git.proxmox.com Git - pve-firewall.git/commit

author	Aaron Lauterer <a.lauterer@proxmox.com>
	Thu, 22 Apr 2021 12:30:09 +0000 (14:30 +0200)
committer	Thomas Lamprecht <t.lamprecht@proxmox.com>
	Thu, 22 Apr 2021 15:49:44 +0000 (17:49 +0200)
commit	12d3b75f1a8a315caeca1be43914b6ab3aec1f6d
tree	83a0bdc173c86fbb9d5170b8b73e6a7e25ad3a27	tree
parent	ab9a6ae6fc5e848cfd0b8deb0d25103adf35917f	commit \| diff

fix #967: source: dest: limit length

iptables-restore has a buffer limit of 1024 for paramters [0].

If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.

Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets are the better approach anyway.

[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>