[pve-devel] [PATCH firewall] improve search for local-network
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Nov 23 10:23:36 CET 2016
Skip zero-prefix routes as they make no sense to be
considered (and ipset doesn't allow ::/0 to be added
anyway).
Support /128 local addresses by also checking for identical
addresses beside b-in-a overlapping.
---
This should fix:
https://forum.proxmox.com/threads/firewall-syslog-problem.30390/#post-153064
src/PVE/Firewall.pm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cf96564..ef74ca2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -911,13 +911,17 @@ sub local_network {
my $mask;
if ($isv6) {
$mask = $entry->{prefix};
+ next if !$mask; # skip the default route...
} else {
$mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
next if !defined($mask);
}
my $cidr = "$entry->{dest}/$mask";
my $testnet = Net::IP->new($cidr);
- if ($testnet->overlaps($testip) == $Net::IP::IP_B_IN_A_OVERLAP) {
+ my $overlap = $testnet->overlaps($testip);
+ if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
+ $overlap == $Net::IP::IP_IDENTICAL)
+ {
$__local_network = $cidr;
return;
}
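Review bot: the zero-prefix skip (`next if !$mask;`) is added only in the `$isv6` branch, while the commit message speaks of zero-prefix routes in general. The IPv4 branch still relies on `next if !defined($mask);` after the `ipv4_mask_hash_localnet` lookup, so whether a 0.0.0.0 mask is skipped depends on the contents of that hash, which are not visible in this hunk. Either add a short comment stating that the hash never yields a zero prefix, or apply the same `!$mask` test in the else branch so both paths are obviously consistent. Separately, `$overlap` is compared with `==` twice without a defined check; Net::IP's overlaps() returns undef on error, which would produce uninitialized-value warnings here, so a `next if !defined($overlap);` before the comparison would be safer.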
--
2.1.4