for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here. otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
my $cidr = $param->{cidr};
my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
my $cidr = $param->{cidr};
+ if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
+ # make sure alias exists (if $cidr is an alias)
+ PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
+ } else {
+ # normalize like config parser, otherwise duplicates might slip through
+ $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
+ }
foreach my $entry (@$ipset) {
raise_param_exc({ cidr => "address '$cidr' already exists" })
foreach my $entry (@$ipset) {
raise_param_exc({ cidr => "address '$cidr' already exists" })
raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
if $cidr =~ m!/0+$!;
raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
if $cidr =~ m!/0+$!;
- # make sure alias exists (if $cidr is an alias)
- PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
- if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
my $data = { cidr => $cidr };
my $data = { cidr => $cidr };
projects / pve-firewall.git / commitdiff