code cleanup

Define $ip_alias_name to make it easier to read the code.

diff --git a/debian/example/100.fw b/debian/example/100.fw
index 78f300a1b9ce15769d643fd960901e087985a570..5ccdcaed40b0eef61b32c25bd523eb75e23a26e8 100644 (file)
--- a/debian/example/100.fw
+++ b/debian/example/100.fw
@@ -40,7 +40,7 @@ IN SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
 IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
 IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
 IN SSH(ACCEPT) net0 +mynetgroup   #accept ssh for netgroup mynetgroup
-IN SSH(ACCEPT) net0 +myserveralias   #accept ssh for alias myserveralias
+IN SSH(ACCEPT) net0 myserveralias   #accept ssh for alias myserveralias
 
 |IN SSH(ACCEPT) net0 # disabled rule
 

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 24bb524f10adc964dfccb7602bd68ff6eb6c4c4e..0c83e2fccf1848889ea844c9cf95327b7b1a9ccc 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -63,12 +63,13 @@ PVE::JSONSchema::register_standard_option('pve-fw-loglevel' => {
     optional => 1,
 });
 
-my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
 
 PVE::JSONSchema::register_standard_option('pve-security-group-name', {
     description => "Security Group name.",
     type => 'string',
-    pattern => $security_group_pattern,
+    pattern => $security_group_name_pattern,
     minLength => 2,
     maxLength => 20,                             
 });
@@ -712,7 +713,7 @@ sub parse_address_list {
     my ($str) = @_;
 
     return if $str =~ m/^(\+)(\S+)$/; # ipset ref
-    return if $str =~ m/^${security_group_pattern}$/; # aliases
+    return if $str =~ m/^${ip_alias_pattern}$/;
 
     my $count = 0;
     my $iprange = 0;
@@ -855,7 +856,7 @@ my $rule_properties = {
        description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.",
        type => 'string',
        optional => 1,
-       pattern => $security_group_pattern,
+       pattern => $security_group_name_pattern,
        maxLength => 20,
        minLength => 2,
     },
@@ -987,7 +988,7 @@ sub verify_rule {
        raise_param_exc({ type => "security groups not allowed"}) 
            if !$allow_groups;
        raise_param_exc({ action => "invalid characters in security group name"}) 
-           if $rule->{action} !~ m/^${security_group_pattern}$/;
+           if $rule->{action} !~ m/^${security_group_name_pattern}$/;
     } else {
        raise_param_exc({ type => "unknown rule type '$type'"});
     }
@@ -1205,12 +1206,15 @@ sub ruleset_generate_cmdstr {
     my $dest = $rule->{dest};
 
     if ($source) {
-        if ($source =~ m/^(\+)(\S+)$/) {
-           die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
-           push @cmd, "-m set --match-set PVEFW-$2 src";
-
-       } elsif ($source =~ m/^${security_group_pattern}$/){
-           die "no such alias $source" if !$cluster_conf->{aliases}->{$source};
+        if ($source =~ m/^\+/) {
+           if ($source =~ m/^\+(${security_group_name_pattern})$/) {
+               die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
+               push @cmd, "-m set --match-set PVEFW-$1 src";
+           } else {
+               die "invalid security group name '$source'\n";
+           }
+       } elsif ($source =~ m/^${ip_alias_pattern}$/){
+           die "no such alias $source\n" if !$cluster_conf->{aliases}->{$source};
            push @cmd, "-s $cluster_conf->{aliases}->{$source}";
 
         } elsif ($source =~ m/\-/){
@@ -1222,11 +1226,14 @@ sub ruleset_generate_cmdstr {
     }
 
     if ($dest) {
-        if ($dest =~ m/^(\+)(\S+)$/) {
-           die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
-           push @cmd, "-m set --match-set PVEFW-$2 dst";
-
-       } elsif ($dest =~ m/^${security_group_pattern}$/){
+        if ($dest =~ m/^\+/) {
+           if ($dest =~ m/^\+(${security_group_name_pattern})$/) {
+               die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
+               push @cmd, "-m set --match-set PVEFW-$1 dst";
+           } else {
+               die "invalid security group name '$dest'\n";
+           }
+       } elsif ($dest =~ m/^${ip_alias_pattern}$/){
            die "no such alias $dest" if !$cluster_conf->{aliases}->{$dest};
            push @cmd, "-d $cluster_conf->{aliases}->{$dest}";
 
@@ -1811,7 +1818,7 @@ sub parse_fw_rule {
        die "wrong number of rule elements\n" if scalar(@data) != 3;
        die "groups disabled\n" if !$allow_groups;
 
-       die "invalid characters in group name\n" if $action !~ m/^${security_group_pattern}$/;
+       die "invalid characters in group name\n" if $action !~ m/^${security_group_name_pattern}$/;
     } else {
        die "unknown rule type '$type'\n";
     }
@@ -2133,7 +2140,7 @@ sub parse_cluster_fw_rules {
            my $nomatch = $1;
            my $cidr = $2;
 
-           if($cidr !~ m/^${security_group_pattern}$/) {
+           if($cidr !~ m/^${ip_alias_pattern}$/) {
                $cidr =~ s|/32$||;
            
                eval { pve_verify_ipv4_or_cidr($cidr); };
@@ -2408,8 +2415,7 @@ sub generate_ipset {
     my $nethash = {};
     foreach my $entry (@$options) {
        my $cidr = $entry->{cidr};
-       #check aliases
-       if ($cidr =~ m/^${security_group_pattern}$/){
+       if ($cidr =~ m/^${ip_alias_pattern}$/){
            die "no such alias $cidr" if !$aliases->{$cidr};
            $entry->{cidr} = $aliases->{$cidr};
        }