[pve-devel] [PATCH v2 firewall] check multiport limit in port ranges

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Mar 8 12:06:21 CET 2018


Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
Changes:
  We don't actually use the returned $count for anything other than
  checking whether it's >1 to know whether to use `--match multiport`.
  This still works when counting ranges as 2.

 src/PVE/Firewall.pm | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 2feac54..bc3d9fe 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1035,12 +1035,13 @@ sub parse_port_name_number_or_range {
     my @elements = split(/,/, $str);
     die "extraneous commas in list\n" if $str ne join(',', @elements);
     foreach my $item (@elements) {
-	$count++;
 	if ($item =~ m/^(\d+):(\d+)$/) {
+	    $count += 2;
 	    my ($port1, $port2) = ($1, $2);
 	    die "invalid port '$port1'\n" if $port1 > 65535;
 	    die "invalid port '$port2'\n" if $port2 > 65535;
 	} elsif ($item =~ m/^(\d+)$/) {
+	    $count += 1;
 	    my $port = $1;
 	    die "invalid port '$port'\n" if $port > 65535;
 	} else {
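Review bot: moving the unconditional `$count++` out of the loop head into the two numeric branches means whatever the `} else {` branch handles (not visible in this hunk) no longer contributes to the returned `$count`. Since callers use `$count > 1` to decide on `--match multiport`, either that branch needs its own `$count += 1`, or a short comment should state that entries parsed there are deliberately excluded from the multiport count.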
@@ -1054,7 +1055,13 @@ sub parse_port_name_number_or_range {
 	}
     }
 
-    die "ICPM ports not allowed in port range\n" if $icmp_port && $count > 1;
+    die "ICPM ports not allowed in port range\n" if $icmp_port && $count > 0;
+
+    # I really don't like to use the word number here, but it's the only thing
+    # that makes sense in a literal way. The range 1:100 counts as 2, not as
+    # one and not as 100...
+    die "too many entries in port list (> 15 numbers)\n"
+	if $count > 15;
 
     return $count;
 }
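Review bot: the relaxed ICMP condition (`$count > 1` becoming `$count > 0`) only holds if the ICMP-name branch no longer increments `$count` itself, so the two hunks depend on each other and a sentence in the commit message tying them together would help the next reader. While touching that `die` line, the long-standing "ICPM" typo could be corrected to "ICMP". For the new limit check, consider wording the message as "too many entries in port list (> 15, a range counts as two)" rather than "numbers", since that is what the comment above it is trying to explain.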
-- 
2.11.0