From: Thomas Lamprecht
Date: Tue, 28 May 2019 06:06:39 +0000 (+0200)
Subject: fix CT rule generation with ipfilter set
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=9328ea21573bdced86afdaa2f7c3fc7a29129f08

fix CT rule generation with ipfilter set

commit 255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an error from happening but wasn't too well thought out, perl's operator precedence was overlooked.

The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...

But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...

The first one makes $ip always boolean true (1 in perl) if the if branch is hit, and the second one then really has the $ip value in it.

Signed-off-by: Thomas Lamprecht
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index abcc1e8..b08cea5 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -3782,7 +3782,7 @@ sub compile_ebtables_filter { push(@$arpfilter, $ip); } } - if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) { + if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) { # ebtables changes this to a .0/MASK network but we just # want the address here, no network - see #2193 $ip =~ s|/(\d+)$||;
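Review bot: In the added condition, `defined(my $ip = $net->{ip})` is also true for an empty string or "0", so with ipfilter enabled such an `ip` value now enters the branch and reaches `$ip =~ s|/(\d+)$||;` unchanged; the removed line, despite its precedence bug, did not enter the branch for a false `ip`. If only a usable address should feed the filter, test for a non-empty value, and consider moving the assignment out of the condition (`my $ip = $net->{ip};` followed by `if ($ip && $vmfw_conf->{options}->{ipfilter})`) so the `=` versus `&&` precedence cannot be misread again. The capture group in `s|/(\d+)$||` is unused in the visible lines and could be written `s|/\d+$||`. Since this is the second change to the same condition, a test case covering a CT with ipfilter set and an `ip` carrying a /MASK suffix would pin the intended behaviour.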