allow numeric icmp types

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f75b2954d215e9c06d472ff367392a30cda498b6..a39cf6d46503dcded67f047387a8d50a3369fb36 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -137,6 +137,15 @@ my $pve_ipv6fw_macros = {
     'Ping' => [
        { action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
     ],
+    'NeighborDiscovery' => [
+       "IPv6 neighbor solicitation, neighbor and router advertisement",
+       { action => 'PARAM', proto => 'icmpv6', dport => 'router-advertisement' },
+       { action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-solicitation' },
+       { action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-advertisement' },
+    ],
+    'DHCPv6' => [
+       { action => 'PARAM', proto => 'udp', dport => '546:547', sport => '546:547' },
+    ],
     'Trcrt' => [
        { action => 'PARAM', proto => 'udp', dport => '33434:33524' },
        { action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
@@ -735,7 +744,9 @@ my $icmpv6_type_names = {
     'echo-reply' => 1,
     'router-solicitation' => 1,
     'router-advertisement' => 1,
+    'neighbor-solicitation' => 1,
     'neighbour-solicitation' => 1,
+    'neighbor-advertisement' => 1,
     'neighbour-advertisement' => 1,
     'redirect' => 1,
 };
@@ -1664,11 +1675,13 @@ sub ruleset_generate_cmdstr {
        if ($rule->{dport}) {
            if ($rule->{proto} && $rule->{proto} eq 'icmp') {
                # Note: we use dport to store --icmp-type
-               die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
+               die "unknown icmp-type '$rule->{dport}'\n"
+                   if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
                push @cmd, "-m icmp --icmp-type $rule->{dport}";
            } elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') {
                # Note: we use dport to store --icmpv6-type
-               die "unknown icmpv6-type '$rule->{dport}'\n" if !defined($icmpv6_type_names->{$rule->{dport}});
+               die "unknown icmpv6-type '$rule->{dport}'\n"
+                   if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
                push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
            } else {
                if ($nbdport > 1) {
@@ -2117,7 +2130,8 @@ sub enable_host_firewall {
     ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
     ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH
 
-    my ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network());
+    my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+    my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion};
 
     # corosync
     if ($localnet && ($ipversion == $localnet_ver)) {
@@ -3089,8 +3103,11 @@ sub compile_iptables_filter {
     if ($cluster_conf->{aliases}->{local_network}) {
        $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
     } else {
-       $localnet = local_network() || '127.0.0.0/8';
-       $cluster_conf->{aliases}->{local_network} = { cidr => $localnet };
+       my $localnet_ver;
+       ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
+
+       $cluster_conf->{aliases}->{local_network} = { 
+           name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
     }
 
     push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };