From: Thomas Lamprecht Date: Thu, 9 Jan 2020 11:55:13 +0000 (+0100) Subject: api node: always pass cluster conf to node FW parser X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=f78c7ca05b7037beef82ab57bcfd269d8b4adccc api node: always pass cluster conf to node FW parser As else the parsing may lead to "false positive" errors, as cluster wide aliases and other definitions are seemingly missing. Reproducer: * add *cluster* alias * add+enable *host* rule using that alias * enable FW on DC and node level * go to Node -> FW -> Options * check journal/syslog for error like: > pveproxy[1339680]: /etc/pve/nodes/dev6/host.fw (line 3) - errors in rule parameters: IN ACCEPT -source test123 -p tcp -sport 22 -log nolog > pveproxy[1339680]: source: no such alias 'test123' Signed-off-by: Thomas Lamprecht
---
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index d02619a..2303494 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -86,7 +86,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
 return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
 }});
@@ -117,7 +118,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
 my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
 PVE::Tools::assert_if_modified($digest, $param->{digest});
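Review bot: Both handlers read only `$hostfw_conf->{options}`, so the added `load_clusterfw_conf()` call in each hunk looks like unnecessary work to a later reader unless the reason is written next to it. I would put a comment above the first added line in both places, e.g. `# pass the cluster conf so cluster-wide aliases and other definitions resolve while the host rules are parsed`, because dropping the call brings back the spurious "no such alias" entries in the journal, and that noise makes parse errors for rules that really are broken easy to miss. The same two-line load sequence now appears in the first hunk and again in the second; a small shared helper would keep the two from drifting apart. The second `code => sub` body continues past the end of its hunk, so whether the later write path parses with the same cluster conf is not visible here.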