From f78c7ca05b7037beef82ab57bcfd269d8b4adccc Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 9 Jan 2020 12:55:13 +0100
Subject: [PATCH] api node: always pass cluster conf to node FW parser
As else the parsing may lead to "false positive" errors, as cluster wide aliases and other definitions are seemingly missing.
Reproducer:
* add *cluster* alias
* add+enable *host* rule using that alias
* enable FW on DC and node level
* go to Node -> FW -> Options
* check journal/syslog for error like:
> pveproxy[1339680]: /etc/pve/nodes/dev6/host.fw (line 3) - errors in rule parameters: IN ACCEPT -source test123 -p tcp -sport 22 -log nolog
> pveproxy[1339680]: source: no such alias 'test123'
Signed-off-by: Thomas Lamprecht
---
 src/PVE/API2/Firewall/Host.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index d02619a..2303494 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -86,7 +86,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
 return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
 }});
@@ -117,7 +118,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
 my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
 PVE::Tools::assert_if_modified($digest, $param->{digest});
-- 
2.39.2
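Review bot: Nothing at either call site records why the cluster config must be loaded before the host config, so the added `load_clusterfw_conf()` call reads like optional setup that a later cleanup could remove. The same two-line pair is added here and in the second hunk (`@@ -117,7 +118,8 @@`). A one-line comment above the pair would pin the dependency, e.g. `# load cluster conf first: host rules may reference cluster-wide aliases and other definitions the host parser must resolve`. Because both handlers need the identical sequence, a small private helper in this file would keep them from drifting apart. Both handler bodies start outside the hunks.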
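Review bot: In the update handler nothing visible in this hunk serialises the two config loads, the `assert_if_modified` digest check and the write that presumably follows outside the hunk. The digest also covers only `$hostfw_conf->{options}`. If that sequence does not run under a config lock elsewhere, two concurrent option updates can both pass the digest check and the later save overwrites the earlier one, which for a firewall setting may mean an option silently reverting. It is worth confirming that the whole load, check and save path holds the host firewall config lock, or adding that in a follow-up.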