[pve-devel] applied: [PATCH firewall] fix CT rule generation with ipfilter set
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue May 28 08:24:02 CEST 2019
commit 255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an
error from happening but wasn't too well thought out, perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...
But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...
First one makes $ip always boolean true (1 in perl) if the if branch
is hit, and the second really has then the $ip value in it.
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
applied to master and stable-5
src/PVE/Firewall.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index abcc1e8..b08cea5 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3782,7 +3782,7 @@ sub compile_ebtables_filter {
push(@$arpfilter, $ip);
}
}
- if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+ if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) {
# ebtables changes this to a .0/MASK network but we just
# want the address here, no network - see #2193
$ip =~ s|/(\d+)$||;
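Review bot: The new condition `defined(my $ip = $net->{ip})` also passes for an empty string or any other defined value that is not an address, so the `$ip =~ s|/(\d+)$||;` substitution below can run on a value that was never an IP. Consider testing for a non-empty value (or validating it as an address) before the ipfilter branch uses it. A short comment next to the parenthesised assignment, saying that the parentheses are needed because `&&` binds tighter than `=`, would help keep the precedence mistake described in the commit message from being reintroduced.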
--
2.20.1