[pve-devel] [PATCH firewall 5/7] api/ipsets: parse_cidr before checking for duplicates

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Apr 29 10:52:54 CEST 2020


for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here.  otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/PVE/API2/Firewall/IPSet.pm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 913dd86..ec9326f 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -195,6 +195,13 @@ sub register_create_ip {
 		my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
 
 		my $cidr = $param->{cidr};
+		if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
+		    # make sure alias exists (if $cidr is an alias)
+		    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
+		} else {
+		    # normalize like config parser, otherwise duplicates might slip through
+		    $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
+		}
 
 		foreach my $entry (@$ipset) {
 		    raise_param_exc({ cidr => "address '$cidr' already exists" })
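Review bot: The `raise_param_exc` message on the hunk's last line now quotes the normalized `$cidr` instead of the value the caller submitted, so a request carrying a trailing `/32` (which the commit message says the parser drops) is rejected with an address string that differs from the one sent, which API clients may not recognise as their own input. Keeping the raw value in the message while still comparing the normalized one avoids that, e.g. `raise_param_exc({ cidr => "address '$param->{cidr}' already exists" })`. The new `else` branch also relies on `PVE::Firewall::parse_ip_or_cidr` dying on unparsable input; if it can instead return undef, `$cidr` would reach the duplicate comparison and the zero-prefix regex in the following hunk undefined, so this is worth confirming against its definition. The enclosing register_create_ip body starts before and ends after this hunk.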
@@ -204,9 +211,6 @@ sub register_create_ip {
 		raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
 		    if $cidr =~ m!/0+$!;
 
-		# make sure alias exists (if $cidr is an alias)
-		PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
-		    if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
 
 		my $data = { cidr => $cidr };
 
-- 
2.20.1




