split parser out of get_etc_protocols

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f952978516d358473bf94ed852443266439d4a24..d8f05d85b4efa64958c54965fbc2d2cca671eaae 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -876,12 +876,8 @@ sub get_etc_services {
     return $etc_services;
 }
 
-my $etc_protocols;
-
-sub get_etc_protocols {
-    return $etc_protocols if $etc_protocols;
-
-    my $filename = "/etc/protocols";
+sub parse_protocol_file {
+    my ($filename) = @_;
 
     my $fh = IO::File->new($filename, O_RDONLY);
     if (!$fh) {
@@ -904,6 +900,16 @@ sub get_etc_protocols {
 
     close($fh);
 
+    return $protocols;
+}
+
+my $etc_protocols;
+
+sub get_etc_protocols {
+    return $etc_protocols if $etc_protocols;
+
+    my $protocols = parse_protocol_file('/etc/protocols');
+
     # add special case for ICMP v6
     $protocols->{byid}->{icmpv6}->{name} = "icmpv6";
     $protocols->{byname}->{icmpv6} = $protocols->{byid}->{icmpv6};
@@ -1890,6 +1896,7 @@ sub ipt_rule_to_cmds {
 
            my $add_dport = sub {
                return if !$rule->{dport};
+
                if ($proto eq 'icmp') {
                    # Note: we use dport to store --icmp-type
                    die "unknown icmp-type '$rule->{dport}'\n"
@@ -1911,6 +1918,7 @@ sub ipt_rule_to_cmds {
 
            my $add_sport = sub {
                return if !$rule->{sport};
+
                die "protocol $proto does not have ports\n"
                    if !$PROTOCOLS_WITH_PORTS->{$proto};
                if ($multisport) {
@@ -1920,6 +1928,7 @@ sub ipt_rule_to_cmds {
                }
            };
 
+           # order matters - single port before multiport!
            $add_dport->() if $multisport;
            $add_sport->();
            $add_dport->() if !$multisport;