X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=6d4127e8585917c51c841497959d902a8a8620cd;hp=88fc044315a77aed0664dbbf4455a83e960d764a;hb=5b7974dfa29048836d6ca5f66a05c96e54732cbf;hpb=3162af6b6288fdf740f6808421ad1ebc7993784c
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 88fc044..6d4127e 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -613,6 +613,8 @@ sub get_etc_protocols {
 sub parse_address_list {
 my ($str) = @_;
+ return if $str !~ m/^(\+)(\S+)$/; # ipset ref
+
 my $count = 0;
 my $iprange = 0;
 foreach my $elem (split(/,/, $str)) {
@@ -765,12 +767,28 @@ sub add_rule_properties {
 my ($properties) = @_;
 foreach my $k (keys %$rule_properties) {
- $properties->{$k} = $rule_properties->{$k};
+ my $h = $rule_properties->{$k};
+ # copy data, so that we can modify later without side effects
+ foreach my $opt (keys %$h) { $properties->{$k}->{$opt} = $h->{$opt}; }
 }
 return $properties;
 }
+sub delete_rule_properties {
+ my ($rule, $delete_str) = @_;
+ foreach my $opt (PVE::Tools::split_list($delete_str)) {
+ raise_param_exc({ 'delete' => "no such property ('$opt')"})
+ if !defined($rule_properties->{$opt});
+ raise_param_exc({ 'delete' => "unable to delete required property '$opt'"})
+ if $opt eq 'type' || $opt eq 'action';
+ delete $rule->{$opt};
+ }
+
+ return $rule;
+}
+
 sub copy_rule_data {
 my ($rule, $param) = @_;
@@ -950,7 +968,7 @@ sub ruleset_generate_cmdstr {
 die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
 push @cmd, "-m set --match-set PVEFW-$2 src";
- } elsif ($source =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ } elsif ($source =~ m/\-/){
 push @cmd, "-m iprange --src-range $source";
 } else {
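Review bot: The early return added to parse_address_list is inverted: `return if $str !~ m/^(\+)(\S+)$/` returns for every value that is *not* an ipset reference, so plain addresses, networks and ranges are no longer validated at all, while a real `+name` reference falls through into the element loop the check was meant to bypass. The `# ipset ref` comment and the callers in parse_fw_rule (last hunk, which dropped their own `!~ m/^(\+)(\S+)$/` guards) show the intent is to skip validation only for ipset references, so the line should read `return if $str =~ m/^(\+)(\S+)$/; # ipset ref`. This matters more now that the iprange branch in ruleset_generate_cmdstr accepts any source containing `-` for `--src-range $source` (third hunk), leaving this function as the only bound on what ends up in that argument. The rest of parse_address_list is outside the hunk.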
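Review bot: The copy in add_rule_properties is only one level deep: `$properties->{$k}->{$opt} = $h->{$opt}` still shares each value with `$rule_properties->{$k}`, so if any property value is itself a reference (an enum list, for example) the comment's promise of side-effect-free modification does not hold for it. If nested values exist, `dclone` from core Storable gives a real deep copy (`$properties->{$k} = dclone($rule_properties->{$k});`); otherwise the comment should say the copy is shallow, and the loop reads more clearly as `$properties->{$k} = { %{ $rule_properties->{$k} } };`. In delete_rule_properties the existence and required-property checks are independent, so the order is fine, but a one-line comment such as `# 'type' and 'action' are mandatory for every rule` above the second raise would explain the hard-coded names.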
@@ -1591,8 +1609,8 @@ sub parse_fw_rule {
 parse_port_name_number_or_range($dport) if defined($dport);
 parse_port_name_number_or_range($sport) if defined($sport);
- parse_address_list($source) if $source && $source !~ m/^(\+)(\S+)$/;
- parse_address_list($dest) if $dest && $dest !~ m/^(\+)(\S+)$/;
+ parse_address_list($source) if $source;
+ parse_address_list($dest) if $dest;
 return {
 type => $type,