use integer compare for $ipversion

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e99019e4d1421a99e4f802441ef3121dd9521234..c3cd90e02bbc5b69ee07bb2631462eecaf3aa80d 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2925,7 +2925,8 @@ sub compile_iptables_filter {
 
     my $ipset_ruleset = {};
 
-    if ($hostfw_enable) {
+    # currently pveproxy don't works with ipv6, so let's generate host fw ipv4 only for the moment
+    if ($hostfw_enable && ($ipversion == 4)) {
        eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
        warn $@ if $@; # just to be sure - should not happen
     }
@@ -2971,18 +2972,20 @@ sub compile_iptables_filter {
                if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
                    my $ip = $conf->{ip_address}->{value};
                    $ip =~ s/\s+/,/g;
-                   parse_address_list($ip); # make sure we have a valid $ip list
 
-                   my @ips = split(',', $ip);
+                   my @ips = ();
 
-                   foreach my $singleip (@ips) {
-                       my $venet0ipset = {};
-                       $venet0ipset->{cidr} = $singleip;
-                       push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
+                   foreach my $singleip (split(',', $ip)) {
+                       my $singleip_ver = parse_address_list($singleip); # make sure we have a valid $ip list
+                       push @{$cluster_conf->{ipset}->{venet0}}, { cidr => $singleip };
+                       push @ips, $singleip if $singleip_ver == $ipversion;
                    }
 
-                   generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN', $ipversion);
-                   generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT', $ipversion);
+                   if (scalar(@ips)) {
+                       my $ip_list = join(',', @ips);
+                       generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'IN', $ipversion);
+                       generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'OUT', $ipversion);
+                   }
                }
            }