iprange = 0;
+ foreach my $elem (split(/,/, $str)) {
+ $count++;
+ if (!Net::IP->new($elem)) {
my $err = Net::IP::Error();
die "invalid IP address: $err\n";
- }else{
- $nbaor++;
}
+ $iprange = 1 if $elem =~ m/-/;
}
+
+ die "you can use a range in a list\n" if $iprange && $count > 1;
}
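Review bot: The early return added at the top of parse_address_list is inverted. `return if $str !~ m/^(\+)(\S+)$/;` returns for every value that is not an ipset reference, so plain addresses, lists and ranges never reach the Net::IP check, while `+name` references fall through to it and die as invalid IP addresses. The `# ipset ref` comment and the guards removed from the two callers further down suggest the intent was `return if $str =~ m/^\+\S+$/; # ipset ref`. Because this sub is the validation gate for source and dest before they are placed into rule text, a regression test covering a malformed address and an ipset reference would be worth adding. The message on the last added line probably also means "you can't use a range in a list".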
sub parse_port_name_number_or_range {
my ($properties) = @_;
foreach my $k (keys %$rule_properties) {
- $properties->{$k} = $rule_properties->{$k};
+ my $h = $rule_properties->{$k};
+ # copy data, so that we can modify later without side effects
+ foreach my $opt (keys %$h) { $properties->{$k}->{$opt} = $h->{$opt}; }
}
return $properties;
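Review bot: The per-key copy in this loop is only one level deep, and it merges rather than replaces. `$properties->{$k}->{$opt} = $h->{$opt}` keeps any option already present under `$properties->{$k}`, and any value in `$h` that is itself a reference is still shared with `$rule_properties`. If the intent is to replace the entry as the old line did, `$properties->{$k} = { %$h };` says that directly, though it is also a shallow copy. The comment could state that option values are assumed to be plain scalars. The enclosing sub starts outside the hunk, so whether `$properties` can already hold `$k` is not visible here.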
die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
push @cmd, "-m set --match-set PVEFW-$2 src";
- } elsif ($source =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ } elsif ($source =~ m/\-/){
push @cmd, "-m iprange --src-range $source";
} else {
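Review bot: The new test `$source =~ m/\-/` treats any string containing a hyphen as an IP range and interpolates it into `--src-range $source`, so this branch depends entirely on the value having been validated before it gets here. The removed pattern was anchored and accepted only digits and separators; the new one has no anchors and no character restriction. Consider validating at the point of use, for example `die "invalid source range '$source'\n" if !Net::IP->new($source);` as the first statement of the branch, so that the rule text cannot carry an unchecked string even if the upstream check is skipped or changed. The surrounding if/elsif chain starts and ends outside the hunk.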
parse_port_name_number_or_range($dport) if defined($dport);
parse_port_name_number_or_range($sport) if defined($sport);
- parse_address_list($source) if $source && $source !~ m/^(\+)(\S+)$/;
- parse_address_list($dest) if $dest && $dest !~ m/^(\+)(\S+)$/;
+ parse_address_list($source) if $source;
+ parse_address_list($dest) if $dest;
return {
type => $type,