fix CT rule generation with ipfilter set

commit 255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an
error from happening but wasn't to well thought out, perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...

But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...

First one makes $ip always boolean true (1 in perl) if the if branch
is hit, and the seconds really has then the $ip value in it..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index abcc1e858ebb34d87f262e90a45f40d971c4f987..b08cea57312b9e6a54680e24abced4e4de4c47be 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3782,7 +3782,7 @@ sub compile_ebtables_filter {
                        push(@$arpfilter, $ip);
                    }
                }
-               if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+               if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) {
                    # ebtables changes this to a .0/MASK network but we just
                    # want the address here, no network - see #2193
                    $ip =~ s|/(\d+)$||;