parser: fix scoped alias resolution

We tried to resolve aliases in some places where the cluster
configuration didn't get set. It's probably better to handle these cases
directly in the function at hand, instead of at every place where this
issues might arise.

This seemingly fixes the issues reported on pve-user and the forum:
  * https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
  * https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index baa57cabc2ebf96bd51a267b6d1a300291904c0b..ed92d877ee0685726f69fc5f807c3a316a925dbe 100644 (file)
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -203,8 +203,6 @@ sub register_create_ip {
                if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
                    my $scope = $1 // "";
                    my $alias = $2;
-                   # on the cluster level
-                   $cluster_conf = $fw_conf if (!$cluster_conf);
                    # make sure alias exists (if $cidr is an alias)
                    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
                } else {

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 9bed8dfaadd60bb89c2f727ab591c835b25cac6f..77cbaf46598ff7eff0842a0484ef90239e4a58b0 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2979,13 +2979,23 @@ sub parse_clusterfw_option {
 sub resolve_alias {
     my ($clusterfw_conf, $fw_conf, $cidr, $scope) = @_;
 
+    # When we're on the cluster level, the cluster config only gets
+    # saved into fw_conf, so we need some extra handling here (to
+    # stay consistent)
+    my ($cluster_config, $local_config);
+    if (!$clusterfw_conf) {
+       ($cluster_config, $local_config) = ($fw_conf, undef);
+    } else {
+       ($cluster_config, $local_config) = ($clusterfw_conf, $fw_conf);
+    }
+
     my $alias = lc($cidr);
     my $e;
-    if ($scope ne 'dc/' && $fw_conf) {
-       $e = $fw_conf->{aliases}->{$alias};
+    if ($scope ne 'dc/' && $local_config) {
+       $e = $local_config->{aliases}->{$alias};
     }
-    if ($scope ne 'guest/' && !$e && $clusterfw_conf) {
-       $e = $clusterfw_conf->{aliases}->{$alias};
+    if ($scope ne 'guest/' && !$e && $cluster_config) {
+       $e = $cluster_config->{aliases}->{$alias};
     }
 
     die "no such alias '$cidr'\n" if !$e;;