X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=40400c8a002d1d2fe52de380a16a2e3bf4b07569;hp=ad52ee724163533760ce4a55398d5c15992ac237;hb=b33ce1b52082f986a21e8030fef5b80f6bc57005;hpb=5163367b84fd17743663cc936ba7766d4d04a3a2 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index ad52ee7..40400c8 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -802,19 +802,27 @@ sub parse_address_list { my $count = 0; my $iprange = 0; - my $ipversion = undef; + my $ipversion; foreach my $elem (split(/,/, $str)) { $count++; - if (!Net::IP->new($elem)) { + my $ip = Net::IP->new($elem); + if (!$ip) { my $err = Net::IP::Error(); die "invalid IP address: $err\n"; } $iprange = 1 if $elem =~ m/-/; - $ipversion = Net::IP::ip_get_version($elem); #fixme : don't work with range + + my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4; + + die "detected mixed ipv4/ipv6 addresses in address list '$str'\n" + if $ipversion && ($new_ipversion != $ipversion); + + $ipversion = $new_ipversion; } die "you can't use a range in a list\n" if $iprange && $count > 1; + return $ipversion; } @@ -1075,7 +1083,6 @@ sub verify_rule { my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_; my $allow_groups = $rule_env eq 'group' ? 0 : 1; - my $ipversion = undef; my $allow_iface = $rule_env_iface_lookup->{$rule_env}; die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen @@ -1173,6 +1180,8 @@ sub verify_rule { if !$rule->{proto}; } + my $ipversion; + if ($rule->{source}) { eval { $ipversion = parse_address_list($rule->{source}); }; &$add_error('source', $@) if $@; 
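Review bot: The new family detection re-parses an address that the Net::IP object has already classified: `my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4;` can simply be `my $new_ipversion = $ip->version();`, which avoids depending on `ip()` returning a form that `ip_is_ipv6` recognises for ranges and prefixes. The range guard in the context line still keys only on `-`; if I remember Net::IP correctly it also accepts an `addr + count` range notation, which this check would let through in a multi-element list — worth confirming against the module. parse_address_list begins before this hunk.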
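Review bot: `my $ipversion;` is now declared just above the source/dest parsing, but nothing in this diff stores the result on the rule, while the new filter in ruleset_generate_vm_rules reads `$rule->{ipversion}`; if verify_rule does not already assign `$rule->{ipversion} = $ipversion;` in the part below this hunk, that filter never matches and mixed-family rules still reach both iptables and ip6tables. Moving the declaration down is otherwise safe under `use strict`, since any earlier use would now be a compile-time error rather than a silent undef. verify_rule continues beyond this hunk.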
@@ -1180,7 +1189,12 @@ sub verify_rule { } if ($rule->{dest}) { - eval { $ipversion = parse_address_list($rule->{dest}); }; + eval { + my $dest_ipversion = parse_address_list($rule->{dest}); + die "detected mixed ipv4/ipv6 adresses in rule\n" + if defined($ipversion) && ($dest_ipversion != $ipversion); + $ipversion = $dest_ipversion; + }; &$add_error('dest', $@) if $@; &$check_ipset_or_alias_property('dest'); } @@ -1727,7 +1741,7 @@ sub ruleset_add_group_rule { } sub ruleset_generate_vm_rules { - my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options) = @_; + my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options, $ipversion) = @_; my $lc_direction = lc($direction); @@ -1736,6 +1750,8 @@ sub ruleset_generate_vm_rules { foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; next if !$rule->{enable} || $rule->{errors}; + next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion); + if ($rule->{type} eq 'group') { ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction, $direction eq 'OUT' ? 'RETURN' : $in_accept); @@ -1791,7 +1807,7 @@ sub ruleset_generate_vm_ipsrules { } sub generate_venet_rules_direction { - my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; + my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction, $ipversion) = @_; my $lc_direction = lc($direction); @@ -1804,7 +1820,7 @@ sub generate_venet_rules_direction { ruleset_create_vm_chain($ruleset, $chain, $options, undef, undef, $direction); - ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction); + ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction, undef, $ipversion); # implement policy my $policy; 
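Review bot: The new error string has a typo in a user-visible message: `die "detected mixed ipv4/ipv6 adresses in rule\n"` should read `addresses`, matching the wording used in parse_address_list. This comparison also only covers rules whose source and dest are both literal address lists; a literal source with an ipset or alias dest of the other family is left to `check_ipset_or_alias_property`, whose body is outside this diff, so it is worth checking that it receives the same family information. verify_rule continues beyond this hunk.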
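Review bot: `next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);` silently skips every family-tagged rule when a caller omits the new trailing `$ipversion` argument, with only an "uninitialized value" warning as a hint; a guard at the top of the function, `die "missing ipversion\n" if !defined($ipversion);`, makes that mistake fail loudly instead. Separately, group rules still go through `ruleset_add_group_rule(...)` without `$ipversion`, so unless that function filters by family itself (its body is outside this diff) a group member carrying an address of the other family would be emitted into this chain, and a single IPv4 match in an ip6tables chain can make the whole ruleset fail to load. ruleset_generate_vm_rules continues beyond this hunk.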
@@ -1833,7 +1849,7 @@ sub generate_venet_rules_direction { } sub generate_tap_rules_direction { - my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_; + my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction, $ipversion) = @_; my $lc_direction = lc($direction); @@ -1852,7 +1868,7 @@ sub generate_tap_rules_direction { ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $ipfilter_ipset, $direction); if ($options->{enable}) { - ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options); + ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion); ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface); @@ -2933,9 +2949,9 @@ sub compile_iptables_filter { my $macaddr = $net->{macaddr}; generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, 'IN'); + $vmfw_conf, $vmid, 'IN', $ipversion); generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, 'OUT'); + $vmfw_conf, $vmid, 'OUT', $ipversion); } }; warn $@ if $@; # just to be sure - should not happen 
@@ -2955,18 +2971,20 @@ sub compile_iptables_filter { if ($conf->{ip_address} && $conf->{ip_address}->{value}) { my $ip = $conf->{ip_address}->{value}; $ip =~ s/\s+/,/g; - parse_address_list($ip); # make sure we have a valid $ip list - my @ips = split(',', $ip); + my @ips = (); - foreach my $singleip (@ips) { - my $venet0ipset = {}; - $venet0ipset->{cidr} = $singleip; - push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset; + foreach my $singleip (split(',', $ip)) { + my $singleip_ver = parse_address_list($singleip); # make sure we have a valid $ip list + push @{$cluster_conf->{ipset}->{venet0}}, { cidr => $singleip }; + push @ips, $singleip if $singleip_ver == $ipversion; } - generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN'); - generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT'); + if (scalar(@ips)) { + my $ip_list = join(',', @ips); + generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'IN', $ipversion); + generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'OUT', $ipversion); + } } } @@ -2979,9 +2997,9 @@ sub compile_iptables_filter { my $macaddr = $d->{mac}; my $iface = $d->{host_ifname}; generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, 'IN'); + $vmfw_conf, $vmid, 'IN', $ipversion); generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, 'OUT'); + $vmfw_conf, $vmid, 'OUT', $ipversion); } } };
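Review bot: An empty list element now slips through validation: `split(',', $ip)` keeps a leading empty field if the value carries leading whitespace, `parse_address_list('')` iterates nothing and returns undef instead of dying (as far as I can tell the old whole-list call would have rejected it), and `{ cidr => '' }` is pushed into the venet0 ipset before the undef is compared against `$ipversion`. Reject it up front with `die "invalid IP address: empty entry\n" if $singleip eq '';` at the top of the loop, or strip surrounding whitespace before the `s/\s+/,/g` substitution. The kept comment `# make sure we have a valid $ip list` now sits on a per-address call; `# validate this address and get its IP family` matches what the line does. Whether the ipset generator splits venet0 by family once both IPv4 and IPv6 entries are pushed into it is not visible here. compile_iptables_filter continues on both sides of this hunk.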