X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=8fd0f482c6353b38f3989f13e6862e3fb53a7c42;hp=e060244e9d26439f3cffc5df0c270bec8c42ebfe;hb=3655b01f381276b96d69f6be303504affcbc7311;hpb=cbb5d6f35612337edbb6d2bb0aa18028dd07fe9f
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e060244..8fd0f48 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -613,18 +613,20 @@ sub get_etc_protocols {
 sub parse_address_list {
 my ($str) = @_;
 
- my $nbaor = 0;
- foreach my $aor (split(/,/, $str)) {
- if($nbaor > 0 && $aor =~ m/-/){
- die "you can use a range in a list";
- }
- if (!Net::IP->new($aor)) {
+ return if $str !~ m/^(\+)(\S+)$/; # ipset ref
+
+ my $count = 0;
+ my $iprange = 0;
+ foreach my $elem (split(/,/, $str)) {
+ $count++;
+ if (!Net::IP->new($elem)) {
 my $err = Net::IP::Error();
 die "invalid IP address: $err\n";
- }else{
- $nbaor++;
 }
+ $iprange = 1 if $elem =~ m/-/;
 }
+
+ die "you can use a range in a list\n" if $iprange && $count > 1;
 }
 
 sub parse_port_name_number_or_range {
@@ -765,7 +767,9 @@ sub add_rule_properties {
 my ($properties) = @_;
 
 foreach my $k (keys %$rule_properties) {
- $properties->{$k} = $rule_properties->{$k};
+ my $h = $rule_properties->{$k};
+ # copy data, so that we can modify later without side effects
+ foreach my $opt (keys %$h) { $properties->{$k}->{$opt} = $h->{$opt}; }
 }
 
 return $properties;
@@ -950,7 +954,7 @@ sub ruleset_generate_cmdstr {
 die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
 push @cmd, "-m set --match-set PVEFW-$2 src";
- } elsif ($source =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ } elsif ($source =~ m/\-/){
 push @cmd, "-m iprange --src-range $source";
 } else {
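Review bot: The early return added at the top of parse_address_list (first `+` line of the @@ -613 hunk) is inverted: `return if $str !~ m/^(\+)(\S+)$/` returns for every string that is *not* an ipset reference, so ordinary addresses and CIDRs now skip the Net::IP check entirely, while a real `+name` reference falls through to `Net::IP->new` and dies with "invalid IP address". Since parse_fw_rule now calls this for every non-empty source/dest (the @@ -1591 hunk drops the caller-side `!~` guard), no address in a rule is validated any more; the line should read `return if $str =~ m/^(\+)(\S+)$/; # ipset ref`. This matters beyond correctness because the @@ -950 hunk relaxes the iprange branch of ruleset_generate_cmdstr to `$source =~ m/\-/` and then interpolates `$source` into the iptables argument string, relying on this function having rejected anything that is not a valid address or range. Separately, the error text `you can use a range in a list` reads as the opposite of what the `$count > 1` condition enforces; `you can not use a range in a list` would say what is meant.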
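Review bot: The copy in add_rule_properties (the three added lines in the @@ -765 hunk) is one level deep: `$properties->{$k}->{$opt} = $h->{$opt}` copies the scalar slots of each property hash, but if any of those values are themselves references they remain shared with $rule_properties, so "modify later without side effects" overstates the guarantee. Because the loop assigns into whatever `$properties->{$k}` already holds, an existing key is merged with the template rather than replaced, whereas the removed line replaced it; if that is intended it deserves a comment, since callers passing a pre-populated hash will now see different results. For a genuinely independent copy, `$properties->{$k} = dclone($h);` (Storable is core) would give it; otherwise the comment should say `# shallow copy of the property definition (nested refs stay shared)`. add_rule_properties begins outside the hunk.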
@@ -1591,8 +1595,8 @@ sub parse_fw_rule {
 parse_port_name_number_or_range($dport) if defined($dport);
 parse_port_name_number_or_range($sport) if defined($sport);
- parse_address_list($source) if $source && $source !~ m/^(\+)(\S+)$/;
- parse_address_list($dest) if $dest && $dest !~ m/^(\+)(\S+)$/;
+ parse_address_list($source) if $source;
+ parse_address_list($dest) if $dest;
 
 return {
 type => $type,