[pve-devel] applied: [PATCH firewall] fix CT rule generation with ipfilter set

Thomas Lamprecht t.lamprecht at proxmox.com
Tue May 28 08:24:02 CEST 2019


commit 255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an
error from happening but wasn't too well thought out; Perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...

But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...

The first one makes $ip always boolean true (1 in Perl) if the if branch
is hit, and the second one really has the $ip value in it.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---

applied to master and stable-5

 src/PVE/Firewall.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index abcc1e8..b08cea5 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3782,7 +3782,7 @@ sub compile_ebtables_filter {
 			push(@$arpfilter, $ip);
 		    }
 		}
-		if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+		if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) {
 		    # ebtables changes this to a .0/MASK network but we just
 		    # want the address here, no network - see #2193
 		    $ip =~ s|/(\d+)$||;
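Review bot: the new `defined(my $ip = $net->{ip})` guard is a strictly weaker test than the truthiness check it replaces: an empty string `''` is defined, so if `$net->{ip}` can ever be `''` the branch is now entered, `$ip =~ s|/(\d+)$||;` leaves it empty, and an empty address flows into the ebtables rule that follows. If empty values are possible from the config parser, add a length check (`defined(my $ip = $net->{ip}) && length($ip) && $vmfw_conf->{options}->{ipfilter}`), or keep the original truthiness semantics with the grouping corrected: `if ((my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter})`. Either way the scoping is fine: `my $ip` declared in the condition is visible only inside the if block, so it does not collide with the `$ip` pushed onto `@$arpfilter` above.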
-- 
2.20.1
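As an added example, not part of the patch or of the Proxmox firewall code, the following standalone Perl script reproduces both forms of the guard as small functions and runs them over a few constructed inputs. It shows that the old form ends up with `1` in `$ip` (so the prefix-length strip does nothing and "1" is what reaches the rule), and that the fixed form, because it tests `defined` rather than truth, also admits an empty string:

```perl
#!/usr/bin/env perl
# Added example (not Proxmox code): what each form of the guard leaves in $ip.
use strict;
use warnings;

# Mimics the fixed guard: binds $ip to the raw value first, then tests ipfilter.
sub fixed_guard {
    my ($net, $opts) = @_;
    if (defined(my $ip = $net->{ip}) && $opts->{ipfilter}) {
        $ip =~ s|/(\d+)$||;    # strip the prefix length, as in the hunk
        return $ip;
    }
    return undef;
}

# Mimics the old guard: `my $ip = A && B` parses as `my $ip = (A && B)`,
# so $ip receives the result of the && (the ipfilter option value) rather than the address.
sub old_guard {
    my ($net, $opts) = @_;
    if (my $ip = $net->{ip} && $opts->{ipfilter}) {
        $ip =~ s|/(\d+)$||;
        return $ip;
    }
    return undef;
}

# Constructed sample cases, not taken from any real VM or CT configuration.
my @cases = (
    [ { ip => '10.0.0.5/24' }, { ipfilter => 1 } ],
    [ { ip => '10.0.0.5/24' }, { ipfilter => 0 } ],
    [ { ip => undef },         { ipfilter => 1 } ],
    [ { ip => '' },            { ipfilter => 1 } ],   # defined but empty
);

for my $c (@cases) {
    my ($net, $opts) = @$c;
    my $shown = defined $net->{ip} ? "'$net->{ip}'" : 'undef';
    printf "ip=%-14s ipfilter=%d  old=%-6s fixed=%s\n",
        $shown, $opts->{ipfilter},
        map { defined $_ ? "'$_'" : 'undef' }
            old_guard($net, $opts), fixed_guard($net, $opts);
}
```

Run it with `perl precedence.pl`: the first case prints `old='1' fixed='10.0.0.5'`, which is the bug the patch fixes; the last case prints `old=undef fixed=''`, which is the behavioural difference between the truthiness test and `defined()` that a reviewer would want to confirm is harmless for this config source.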