{ action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-solicitation' },
{ action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-advertisement' },
],
+ 'DHCPv6' => [
+ { action => 'PARAM', proto => 'udp', dport => '546:547', sport => '546:547' },
+ ],
'Trcrt' => [
{ action => 'PARAM', proto => 'udp', dport => '33434:33524' },
{ action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
return 1 if $name =~ m/^PVEFW-\S+$/;
- return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
+ return 1 if $name =~ m/^tap\d+i\d+-(?:IN|OUT)$/;
- return 1 if $name =~ m/^veth\d+i\d+-(:?IN|OUT)$/;
+ return 1 if $name =~ m/^veth\d+i\d+-(?:IN|OUT)$/;
- return 1 if $name =~ m/^fwbr\d+(v\d+)?-(:?FW|IN|OUT|IPS)$/;
- return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
+ return 1 if $name =~ m/^fwbr\d+(v\d+)?-(?:FW|IN|OUT|IPS)$/;
+ return 1 if $name =~ m/^GROUP-(?:$security_group_name_pattern)-(?:IN|OUT)$/;
return undef;
};
if ($rule->{dport}) {
if ($rule->{proto} && $rule->{proto} eq 'icmp') {
# Note: we use dport to store --icmp-type
- die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
+ die "unknown icmp-type '$rule->{dport}'\n"
+ if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
push @cmd, "-m icmp --icmp-type $rule->{dport}";
} elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') {
# Note: we use dport to store --icmpv6-type
- die "unknown icmpv6-type '$rule->{dport}'\n" if !defined($icmpv6_type_names->{$rule->{dport}});
+ die "unknown icmpv6-type '$rule->{dport}'\n"
+ if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
} else {
if ($nbdport > 1) {
my $accept = generate_nfqueue($options);
if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
- if ($direction eq 'OUT') {
- ruleset_generate_rule($ruleset, $chain, $ipversion,
- { action => 'PVEFW-SET-ACCEPT-MARK',
- proto => 'udp', sport => 68, dport => 67 });
- } else {
- ruleset_generate_rule($ruleset, $chain, $ipversion,
- { action => 'ACCEPT',
- proto => 'udp', sport => 67, dport => 68 });
+ if ($ipversion == 4) {
+ if ($direction eq 'OUT') {
+ ruleset_generate_rule($ruleset, $chain, $ipversion,
+ { action => 'PVEFW-SET-ACCEPT-MARK',
+ proto => 'udp', sport => 68, dport => 67 });
+ } else {
+ ruleset_generate_rule($ruleset, $chain, $ipversion,
+ { action => 'ACCEPT',
+ proto => 'udp', sport => 67, dport => 68 });
+ }
+ } elsif ($ipversion == 6) {
+ if ($direction eq 'OUT') {
+ ruleset_generate_rule($ruleset, $chain, $ipversion,
+ { action => 'PVEFW-SET-ACCEPT-MARK',
+ proto => 'udp', sport => 546, dport => 547 });
+ } else {
+ ruleset_generate_rule($ruleset, $chain, $ipversion,
+ { action => 'ACCEPT',
+ proto => 'udp', sport => 547, dport => 546 });
+ }
}
+
}
if ($direction eq 'OUT') {
projects / pve-firewall.git / blobdiff