[pve-devel] [PATCH firewall 2/2] ipset: don't allow the creation of zero-prefix entries

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Nov 29 12:06:23 CET 2016


---
 src/PVE/API2/Firewall/IPSet.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 6129c9d..ea6d1a2 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -187,6 +187,9 @@ sub register_create_ip {
 		    if $entry->{cidr} eq $cidr;
 	    }
 
+	    raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
+		if $cidr =~ m!/0+$!;
+
 	    # make sure alias exists (if $cidr is an alias)
 	    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
 		if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
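Review bot: The added test `if $cidr =~ m!/0+$!` inspects only the literal parameter text, so when `$cidr` is an alias name (the case handled just below it) the prefix length of the address behind the alias is not examined here. The visible lines call `PVE::Firewall::resolve_alias` without using its result, so this hunk does not show whether a zero-prefix alias target is rejected elsewhere. If it is not, the same test belongs on the resolved value; otherwise a comment such as `# zero-prefix check covers literal CIDRs only; alias targets are not inspected here` would record the limit. Minor: `$` also matches before a trailing newline, so `m!/0+\z!` is the stricter anchor. The body of `register_create_ip` starts and ends outside the hunk.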
-- 
2.1.4




