[pve-devel] [PATCH] firewall autodisable
Alen Grizonic
a.grizonic at proxmox.com
Thu Jun 25 10:06:27 CEST 2015
Change the type of the firewall enable parameter from boolean to integer so that
it can store the timestamp of the firewall enable call; this is used to avoid a remote admin lockout.
Signed-off-by: Alen Grizonic <a.grizonic at proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 7 ++++---
src/PVE/Firewall.pm | 8 ++++++--
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 0f6b98c..b924f4e 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -73,7 +73,8 @@ __PACKAGE__->register_method({
my $option_properties = {
enable => {
- type => 'boolean',
+ type => 'integer',
+ minimum => 0,
optional => 1,
},
policy_in => {
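Review bot: The `enable` schema entry has no `description`, so nothing tells an API user that the value is now overloaded. Reading the handler in the next hunk together with parse_clusterfw_option in src/PVE/Firewall.pm, 0 appears to mean off, 1 on, and any larger value is replaced by the server's `time()` and read back as off once it is more than 60 seconds old. I would add something like `description => "0 = off, 1 = on, >1 = on for 60 seconds, then off again",` here, and a one-line comment above the `$param->{enable} = time();` assignment in the second hunk. Since the timed mode ends with the firewall disabled, it should not be something a client can trigger without knowing what it does.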
@@ -163,8 +164,8 @@ __PACKAGE__->register_method({
}
}
- if (defined($param->{enable})) {
- $param->{enable} = $param->{enable} ? 1 : 0;
+ if (defined($param->{enable}) && ($param->{enable} > 1)) {
+ $param->{enable} = time();
}
foreach my $k (keys %$option_properties) {
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f0c105e..54e50bb 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1106,7 +1106,8 @@ my $rule_properties = {
optional => 1,
},
enable => {
- type => 'boolean',
+ type => 'integer',
+ minumum => 0,
optional => 1,
},
sport => {
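Review bot: `minumum => 0` in the rule `enable` property is a misspelling of `minimum`, so the lower bound is presumably never applied and negative values would pass validation; it should read `minimum => 0,` as in Cluster.pm. It is also worth confirming that `$rule_properties` was meant to change at all. The commit message only describes the cluster-wide enable timestamp, while this hunk turns the per-rule enable flag into an integer. If only the cluster option needs the timestamp, keeping `type => 'boolean',` here avoids widening what a rule accepts.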
@@ -2360,9 +2361,12 @@ sub parse_clusterfw_option {
my ($opt, $value);
- if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable):\s*(\d+)\s*$/i) {
$opt = lc($1);
$value = int($2);
+ if (($value > 1) && ((time() - $value) > 60)) {
+ $value = 0
+ }
} elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
$opt = lc($1);
$value = uc($3);
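Review bot: The expiry test `(time() - $value) > 60` only covers timestamps in the past. A stored value ahead of the reading node's clock (clock skew, or a hand-edited file) gives a negative age, so the option stays enabled until that moment plus 60 seconds, while a node whose clock runs ahead reads it as `0` early. Because the expired state is the firewall being off, the intended behaviour for a negative age should be decided and written down, for example with a comment such as `# enable > 1 is the time() of a timed enable; reads as 0 once older than 60s; a future value is not expired by this test`. The literal `60` would also read better as a named constant. parse_clusterfw_option continues outside this hunk.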
--
2.1.4