Thomas Lamprecht [Fri, 23 Nov 2018 13:05:23 +0000 (14:05 +0100)]
bump version to 3.0-15
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:46 +0000 (15:14 +0100)]
d/control: add missing Build-Depends
Found while building in a clean chroot.
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:45 +0000 (15:14 +0100)]
Fix #1971: display firewall rule properties
This is the list of the properties that should get returned in the
pretty print format, too, not just in yaml/json output.
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
Thomas Lamprecht [Tue, 4 Sep 2018 07:50:37 +0000 (09:50 +0200)]
d/rules: fix pvefw-logger service unit-name
debhelpers on stretch do not care about the wrong unit name, and the
name used is always the one from --name.
But buster cares, so fix it to the right one.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Fri, 24 Aug 2018 08:51:19 +0000 (10:51 +0200)]
bump version to 3.0-14
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Stoiko Ivanov [Thu, 23 Aug 2018 14:04:50 +0000 (16:04 +0200)]
Fix #1841: ebtables: sort interfaces per guest
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wolfgang Bumiller [Thu, 28 Jun 2018 12:47:25 +0000 (14:47 +0200)]
bump version to 3.0-13
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Stoiko Ivanov [Thu, 28 Jun 2018 12:41:56 +0000 (14:41 +0200)]
ebtables: sort guest chains during rule creation
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Thomas Lamprecht [Thu, 14 Jun 2018 10:08:52 +0000 (12:08 +0200)]
api: host, vm: explicit import raise_param_exc
we inherited the import from PVE::RESTHandler but may want to get rid
of it there. So explicitly import it here.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 13 Jun 2018 11:26:28 +0000 (13:26 +0200)]
whitespace fixup
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 12 Jun 2018 10:02:32 +0000 (12:02 +0200)]
bump version to 3.0-12
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 12 Jun 2018 10:00:10 +0000 (12:00 +0200)]
fixup active_chains distinction when deleting chains
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Wed, 6 Jun 2018 14:18:48 +0000 (16:18 +0200)]
fixup changelog UNRELEASED
Thomas Lamprecht [Wed, 6 Jun 2018 14:15:01 +0000 (16:15 +0200)]
bump version to 3.0-11
Stoiko Ivanov [Wed, 6 Jun 2018 09:56:05 +0000 (11:56 +0200)]
rename ebtables_enable to ebtables
and register ebtables option with the API
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wolfgang Bumiller [Tue, 29 May 2018 13:14:43 +0000 (15:14 +0200)]
bump version to 3.0-10
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 29 May 2018 13:08:25 +0000 (15:08 +0200)]
typo fixup
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Stoiko Ivanov [Sat, 26 May 2018 20:50:30 +0000 (22:50 +0200)]
Don't change external ebtables rules
* Fixes #1764
* Introduces ebtables_enable option to cluster config
* All ebtables chains not created by PVE are left in place
* get_ruleset_status optionally takes an additional argument
(a regex indicating which chains should be left intact)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wolfgang Bumiller [Thu, 17 May 2018 12:41:40 +0000 (14:41 +0200)]
bump version to 3.0-9
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 17 May 2018 11:09:23 +0000 (13:09 +0200)]
fix PVEFW-FORWARD chain not being used
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Wed, 11 Apr 2018 12:26:15 +0000 (14:26 +0200)]
bump version to 3.0-8
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 29 Mar 2018 07:48:28 +0000 (09:48 +0200)]
ebtables_get_chains: deal with empty chains
Since we don't have signatures in ebtables we need to also
see empty chains to not think we have to create them.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:31 +0000 (10:53 +0200)]
add ebtables dependency
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:30 +0000 (10:53 +0200)]
avoid double spaces in ruleset_addrule
ebtables doesn't have comment rules we could store the
digest in, so we need to match the ebtables-save output
instead.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Wed, 28 Mar 2018 08:53:29 +0000 (10:53 +0200)]
apply ebtables_ruleset
need ebtables-save && ebtables-restore, the ebtables Debian package doesn't include them.
ebtables-restore needs to restore the full ruleset (atomically),
so we can't update only 1 chain
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Wed, 28 Mar 2018 08:53:28 +0000 (10:53 +0200)]
compile ebtables rules
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -p IPv4 -j ACCEPT #filter mac in iptables for ipv4, so we can speedup rules with conntrack established
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -i tap110i0 -j tap110i0-OUT
-A tap110i0-OUT -s ! 36:97:15:91:19:3c -j DROP
-A tap110i0-OUT -p ARP -j ACCEPT
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -j ACCEPT
-A PVEFW-FWBR-OUT -i veth130.1 -j veth130.1-OUT
-A veth130.1-OUT -s ! 36:95:a9:ae:f5:ec -j DROP
-A veth130.1-OUT -j ACCEPT
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:27 +0000 (10:53 +0200)]
/etc/services can also define 'sctp' services
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:26 +0000 (10:53 +0200)]
add get_etc_ethertypes
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:25 +0000 (10:53 +0200)]
parse_protocol_file: support lines without end comments
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:24 +0000 (10:53 +0200)]
split parser out of get_etc_protocols
Into a reusable parse_protocol_file.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Mon, 12 Mar 2018 13:58:19 +0000 (14:58 +0100)]
bump version to 3.0-7
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fabian Grünbichler [Mon, 12 Mar 2018 11:38:51 +0000 (12:38 +0100)]
multiport: add explaining comment
about ordering single port matches before multiport matches,
and improve readability by adding some blank lines after returns.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Wolfgang Bumiller [Mon, 12 Mar 2018 10:55:18 +0000 (11:55 +0100)]
fix and improve multiport handling
The multiport `--ports` parameter is an `OR` match on source
and destination ports, so we should not use it.
We also don't actually use the port count, so let the port
range parser simply return a boolean and use the counter
only for the internal check. This also fixes a regression
caused by the previous multiport check which caused a single
port range to be recognized as a multiport option while it
did not have to be one, causing entries such as the SMB
macro to be added with `--match multiport` mistakenly, which
refused to accept the source port option.
Additionally, we now allow the case with 1 multiport and 1
single port entry: In order for the iptables command to
accept this the single port entry must come first, otherwise
it'll be passed to the multiport matcher (because why
shouldn't it interpret a singular `--Xport` as an alias to
the plural version `--Xports`... *sigh*).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: 6a241ca745f7 ("check multiport limit in port ranges")
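The port-match rules described in the commit message above, shown as an added Python illustration (not pve-firewall's own Perl code): a lone range is not a multiport match, `--ports` is never used because it ORs source and destination, single-port matches are emitted before `-m multiport`, and the iptables limit of 15 ports per multiport match (a range counting as two) is enforced. The port syntax and the sample specs are assumptions.

```python
# Added illustration, not pve-firewall code. Assumed port syntax: "N", "N:M"
# and comma-separated lists of those; assumed iptables multiport limit: 15
# ports, a range counting as two.
MULTIPORT_LIMIT = 15


def parse_ports(spec):
    """Return True if `spec` needs -m multiport, False if plain --sport/--dport
    suffices. Raises ValueError for bad ports or when the multiport limit is
    exceeded. A single range such as "1024:65535" is NOT multiport: the plain
    port options accept ranges, only comma lists need the multiport module."""
    count = 0
    items = spec.split(",")
    for item in items:
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            if not (0 <= lo <= hi <= 65535):
                raise ValueError(f"invalid port range {item!r}")
            count += 2  # iptables counts a range as two ports
        else:
            port = int(item)
            if not 0 <= port <= 65535:
                raise ValueError(f"invalid port {item!r}")
            count += 1
    if count > MULTIPORT_LIMIT:
        raise ValueError(f"{spec!r} uses {count} ports, limit is {MULTIPORT_LIMIT}")
    return len(items) > 1


def port_match_args(proto, sport=None, dport=None):
    """Build the iptables argument list for a rule's port matches.

    Single-port matches go first: once -m multiport is on the command line the
    multiport matcher interprets a later --sport/--dport as --sports/--dports.
    --sports/--dports are kept separate; --ports would OR both directions."""
    args = ["-p", proto]
    deferred = []  # multiport options, appended after the single ones
    for flag, spec in (("sport", sport), ("dport", dport)):
        if spec is None:
            continue
        if parse_ports(spec):
            deferred += [f"--{flag}s", spec]
        else:
            args += [f"--{flag}", spec]
    if deferred:
        args += ["-m", "multiport"] + deferred
    return args
```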
Dietmar Maurer [Thu, 8 Mar 2018 12:53:54 +0000 (13:53 +0100)]
bump version to 3.0-6
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:56 +0000 (13:33 +0100)]
build: use git rev-parse for GITVERSION
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:55 +0000 (13:33 +0100)]
debian: remove duplicate dh_systemd_enable code
dh_systemd_enable already includes this snippet via the #DEBHELPER#
stanza, no need to duplicate it manually.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:54 +0000 (13:33 +0100)]
debian: drop preinst
the only actual code was for upgrading from PVE 3 to PVE 4..
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:53 +0000 (13:33 +0100)]
debian: switch to compat 9
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:52 +0000 (13:33 +0100)]
debian: drop init scripts
and switch to plain dh_systemd_*
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:51 +0000 (13:33 +0100)]
fix #1319: don't fail postinst with masked service
by using "try-reload-or-restart" instead of "reload-or-restart"
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Wolfgang Bumiller [Thu, 8 Mar 2018 11:06:21 +0000 (12:06 +0100)]
check multiport limit in port ranges
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 7 Dec 2017 07:31:53 +0000 (08:31 +0100)]
bump version to 3.0-5
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 7 Dec 2017 07:30:01 +0000 (08:30 +0100)]
honor disabled flag on group rules again
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 16 Nov 2017 10:42:37 +0000 (11:42 +0100)]
bump version to 3.0-4
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Dominik Csapak [Wed, 15 Nov 2017 10:41:34 +0000 (11:41 +0100)]
sort ipsets so that the digest is consistent
otherwise, editing an ipset randomly works (or not) due to
a wrong digest
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Tom Weber [Wed, 18 Oct 2017 20:24:10 +0000 (22:24 +0200)]
remove ruleset_generate_match, ruleset_generate_action
ruleset_generate_match and ruleset_generate_action not used anymore
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:09 +0000 (22:24 +0200)]
remove unused ruleset_generate_rule_insert
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:08 +0000 (22:24 +0200)]
cleanup parameters to ruleset_generate_rule
remove $actions and $goto - not used anymore
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:07 +0000 (22:24 +0200)]
rule_substitude_action, remove ruleset_generate_rule_old
implement rule_substitude_action
eliminate use of ruleset_generate_rule_old and remove it
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:06 +0000 (22:24 +0200)]
remove unused ruleset_generate_cmdstr
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:05 +0000 (22:24 +0200)]
implement ipt_rule_to_cmds, ruleset_add_ipt_cmd
ipt_rule_to_cmds converts a %rule to an array of iptables commands
ruleset_add_ipt_cmd adds such an iptables command to a chain
ruleset_generate_rule uses these now
ruleset_generate_rule_old is an interim workaround
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:04 +0000 (22:24 +0200)]
iptables address matching in own subroutine
put generation of iptables source/destination address matching
in own subroutine and use this in ruleset_generate_match
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:03 +0000 (22:24 +0200)]
eliminate unused nbdport in pve_std_chains_conf
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:02 +0000 (22:24 +0200)]
make $pve_std_chains a copy of $pve_std_chains_conf
create a new $pve_std_chains with $pve_std_chains_conf as template on
every compilation of the rules. This avoids persistent changes to the
$pve_std_chains and makes it easier to read the std_chains configuration
from external config files (later to implement).
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:01 +0000 (22:24 +0200)]
convert string based rule definitions to hashes
also extending %rule with log,logmsg,match,target
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:00 +0000 (22:24 +0200)]
integrate logging into ruleset_addrule
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:23:59 +0000 (22:23 +0200)]
prepare code for more generic firewall logging
making ruleset generation aware of a match and action
part in iptable rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:23:58 +0000 (22:23 +0200)]
remove unused $rule_format
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Philip Abernethy [Mon, 16 Oct 2017 08:59:23 +0000 (10:59 +0200)]
Use run_cli_handler instead of deprecated run_cli
Fabian Grünbichler [Tue, 17 Oct 2017 12:24:01 +0000 (14:24 +0200)]
pvefw-logger: fix typo
Fabian Grünbichler [Wed, 4 Oct 2017 09:05:33 +0000 (11:05 +0200)]
build: reformat debian/control
using wrap-and-sort -abt
Wolfgang Bumiller [Tue, 12 Sep 2017 12:43:13 +0000 (14:43 +0200)]
bump version to 3.0-3
Wolfgang Bumiller [Wed, 6 Sep 2017 07:35:04 +0000 (09:35 +0200)]
buildsys: clean: remove .buildinfo files
Wolfgang Bumiller [Mon, 4 Sep 2017 08:56:59 +0000 (10:56 +0200)]
Fix #1492: logger: print timestamps only if we have one
There's no guarantee that there's a timestamp in an skb, so
nflog_get_timestamp can fail.
Wolfgang Bumiller [Mon, 17 Jul 2017 13:27:44 +0000 (15:27 +0200)]
bump version to 3.0-2
Emmanuel Kasper [Mon, 17 Jul 2017 12:50:26 +0000 (14:50 +0200)]
Fix #1446: allow pve-firewall package install twice in a row
On package removal (!= purge) systemd units are masked.
The postinst script has then to reenable these units at the
beginning of the 'configure' step.
Our other packages are doing this manually, or automatically
when the dh_systemd_enable helpers generated a postinst,
but this was missing here.
Wolfgang Bumiller [Wed, 22 Mar 2017 11:53:34 +0000 (12:53 +0100)]
log errors encountered by the daemon to syslog
Wolfgang Bumiller [Wed, 22 Mar 2017 11:53:33 +0000 (12:53 +0100)]
forbid trailing commas in lists
iptables-restore doesn't allow them
Fabian Grünbichler [Thu, 9 Mar 2017 13:04:44 +0000 (14:04 +0100)]
bump version to 3.0-1
Fabian Grünbichler [Thu, 9 Mar 2017 13:04:06 +0000 (14:04 +0100)]
buildsys: update upload target
Fabian Grünbichler [Thu, 9 Mar 2017 13:49:20 +0000 (14:49 +0100)]
buildsys: fix deb target dependencies
Fabian Grünbichler [Thu, 9 Mar 2017 13:03:45 +0000 (14:03 +0100)]
buildsys: remove fakeroot from dpkg-buildpackage
Wolfgang Bumiller [Fri, 10 Feb 2017 12:57:59 +0000 (13:57 +0100)]
buildsys: use dpkg-architecture
Wolfgang Bumiller [Mon, 6 Feb 2017 11:07:23 +0000 (12:07 +0100)]
logger: drop gthread dependency
g_thread_new is part of glib directly, libgthread only
contains the deprecated g_thread_init() & friends which we
do not use.
This silences a build warning.
Wolfgang Bumiller [Mon, 6 Feb 2017 11:05:01 +0000 (12:05 +0100)]
buildsys: depend on lsb-base
Wolfgang Bumiller [Tue, 31 Jan 2017 10:15:22 +0000 (11:15 +0100)]
simulator: make lxc/qemu optional
Wolfgang Bumiller [Mon, 6 Feb 2017 10:52:54 +0000 (11:52 +0100)]
buildsys: make job safety
Thomas Lamprecht [Tue, 13 Dec 2016 12:13:39 +0000 (13:13 +0100)]
fix ambiguous if statements
the function nflog_bind_pf(...) returns an integer smaller than 0 on a
failure, we negated that which results in 1 if no failure and 0 if
there was a failure.
This is ambiguous and as no parentheses are set the GCC 6 warning
"logical-not-parentheses" gets triggered.
Use a simple
nflog_bind_pf(...) < 0
check instead.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Tue, 29 Nov 2016 11:18:41 +0000 (12:18 +0100)]
bump version to 2.0-33
Wolfgang Bumiller [Tue, 29 Nov 2016 11:06:23 +0000 (12:06 +0100)]
ipset: don't allow the creation of zero-prefix entries
Wolfgang Bumiller [Tue, 29 Nov 2016 11:06:22 +0000 (12:06 +0100)]
ipsets: catch zero-prefix entries
This way the error is visible with pve-firewall compile
without breaking the rest.
Dietmar Maurer [Tue, 29 Nov 2016 05:42:32 +0000 (06:42 +0100)]
bump version to 2.0-32
Wolfgang Bumiller [Wed, 23 Nov 2016 09:23:36 +0000 (10:23 +0100)]
improve search for local-network
Skip zero-prefix routes as they make no sense to be
considered (and ipset doesn't allow ::/0 to be added
anyway).
Support /128 local addresses by also checking for identical
addresses beside b-in-a overlapping.
Dietmar Maurer [Thu, 6 Oct 2016 06:34:17 +0000 (08:34 +0200)]
bump version to 2.0-31
Dietmar Maurer [Thu, 6 Oct 2016 06:33:42 +0000 (08:33 +0200)]
use new repoman for upload target
Wolfgang Bumiller [Wed, 5 Oct 2016 13:36:55 +0000 (15:36 +0200)]
don't try to apply ports to rules which don't support them
Wolfgang Bumiller [Wed, 5 Oct 2016 13:36:54 +0000 (15:36 +0200)]
remove redundant checks
Dietmar Maurer [Fri, 16 Sep 2016 06:53:27 +0000 (08:53 +0200)]
bump version to 2.0-30
Emmanuel Kasper [Mon, 5 Sep 2016 14:03:26 +0000 (16:03 +0200)]
add multicast DNS to the list of Macros
multicast DNS makes it possible to quickly access hosts without the need to
configure a DNS server
Dietmar Maurer [Mon, 5 Sep 2016 08:22:51 +0000 (10:22 +0200)]
add missing parameter descriptions
Wolfgang Bumiller [Tue, 28 Jun 2016 13:02:01 +0000 (15:02 +0200)]
build-depends: add dh-systemd
Dietmar Maurer [Fri, 3 Jun 2016 14:46:55 +0000 (16:46 +0200)]
bump version to 2.0-29
Dominik Csapak [Fri, 3 Jun 2016 14:11:27 +0000 (16:11 +0200)]
prevent overwriting ipsets/sec. groups by renaming
we did not check if the target name of the group/ipset
already existed, so we overwrote them
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 3 Jun 2016 13:14:24 +0000 (15:14 +0200)]
fix allowed group name length
the allowed length for an iptables chain is 28 chars
we had a max set of 20 but a format of
GROUP-<name>-IN and
GROUP-<name>-OUT
where <name> is the group name
but GROUP--OUT is 10 chars, so we just allow 18 chars max
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 3 Jun 2016 13:14:23 +0000 (15:14 +0200)]
make group digest stable
if we had multiple security groups and wanted to
edit one, we did not have a stable digest,
because perl hashes are not sorted
this patch sorts the keys before hashing
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
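Both this commit and the earlier "sort ipsets so that the digest is consistent" fix address the same failure: a digest computed in hash iteration order changes from run to run, so an edit that checks the digest before writing is rejected or accepted at random. The following is an added Python illustration, not pve-firewall's Perl code; the SHA-1-over-lines format, the sample groups and the rule strings are constructed assumptions.

```python
# Added illustration, not pve-firewall code. Assumed digest format: SHA-1 over
# one line per group name and one line per rule.
import hashlib


def digest_unsorted(groups):
    """Digest in dict iteration order. The same config parsed in a different
    order (Perl hash order is randomized per process) gives a different value."""
    h = hashlib.sha1()
    for name, rules in groups.items():
        h.update(f"{name}\n".encode())
        for rule in rules:
            h.update(f"{rule}\n".encode())
    return h.hexdigest()


def digest_sorted(groups):
    """Stable digest: iterate group names in sorted order. Rule order inside a
    group is meaningful (first match wins), so it is kept as-is."""
    h = hashlib.sha1()
    for name in sorted(groups):
        h.update(f"{name}\n".encode())
        for rule in groups[name]:
            h.update(f"{rule}\n".encode())
    return h.hexdigest()


def update_group(groups, name, new_rules, client_digest, digest_fn=digest_sorted):
    """Apply an edit only if the digest the client read still matches the
    current config; a stale or concurrent edit is rejected instead of silently
    overwriting someone else's change. Returns the new digest."""
    if digest_fn(groups) != client_digest:
        raise ValueError("digest mismatch: config changed since it was read")
    groups[name] = list(new_rules)
    return digest_fn(groups)


# Constructed sample: the same two groups, as parsed in two different orders.
CONFIG_A = {"webservers": ["IN ACCEPT -p tcp -dport 80"],
            "dbservers": ["IN ACCEPT -p tcp -dport 5432"]}
CONFIG_B = {"dbservers": ["IN ACCEPT -p tcp -dport 5432"],
            "webservers": ["IN ACCEPT -p tcp -dport 80"]}
```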
Dietmar Maurer [Fri, 3 Jun 2016 09:02:06 +0000 (11:02 +0200)]
bump version to 2.0-28
Wolfgang Bumiller [Fri, 3 Jun 2016 08:40:13 +0000 (10:40 +0200)]
use pve-common's ipv4_mask_hash_localnet
Dietmar Maurer [Tue, 17 May 2016 06:00:12 +0000 (08:00 +0200)]
bump version to 2.0-27
Fabian Grünbichler [Fri, 13 May 2016 08:23:10 +0000 (10:23 +0200)]
fix #972: make PVEFW-FWBR-* rule order stable
by sorting the VM/CT IDs and the VM/CT config keys before
iterating over them.
Dietmar Maurer [Mon, 9 May 2016 08:02:07 +0000 (10:02 +0200)]
bump version to 2.0-26