From: Mira Limbeck Date: Wed, 29 Apr 2020 13:45:23 +0000 (+0200) Subject: fix iptables-restore failing if icmp-type value > 255 X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=be99c6a0e95108bd9fe84b3c238e216ed2b31e64 fix iptables-restore failing if icmp-type value > 255 This has to be done in both icmp and icmpv6 cases. Currently if 'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there is no icmp-type handling. As this is meant to fix the iptables-restore failure if an icmp-type > 255 is specified, no ipv6-icmp handling is introduced. These error messages are not logged as warnings are ignored. To get these messages you have to run pve-firewall compile and look at the output. Signed-off-by: Mira Limbeck
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index aa4fb01..da1784c 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2043,11 +2043,17 @@ sub ipt_rule_to_cmds {
 	    # Note: we use dport to store --icmp-type
 	    die "unknown icmp-type '$rule->{dport}'\n"
 		if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
+	    # values for icmp-type range between 0 and 255
+	    # higher values and iptables-restore fails
+	    die "invalid icmp-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255);
 	    push @match, "-m icmp --icmp-type $rule->{dport}";
 	} elsif ($proto eq 'icmpv6') {
 	    # Note: we use dport to store --icmpv6-type
 	    die "unknown icmpv6-type '$rule->{dport}'\n"
 		if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
+	    # values for icmpv6-type range between 0 and 255
+	    # higher values and iptables-restore fails
+	    die "invalid icmpv6-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255);
 	    push @match, "-m icmpv6 --icmpv6-type $rule->{dport}";
 	} elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
 	    die "protocol $proto does not have ports\n";
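Review bot: The added range check in the icmp branch re-runs the numeric match that the "unknown icmp-type" check on the preceding line already performs, so dport is classified twice with two separate regexes; folding both into one `if ($rule->{dport} =~ m/^(\d+)$/) { … } elsif (!defined($icmp_type_names->{…})) { … }` keeps a single pattern and a single capture, and the icmpv6 branch further down the hunk needs the same merge against `$icmpv6_type_names`. Since the commit message says these die messages are dropped with the other warnings at compile time, a rule with an out-of-range type is now silently left out of the generated ruleset instead of breaking iptables-restore, so if the rule parser has its own dport verification step the 0–255 bound presumably belongs there as well, so the value is rejected when the rule is entered rather than vanishing later. `$` in the new pattern also matches before a trailing newline, so `\z` would be the stricter end anchor, although the pre-existing check anchors the same way. ipt_rule_to_cmds starts and ends outside the hunk.
```perl
	    # Note: we use dport to store --icmp-type
	    # iptables-restore rejects --icmp-type values above 255
	    if ($rule->{dport} =~ m/^(\d+)$/) {
		die "invalid icmp-type '$rule->{dport}'\n" if $1 > 255;
	    } elsif (!defined($icmp_type_names->{$rule->{dport}})) {
		die "unknown icmp-type '$rule->{dport}'\n";
	    }
	    push @match, "-m icmp --icmp-type $rule->{dport}";
	# … unchanged: icmpv6 branch, same merge using $icmpv6_type_names …
```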