sub parse_fw_rule {
my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
- chomp $line;
-
my $orig_line = $line;
my $rule = {};
$opt = lc($1);
$value = $2;
} else {
- chomp $line;
die "can't parse option '$line'\n"
}
$opt = lc($1);
$value = int($2);
} else {
- chomp $line;
die "can't parse option '$line'\n"
}
$opt = lc($1);
$value = uc($3);
} else {
- chomp $line;
die "can't parse option '$line'\n"
}
next if $line =~ m/^#/;
next if $line =~ m/^\s*$/;
+ chomp $line;
+
my $linenr = $fh->input_line_number();
my $prefix = "$filename (line $linenr)";
$line =~ m/^(\!)?\s*(\S+)\s*$/;
my $nomatch = $1;
my $cidr = $2;
+ my $errors;
+
+ if ($nomatch && !$feature_ipset_nomatch) {
+ $errors->{nomatch} = "nomatch not supported by kernel";
+ }
eval {
if ($cidr =~ m/^${ip_alias_pattern}$/) {
resolve_alias($cluster_conf, $res, $cidr); # make sure alias exists
} else {
$cidr =~ s|/32$||;
- pve_verify_ipv4_or_cidr($cidr);
+ pve_verify_ipv4_or_cidr_or_alias($cidr);
}
};
if (my $err = $@) {
- warn "$prefix: $cidr - $err";
- next;
+ chomp $err;
+ $errors->{cidr} = $err;
}
my $entry = { cidr => $cidr };
$entry->{nomatch} = 1 if $nomatch;
$entry->{comment} = $comment if $comment;
+ $entry->{errors} = $errors if $errors;
+
+ if ($verbose && $errors) {
+ warn "$prefix - errors in ipset '$group': $line\n";
+ foreach my $p (keys %{$errors}) {
+ warn " $p: $errors->{$p}\n";
+ }
+ }
push @{$res->{$section}->{$group}}, $entry;
} else {
# remove duplicates
my $nethash = {};
foreach my $entry (@$options) {
+ next if $entry->{errors}; # skip entries with errors
eval {
my $cidr = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
$nethash->{$cidr} = { cidr => $cidr, nomatch => $entry->{nomatch} };
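Review bot: The new `next if $entry->{errors}` silently drops an ipset entry from the compiled set, and the parsing hunk above now reports such entries only when `$verbose` is set, where the removed `warn "$prefix: $cidr - $err"` fired unconditionally; an entry that quietly disappears changes what the firewall allows or blocks, so the skip should say so, e.g. `warn "ipset entry '$entry->{cidr}' skipped: " . join(', ', values %{$entry->{errors}}) . "\n";` before the `next`. If the `errors` hash is meant to be surfaced by another consumer (an API or GUI reader of the parsed config, which this hunk does not show), a one-line comment at the skip naming that consumer would make the silence intentional rather than accidental. The enclosing subroutine starts before and ends after this hunk.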
push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+ return ({}, {}) if !$cluster_conf->{options}->{enable};
+
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");