[pve-devel] [PATCH firewall 2/2] fix #2004: do not allow backwards ranges

Alwin Antreich a.antreich at proxmox.com
Fri Nov 30 11:11:47 CET 2018


On Fri, Nov 30, 2018 at 09:53:50AM +0100, Dominik Csapak wrote:
> ranges like 10:5 are allowed by us, but iptables throws an error
> that is only visible in the syslog and the firewall rules do not
> get updated
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 035dc7e..d7d1439 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -1054,6 +1054,7 @@ sub parse_port_name_number_or_range {
>  	    my ($port1, $port2) = ($1, $2);
>  	    die "invalid port '$port1'\n" if $port1 > 65535;
>  	    die "invalid port '$port2'\n" if $port2 > 65535;
> +	    die "backwards range '$port1:$port2'\n" if $port1 > $port2;
Couldn't we go ahead and switch the ports to get an acceptable range for
iptables? I suspect that a user will change the port order to get the
rule applied anyway.

If we don't want to switch ports, then IMHO the message needs more
information. Like e.g. "backwards range '$port1:$port2' not allowed, use
forward ranges".

>  	} elsif ($item =~ m/^([0-9]+)$/) {
>  	    $count += 1;
>  	    my $port = $1;
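Review bot: the new `die` in the range branch closes the gap described in the commit message (10:5 passed our parser but failed inside iptables, with the error only reaching syslog), but the message text gives the user no hint how to repair the rule; "backwards range '$port1:$port2' not allowed, use forward ranges" or similar would make the rejection actionable. It would also help to state in the commit message why rejecting was preferred over normalising the range by swapping the ends, since either behaviour is defensible and the choice is not obvious from the one-line diff. Equal ends (e.g. 80:80) still pass, which matches what iptables accepts.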
> -- 
> 2.11.0
> 
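As an added illustration, not code from the patch or from the PVE code base, the following stand-alone Perl sketch puts the two options discussed in this reply side by side: a check that rejects a backwards range with a descriptive message (the patch's approach), and a variant that normalises the range by swapping its ends. The function names and the sample inputs are made up for the example.

```perl
#!/usr/bin/perl
# Added example (not Proxmox code): two ways of handling a backwards
# port range such as 10:5 before the rule is handed to iptables.
use strict;
use warnings;

# Reject mode, as in the patch: refuse the range and tell the user how
# to fix it. Hypothetical function name.
sub check_port_range {
    my ($range) = @_;
    if ($range =~ m/^([0-9]+):([0-9]+)$/) {
        my ($port1, $port2) = ($1, $2);
        die "invalid port '$port1'\n" if $port1 > 65535;
        die "invalid port '$port2'\n" if $port2 > 65535;
        die "backwards range '$port1:$port2' not allowed, use forward ranges\n"
            if $port1 > $port2;
        return "$port1:$port2";
    } elsif ($range =~ m/^([0-9]+)$/) {
        my $port = $1;
        die "invalid port '$port'\n" if $port > 65535;
        return $port;
    }
    die "invalid port or range '$range'\n";
}

# Swap mode, as suggested in the reply: silently turn 10:5 into 5:10.
# Trade-off: the rule applies, but a typo in the range is no longer
# surfaced to the user. Hypothetical function name.
sub normalize_port_range {
    my ($range) = @_;
    if ($range =~ m/^([0-9]+):([0-9]+)$/) {
        my ($port1, $port2) = ($1, $2);
        die "invalid port '$port1'\n" if $port1 > 65535;
        die "invalid port '$port2'\n" if $port2 > 65535;
        ($port1, $port2) = ($port2, $port1) if $port1 > $port2;
        return "$port1:$port2";
    }
    # Single ports and garbage go through the same checks as reject mode.
    return check_port_range($range);
}

# Constructed sample inputs: a single port, a forward range, a backwards
# range, and an out-of-range port.
for my $input (qw(80 5:10 10:5 70000)) {
    for my $mode (['reject', \&check_port_range],
                  ['swap',   \&normalize_port_range]) {
        my ($name, $fn) = @$mode;
        my $res = eval { $fn->($input) };
        # die messages end in "\n", so $@ already carries the newline
        printf "%-6s %-8s -> %s", $name, "'$input'",
            defined $res ? "$res\n" : "error: $@";
    }
}
```

Running it shows the difference on the 10:5 input only: reject mode dies with the descriptive message, swap mode returns 5:10; the other inputs behave identically in both modes.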