[pve-devel] [PATCH v2 firewall 2/2] let multiport parser return only a boolean

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Mar 12 08:46:37 CET 2018


Keep the count for internal checking only and just return
whether the multiport matcher is required.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
Also fixes an undefined value usage in the new 'dport eq sport'
condition.

 src/PVE/Firewall.pm | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 54ad48a..0367d62 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1030,11 +1030,13 @@ sub parse_port_name_number_or_range {
 
     my $services = PVE::Firewall::get_etc_services();
     my $count = 0;
+    my $entries = 0;
     my $icmp_port = 0;
 
     my @elements = split(/,/, $str);
     die "extraneous commas in list\n" if $str ne join(',', @elements);
     foreach my $item (@elements) {
+	++$entries;
 	if ($item =~ m/^(\d+):(\d+)$/) {
 	    $count += 2;
 	    my ($port1, $port2) = ($1, $2);
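Review bot: Two counters now run side by side in this loop and nothing says how they differ, which the next reader will have to reconstruct from `$count += 2` on the range branch and the `> 15` die further down. I would add `# $entries: comma-separated items (decides whether a multiport match is needed); $count: port slots, a range counts twice, checked against the 15-port multiport limit below` next to the `my $entries = 0;` declaration. The enclosing sub `parse_port_name_number_or_range` starts before this hunk and its loop body continues past it.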
@@ -1063,7 +1065,7 @@ sub parse_port_name_number_or_range {
     die "too many entries in port list (> 15 numbers)\n"
 	if $count > 15;
 
-    return $count;
+    return ($entries>1);
 }
 
 PVE::JSONSchema::register_format('pve-fw-sport-spec', \&pve_fw_verify_sport_spec);
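Review bot: `return ($entries>1);` yields `1` or the empty string, so any caller that still treats the result numerically (the old contract was a count) gets `""` rather than `0` and a warning under numeric comparison; `return $entries > 1 ? 1 : 0;` keeps a plain 0/1 and costs nothing. Whether `pve_fw_verify_sport_spec` or the dport verifier registered here passes this value through is not visible in the hunk, so that is worth confirming. The sub's contract has also changed and should be stated above it, e.g. `# Validates the port list (dies on malformed or over-long specs) and returns true when more than one entry is given, i.e. an iptables multiport match is required.`; the sub's body starts before this hunk.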
@@ -1885,14 +1887,14 @@ sub ipt_rule_to_cmds {
 	if (my $proto = $rule->{proto}) {
 	    push @match, "-p $proto";
 
-	    my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
-	    my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
+	    my $multidport = defined($rule->{dport}) && parse_port_name_number_or_range($rule->{dport}, 1);
+	    my $multisport = defined($rule->{sport}) && parse_port_name_number_or_range($rule->{sport}, 0);
 
 	    # 0 = no multiport
 	    # 1 = multiport with different src and dst port ranges
 	    # 2 = multiport with identical port ranges
-	    my $multiport = ($nbdport > 1) || ($nbsport > 1);
-	    $multiport++ if $multiport && ($rule->{dport} eq $rule->{sport});
+	    my $multiport = ($multidport || $multisport) ? 1 : 0;
+	    $multiport++ if $multidport && $multisport && $rule->{dport} eq $rule->{sport};
 
 	    if ($rule->{dport}) {
 		if ($proto eq 'icmp') {
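Review bot: The three-valued `$multiport` is still built by a boolean-to-int ternary followed by `$multiport++`, so the reader has to combine the comment table with two statements to see that 2 is only reached when both sides are multiport with an identical spec; writing the second line as `$multiport = 2 if $multidport && $multisport && $rule->{dport} eq $rule->{sport};` states that directly. Note that `$multidport`/`$multisport` hold `""` or `1` (from `defined` and the boolean return), not counts, which is fine here because they are only used in boolean context, and that the `eq` is a plain string comparison of the raw specs, so reordered but equivalent lists fall into state 1 rather than 2, as before this change. `ipt_rule_to_cmds` begins before this hunk and continues after it.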
-- 
2.11.0




