[pve-devel] [PATCH firewall] check multiport limit in port ranges
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Mar 8 11:36:06 CET 2018
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
src/PVE/Firewall.pm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 2feac54..f8d6009 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1030,6 +1030,7 @@ sub parse_port_name_number_or_range {
my $services = PVE::Firewall::get_etc_services();
my $count = 0;
+ my $range_count = 0;
my $icmp_port = 0;
my @elements = split(/,/, $str);
@@ -1037,6 +1038,7 @@ sub parse_port_name_number_or_range {
foreach my $item (@elements) {
$count++;
if ($item =~ m/^(\d+):(\d+)$/) {
+ $range_count++;
my ($port1, $port2) = ($1, $2);
die "invalid port '$port1'\n" if $port1 > 65535;
die "invalid port '$port2'\n" if $port2 > 65535;
@@ -1056,6 +1058,12 @@ sub parse_port_name_number_or_range {
die "ICPM ports not allowed in port range\n" if $icmp_port && $count > 1;
+ # I really don't like to use the word number here, but it's the only thing
+ # that makes sense in a literal way. The range 1:100 counts as 2, not as
+ # one and not as 100...
+ die "too many entries in port list (> 15 numbers)\n"
+ if $count + $range_count > 15;
+
return $count;
}
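Review bot: The literal 15 in the new check at the end of parse_port_name_number_or_range appears in both the condition and the error message, and the comment above it explains how entries are counted but not where the limit comes from. The commit title points at the iptables multiport match, which accepts at most 15 ports and counts a port:port range as two. I would state that in the comment and name the value, e.g. `my $max_multiport_entries = 15; # iptables multiport: at most 15 ports, a range uses two`, then interpolate it into the `die` message so the two cannot drift apart. Whether every caller of this function ends up emitting a multiport match is not visible here, since the function starts outside the hunk; if some callers do not, the limit may reject lists that would otherwise be valid for them.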
--
2.11.0