[pve-devel] [PATCH firewall 6/7] configs: warn about duplicate ipset entries
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Apr 29 10:52:55 CEST 2020
instead of silently dropping them when writing the config out.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/PVE/Firewall.pm | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7b26ac5..4d86032 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2897,6 +2897,8 @@ sub generic_fw_config_parser {
}
return {} if !$raw;
+ my $curr_group_keys = {};
+
my $linenr = 0;
while ($raw =~ /^\h*(.*?)\h*$/gm) {
my $line = $1;
@@ -2957,6 +2959,8 @@ sub generic_fw_config_parser {
}
$res->{$section}->{$group} = [];
+ $curr_group_keys = {};
+
$res->{ipset_comments}->{$group} = decode('utf8', $comment)
if $comment;
next;
@@ -3021,6 +3025,8 @@ sub generic_fw_config_parser {
} else {
$cidr = parse_ip_or_cidr($cidr);
}
+ die "duplicate ipset entry for '$cidr'\n"
+ if defined($curr_group_keys->{$cidr});
};
if (my $err = $@) {
chomp $err;
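Review bot: The duplicate check `defined($curr_group_keys->{$cidr})` compares the string left in `$cidr`, so two spellings of the same address or network are only caught if `parse_ip_or_cidr` returns a canonical form; that helper is not visible here and this should be confirmed. In the branch before the `else`, the value does not go through `parse_ip_or_cidr` at all, so there the comparison is on the text as written in the config. The `die` is raised inside the `eval` and caught by `if (my $err = $@)`, so it is not fatal to the parser; a short comment such as `# caught by the enclosing eval; not fatal` would make that clear, since the subject line says "warn". The enclosing `generic_fw_config_parser` starts and ends outside this hunk, so what happens to `$err` afterwards cannot be judged from here.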
@@ -3044,6 +3050,7 @@ sub generic_fw_config_parser {
}
push @{$res->{$section}->{$group}}, $entry;
+ $curr_group_keys->{$cidr} = 1;
} else {
warn "$prefix: skip line - unknown section\n";
next;
@@ -3221,7 +3228,13 @@ my $format_ipsets = sub {
my $nethash = {};
foreach my $entry (@$options) {
- $nethash->{$entry->{cidr}} = $entry;
+ my $cidr = $entry->{cidr};
+ if (defined($nethash->{$cidr})) {
+ warn "ignoring duplicate ipset entry '$cidr'\n";
+ next;
+ }
+
+ $nethash->{$cidr} = $entry;
}
foreach my $cidr (sort keys %$nethash) {
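Review bot: Skipping the later entry with `next` changes which duplicate survives: the removed line overwrote `$nethash->{$cidr}`, so the last entry won, and now the first one is kept. If two entries for the same `$cidr` differ in other fields (a comment, or a nomatch flag if entries carry one), the written config can differ from what the old code produced, which matters for a firewall set; a comment such as `# keep the first entry for a cidr, later duplicates are dropped` would record the choice. The warning does not say which ipset the entry belongs to, so it is hard to locate in a large config; including the set name would help if it is in scope here, which this hunk does not show. `exists $nethash->{$cidr}` would express the check more directly than `defined(...)`. The body of `$format_ipsets` continues outside the hunk.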
--
2.20.1