X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=db1eae36655f8522dd8c8d9d3b7f043d0fd30e52;hp=62cbf66268a4b4ee89b49df4fd4ff66b0887521d;hb=12be0dfe9fc44906a8650a355baa1b601e6a3c0d;hpb=2549e7ef48b4f514898bdf6170ecf755e76a9112

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 62cbf66..db1eae3 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1049,12 +1049,13 @@ sub parse_port_name_number_or_range {
     my @elements = split(/,/, $str);
     die "extraneous commas in list\n" if $str ne join(',', @elements);
     foreach my $item (@elements) {
-	if ($item =~ m/^(\d+):(\d+)$/) {
+	if ($item =~ m/^([0-9]+):([0-9]+)$/) {
 	    $count += 2;
 	    my ($port1, $port2) = ($1, $2);
 	    die "invalid port '$port1'\n" if $port1 > 65535;
 	    die "invalid port '$port2'\n" if $port2 > 65535;
-	} elsif ($item =~ m/^(\d+)$/) {
+	    die "backwards range '$port1:$port2' not allowed, did you mean '$port2:$port1'?\n" if $port1 > $port2;
+	} elsif ($item =~ m/^([0-9]+)$/) {
 	    $count += 1;
 	    my $port = $1;
 	    die "invalid port '$port'\n" if $port > 65535;
@@ -2318,7 +2319,7 @@ sub generate_tap_rules_direction {
 	if ($direction eq 'OUT') {
 	    $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
 	} else {
-	$policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+	    $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
 	}
 
 	my $accept = generate_nfqueue($options);
@@ -3672,13 +3673,13 @@ sub compile_ebtables_filter {
     ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-o fwln+', '-j PVEFW-FWBR-OUT');
 
     # generate firewall rules for QEMU VMs
-    foreach my $vmid (keys %{$vmdata->{qemu}}) {
+    foreach my $vmid (sort keys %{$vmdata->{qemu}}) {
 	eval {
 	    my $conf = $vmdata->{qemu}->{$vmid};
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
 	    return if !$vmfw_conf;
 
-	    foreach my $netid (keys %$conf) {
+	    foreach my $netid (sort keys %$conf) {
 		next if $netid !~ m/^net(\d+)$/;
 		my $net = PVE::QemuServer::parse_net($conf->{$netid});
 		next if !$net->{firewall};
@@ -3693,14 +3694,14 @@ sub compile_ebtables_filter {
     }
 
     # generate firewall rules for LXC containers
-    foreach my $vmid (keys %{$vmdata->{lxc}}) {
+    foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
 	eval {
 	    my $conf = $vmdata->{lxc}->{$vmid};
 
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
 	    return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
 
-	    foreach my $netid (keys %$conf) {
+	    foreach my $netid (sort keys %$conf) {
 		next if $netid !~ m/^net(\d+)$/;
 		my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
 		next if !$net->{firewall};
@@ -3784,11 +3785,12 @@ sub get_ruleset_status {
     foreach my $chain (sort keys %$active_chains) {
 	next if defined($ruleset->{$chain});
 	my $action = 'delete';
+	my $sig = $active_chains->{$chain};
 	if (defined($change_only_regex)) {
 	    $action = 'ignore' if ($chain !~ m/$change_only_regex/);
 	    $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules};
+	    $sig = $sig->{sig};
 	}
-	my $sig = $active_chains->{$chain}->{sig};
 	$statushash->{$chain}->{action} = $action;
 	$statushash->{$chain}->{sig} = $sig;
 	print "$action $chain ($sig)\n" if $verbose;