Define $ip_alias_name to make the code easier to read.
IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
-IN SSH(ACCEPT) net0 +myserveralias #accept ssh for alias myserveralias
+IN SSH(ACCEPT) net0 myserveralias #accept ssh for alias myserveralias
|IN SSH(ACCEPT) net0 # disabled rule
|IN SSH(ACCEPT) net0 # disabled rule
-my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
PVE::JSONSchema::register_standard_option('pve-security-group-name', {
description => "Security Group name.",
type => 'string',
PVE::JSONSchema::register_standard_option('pve-security-group-name', {
description => "Security Group name.",
type => 'string',
- pattern => $security_group_pattern,
+ pattern => $security_group_name_pattern,
minLength => 2,
maxLength => 20,
});
minLength => 2,
maxLength => 20,
});
my ($str) = @_;
return if $str =~ m/^(\+)(\S+)$/; # ipset ref
my ($str) = @_;
return if $str =~ m/^(\+)(\S+)$/; # ipset ref
- return if $str =~ m/^${security_group_pattern}$/; # aliases
+ return if $str =~ m/^${ip_alias_pattern}$/;
my $count = 0;
my $iprange = 0;
my $count = 0;
my $iprange = 0;
description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.",
type => 'string',
optional => 1,
description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.",
type => 'string',
optional => 1,
- pattern => $security_group_pattern,
+ pattern => $security_group_name_pattern,
maxLength => 20,
minLength => 2,
},
maxLength => 20,
minLength => 2,
},
raise_param_exc({ type => "security groups not allowed"})
if !$allow_groups;
raise_param_exc({ action => "invalid characters in security group name"})
raise_param_exc({ type => "security groups not allowed"})
if !$allow_groups;
raise_param_exc({ action => "invalid characters in security group name"})
- if $rule->{action} !~ m/^${security_group_pattern}$/;
+ if $rule->{action} !~ m/^${security_group_name_pattern}$/;
} else {
raise_param_exc({ type => "unknown rule type '$type'"});
}
} else {
raise_param_exc({ type => "unknown rule type '$type'"});
}
my $dest = $rule->{dest};
if ($source) {
my $dest = $rule->{dest};
if ($source) {
- if ($source =~ m/^(\+)(\S+)$/) {
- die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
- push @cmd, "-m set --match-set PVEFW-$2 src";
-
- } elsif ($source =~ m/^${security_group_pattern}$/){
- die "no such alias $source" if !$cluster_conf->{aliases}->{$source};
+ if ($source =~ m/^\+/) {
+ if ($source =~ m/^\+(${security_group_name_pattern})$/) {
+ die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
+ push @cmd, "-m set --match-set PVEFW-$1 src";
+ } else {
+ die "invalid security group name '$source'\n";
+ }
+ } elsif ($source =~ m/^${ip_alias_pattern}$/){
+ die "no such alias $source\n" if !$cluster_conf->{aliases}->{$source};
push @cmd, "-s $cluster_conf->{aliases}->{$source}";
} elsif ($source =~ m/\-/){
push @cmd, "-s $cluster_conf->{aliases}->{$source}";
} elsif ($source =~ m/\-/){
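Review bot: The new `+`-prefixed branch rejects any ipset reference that does not match `$security_group_name_pattern`, but the verifier earlier in this commit still accepts any `+\S+` (`return if $str =~ m/^(\+)(\S+)$/; # ipset ref`), so a rule that passes validation can still die here at compile time; tightening that check to `return if $str =~ m/^\+${security_group_name_pattern}$/;` keeps the two in step. The same mismatch applies to the `$dest` branch in the following hunk. Since the lookup is in `$cluster_conf->{ipset}`, the message `invalid security group name '$source'` is misleading and would read better as `invalid ipset name '$source'`. The `die "no such alias $dest"` left unchanged in the next hunk (and `die "no such alias $cidr"` in the last one) still lacks the trailing `\n` this hunk adds to the `$source` message, so those errors carry a file/line suffix while the source one does not. The enclosing sub starts and ends outside the hunk.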
- if ($dest =~ m/^(\+)(\S+)$/) {
- die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
- push @cmd, "-m set --match-set PVEFW-$2 dst";
-
- } elsif ($dest =~ m/^${security_group_pattern}$/){
+ if ($dest =~ m/^\+/) {
+ if ($dest =~ m/^\+(${security_group_name_pattern})$/) {
+ die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
+ push @cmd, "-m set --match-set PVEFW-$1 dst";
+ } else {
+ die "invalid security group name '$dest'\n";
+ }
+ } elsif ($dest =~ m/^${ip_alias_pattern}$/){
die "no such alias $dest" if !$cluster_conf->{aliases}->{$dest};
push @cmd, "-d $cluster_conf->{aliases}->{$dest}";
die "no such alias $dest" if !$cluster_conf->{aliases}->{$dest};
push @cmd, "-d $cluster_conf->{aliases}->{$dest}";
die "wrong number of rule elements\n" if scalar(@data) != 3;
die "groups disabled\n" if !$allow_groups;
die "wrong number of rule elements\n" if scalar(@data) != 3;
die "groups disabled\n" if !$allow_groups;
- die "invalid characters in group name\n" if $action !~ m/^${security_group_pattern}$/;
+ die "invalid characters in group name\n" if $action !~ m/^${security_group_name_pattern}$/;
} else {
die "unknown rule type '$type'\n";
}
} else {
die "unknown rule type '$type'\n";
}
my $nomatch = $1;
my $cidr = $2;
my $nomatch = $1;
my $cidr = $2;
- if($cidr !~ m/^${security_group_pattern}$/) {
+ if($cidr !~ m/^${ip_alias_pattern}$/) {
$cidr =~ s|/32$||;
eval { pve_verify_ipv4_or_cidr($cidr); };
$cidr =~ s|/32$||;
eval { pve_verify_ipv4_or_cidr($cidr); };
my $nethash = {};
foreach my $entry (@$options) {
my $cidr = $entry->{cidr};
my $nethash = {};
foreach my $entry (@$options) {
my $cidr = $entry->{cidr};
- #check aliases
- if ($cidr =~ m/^${security_group_pattern}$/){
+ if ($cidr =~ m/^${ip_alias_pattern}$/){
die "no such alias $cidr" if !$aliases->{$cidr};
$entry->{cidr} = $aliases->{$cidr};
}
die "no such alias $cidr" if !$aliases->{$cidr};
$entry->{cidr} = $aliases->{$cidr};
}