[pve-devel] [PATCH] Added the optional ! (invert sense) of IPs/IPset/range in Firewall rules
Flavius Bindea
flav at flav.com
Tue May 12 22:51:46 CEST 2015
Hello,
Spaces are allowed in order to look like iptables syntax.
I'll add some regression tests.
Regards,
Flav
2015-05-12 8:37 GMT+02:00 Dietmar Maurer <dietmar at proxmox.com>:
>> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
>> index 2bdff20..a3b4ccb 100644
>> --- a/src/PVE/Firewall.pm
>> +++ b/src/PVE/Firewall.pm
>> @@ -960,6 +960,11 @@ sub compute_ipfilter_ipset_name {
>> sub parse_address_list {
>> my ($str) = @_;
>>
>> + # if it is a not
>> + if ($str =~ m/^!\s*(.*)/) {
>> + $str = $1;
>> + }
>> +
>
> Why do we allow spaces after '!'?
>
>> if ($str =~ m/^(\+)(\S+)$/) { # ipset ref
>> die "ipset name too long\n" if length($str) > ($max_ipset_name_length + 1);
>> return;
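Review bot: The new match `m/^!\s*(.*)/` at the top of parse_address_list also accepts a bare `!` (or `!` followed only by whitespace), which leaves `$str` empty for the checks that follow. Consider requiring something after the marker, for example `m/^!\s*(\S.*)$/`, and dying with a clear message otherwise. The negation is also discarded here while ruleset_generate_cmdstr strips the prefix again with its own `s/^!\s*//`; one small shared helper would keep validation and rule generation from drifting apart. The comment `# if it is a not` would be more useful if it stated the accepted syntax (an optional leading '!' inverts the match).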
>> @@ -1634,16 +1639,20 @@ sub ruleset_generate_cmdstr {
>> my $source = $rule->{source};
>> my $dest = $rule->{dest};
>>
>> + my $negate = "";
>> if ($source) {
>> + if ($source =~ s/^!\s*//) {
>> + $negate = "! ";
>> + }
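Review bot: `my $negate = "";` is declared once, outside `if ($source)`, so after a negated source it keeps the value `"! "` for the rest of the function. If the `$dest` handling further down reuses it without a reset, a rule with a negated source and a plain dest would end up with both inverted; separate variables such as `$src_negate` and `$dst_negate`, or an explicit reset before the dest block, would rule that out.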
>
> same here - why spaces?
>
> Also, would you mind providing some regression tests for
> this new feature?
>