[pve-devel] [PATCH firewall 5/7] api/ipsets: parse_cidr before checking for duplicates
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Apr 29 10:52:54 CEST 2020
for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here. otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/PVE/API2/Firewall/IPSet.pm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 913dd86..ec9326f 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -195,6 +195,13 @@ sub register_create_ip {
my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
my $cidr = $param->{cidr};
+ if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
+ # make sure alias exists (if $cidr is an alias)
+ PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
+ } else {
+ # normalize like config parser, otherwise duplicates might slip through
+ $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
+ }
foreach my $entry (@$ipset) {
raise_param_exc({ cidr => "address '$cidr' already exists" })
@@ -204,9 +211,6 @@ sub register_create_ip {
raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
if $cidr =~ m!/0+$!;
- # make sure alias exists (if $cidr is an alias)
- PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
- if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
my $data = { cidr => $cidr };
--
2.20.1
More information about the pve-devel
mailing list