sub parse_fw_rule {
my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
- chomp $line;
-
my $orig_line = $line;
my $rule = {};
$opt = lc($1);
$value = $2;
} else {
- chomp $line;
die "can't parse option '$line'\n"
}
$opt = lc($1);
$value = int($2);
} else {
- chomp $line;
die "can't parse option '$line'\n"
}
$opt = lc($1);
$value = uc($3);
} else {
- chomp $line;
die "can't parse option '$line'\n"
}
return ($opt, $value);
}
+sub resolve_alias {
+ my ($clusterfw_conf, $fw_conf, $cidr) = @_;
+
+ if ($cidr !~ m/^\d/) {
+ my $alias = lc($cidr);
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $clusterfw_conf->{aliases}->{$alias} if !$e && $clusterfw_conf;
+ return $e->{cidr} if $e;
+
+ die "no such alias '$cidr'\n";
+ }
+
+ return $cidr;
+}
+
sub parse_alias {
my ($line) = @_;
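Review bot: `my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;` on the fourth line of resolve_alias is a `my` declaration with a statement modifier, whose behaviour perl documents as undefined: when `$fw_conf` is false, `$e` may still carry the value from an earlier call, so an alias lookup could return a CIDR that was resolved for a different alias and that address would then land in the generated rule set. Split declaration and assignment, `my $e; $e = $fw_conf->{aliases}->{$alias} if $fw_conf;`, or write `my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;`. The same construct is in the removed duplicate-removal loop further down, so this rewrite is the right place to retire it. Separately, this function treats anything not starting with a digit as an alias (`$cidr !~ m/^\d/`) while its callers test `m/^${ip_alias_pattern}$/`; using the same pattern here would keep the two checks from disagreeing about what counts as an alias.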
my $res = $empty_conf;
- my $ipset_option = get_standard_option('ipset-name');
-
while (defined(my $line = <$fh>)) {
next if $line =~ m/^#/;
next if $line =~ m/^\s*$/;
+ chomp $line;
+
my $linenr = $fh->input_line_number();
my $prefix = "$filename (line $linenr)";
$line =~ m/^(\!)?\s*(\S+)\s*$/;
my $nomatch = $1;
my $cidr = $2;
+ my $errors;
- if($cidr !~ m/^${ip_alias_pattern}$/) {
- $cidr =~ s|/32$||;
+ if ($nomatch && !$feature_ipset_nomatch) {
+ $errors->{nomatch} = "nomatch not supported by kernel";
+ }
- eval { pve_verify_ipv4_or_cidr($cidr); };
- if (my $err = $@) {
- warn "$prefix: $cidr - $err";
- next;
+ eval {
+ if ($cidr =~ m/^${ip_alias_pattern}$/) {
+ resolve_alias($cluster_conf, $res, $cidr); # make sure alias exists
+ } else {
+ $cidr =~ s|/32$||;
+ pve_verify_ipv4_or_cidr_or_alias($cidr);
}
+ };
+ if (my $err = $@) {
+ chomp $err;
+ $errors->{cidr} = $err;
}
my $entry = { cidr => $cidr };
$entry->{nomatch} = 1 if $nomatch;
$entry->{comment} = $comment if $comment;
+ $entry->{errors} = $errors if $errors;
+
+ if ($verbose && $errors) {
+ warn "$prefix - errors in ipset '$group': $line\n";
+ foreach my $p (keys %{$errors}) {
+ warn " $p: $errors->{$p}\n";
+ }
+ }
push @{$res->{$section}->{$group}}, $entry;
} else {
# remove duplicates
my $nethash = {};
foreach my $entry (@$options) {
- my $cidr = $entry->{cidr};
- if ($cidr =~ m/^${ip_alias_pattern}$/) {
- my $alias = lc($cidr);
- my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
- $e = $clusterfw_conf->{aliases}->{$alias} if !$e && $clusterfw_conf;
- if ($e) {
- $entry->{cidr} = $e->{cidr};
- $nethash->{$entry->{cidr}} = $entry;
- } else {
- warn "no such alias '$cidr'\n";
- }
- } else {
- $nethash->{$entry->{cidr}} = $entry;
- }
+ next if $entry->{errors}; # skip entries with errors
+ eval {
+ my $cidr = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
+ $nethash->{$cidr} = { cidr => $cidr, nomatch => $entry->{nomatch} };
+ };
+ warn $@ if $@;
}
foreach my $cidr (sort keys %$nethash) {
push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+ return ({}, {}) if !$cluster_conf->{options}->{enable};
+
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");