$have_pve_manager = 1;
};
+my $pve_fw_status_dir = "/var/lib/pve-firewall";
+
+mkdir $pve_fw_status_dir; # make sure this exists
+
my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
my $ipset_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
-my $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+our $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
my $max_alias_name_length = 64;
my $max_ipset_name_length = 64;
$errors->{$param} = $msg if !$errors->{$param};
};
+ my $ipversion;
+ my $set_ip_version = sub {
+ my $vers = shift;
+ if ($vers) {
+ die "detected mixed ipv4/ipv6 adresses in rule\n"
+ if $ipversion && ($vers != $ipversion);
+ $ipversion = $vers;
+ }
+ };
+
my $check_ipset_or_alias_property = sub {
my ($name, $expected_ipversion) = @_;
my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
$e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
- die "detected mixed ipv4/ipv6 adresses in rule\n"
- if $expected_ipversion && ($expected_ipversion != $e->{ipversion});
+ &$set_ip_version($e->{ipversion});
}
}
};
}
}
- my $ipversion;
- my $set_ip_version = sub {
- my $vers = shift;
- if ($vers) {
- die "detected mixed ipv4/ipv6 adresses in rule\n"
- if $ipversion && ($vers != $ipversion);
- $ipversion = $vers;
- }
- };
-
if ($rule->{proto}) {
eval { pve_fw_verify_protocol_spec($rule->{proto}); };
&$add_error('proto', $@) if $@;
}
}
+ my $tmpfile = "$pve_fw_status_dir/ipsetcmdlist1";
+ PVE::Tools::file_set_contents($tmpfile, $ipset_create_cmdlist || '');
+
ipset_restore_cmdlist($ipset_create_cmdlist);
+ $tmpfile = "$pve_fw_status_dir/ip4cmdlist";
+ PVE::Tools::file_set_contents($tmpfile, $cmdlist || '');
+
iptables_restore_cmdlist($cmdlist);
+
+ $tmpfile = "$pve_fw_status_dir/ip6cmdlist";
+ PVE::Tools::file_set_contents($tmpfile, $cmdlistv6 || '');
+
ip6tables_restore_cmdlist($cmdlistv6);
+ $tmpfile = "$pve_fw_status_dir/ipsetcmdlist2";
+ PVE::Tools::file_set_contents($tmpfile, $ipset_delete_cmdlist || '');
+
ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
# test: re-read status and check if everything is up to date