Add ipv6 macros to the macro list

Additionally there's now a way to specify ipv6-only or
ipv4-only macros.

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a39cf6d46503dcded67f047387a8d50a3369fb36..3057d218a8c73747b7b56ecd9b161defbf18f352 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -506,6 +506,7 @@ my $pve_fw_macros = {
 
 my $pve_fw_parsed_macros;
 my $pve_fw_macro_descr;
+my $pve_fw_macro_ipversion = {};
 my $pve_fw_preferred_macro_names = {};
 
 my $pve_std_chains = {};
@@ -755,14 +756,32 @@ sub init_firewall_macros {
 
     $pve_fw_parsed_macros = {};
 
-    foreach my $k (keys %$pve_fw_macros) {
+    my $parse = sub {
+       my ($k, $macro) = @_;
        my $lc_name = lc($k);
-       my $macro = $pve_fw_macros->{$k};
-       if (!ref($macro->[0])) {
-           $pve_fw_macro_descr->{$k} = shift @$macro;
+       $pve_fw_macro_ipversion->{$k} = 0;
+       while (!ref($macro->[0])) {
+           my $desc = shift @$macro;
+           if ($desc eq 'ipv4only') {
+               $pve_fw_macro_ipversion->{$k} = 4;
+           } elsif ($desc eq 'ipv6only') {
+               $pve_fw_macro_ipversion->{$k} = 6;
+           } else {
+               $pve_fw_macro_descr->{$k} = $desc;
+           }
        }
        $pve_fw_preferred_macro_names->{$lc_name} = $k;
        $pve_fw_parsed_macros->{$k} = $macro;
+    };
+
+    foreach my $k (keys %$pve_fw_macros) {
+       &$parse($k, $pve_fw_macros->{$k});
+    }
+
+    foreach my $k (keys %$pve_ipv6fw_macros) {
+       next if $pve_fw_parsed_macros->{$k};
+       &$parse($k, $pve_ipv6fw_macros->{$k});
+       $pve_fw_macro_ipversion->{$k} = 6;
     }
 }
 
@@ -1170,6 +1189,9 @@ my $apply_macro = sub {
        $macro_rules = $pve_ipv6fw_macros->{$macro_name};
     }
 
+    # skip macros which are specific to another ipversion
+    return if ($ipversion//0) != ($pve_fw_macro_ipversion->{$macro_name}//0);
+
     my $rules = [];
 
     foreach my $templ (@$macro_rules) {