[pve-devel] applied: [PATCH firewall] api node: always pass cluster conf to node FW parser

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Jan 9 13:04:20 CET 2020


On 1/9/20 1:03 PM, Thomas Lamprecht wrote:
> Otherwise the parsing may lead to "false positive" errors, as cluster-wide
> aliases and other definitions are seemingly missing.
> 
> Reproducer:
> * add *cluster* alias
> * add+enable *host* rule using that alias
> * enable FW on DC and node level
> * go to Node -> FW -> Options
> * check journal/syslog for error like:
>> pveproxy[1339680]: /etc/pve/nodes/dev6/host.fw (line 3) - errors in rule parameters: IN ACCEPT -source test123 -p tcp -sport 22 -log nolog
>> pveproxy[1339680]:   source: no such alias 'test123'
> 
> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> ---
>  src/PVE/API2/Firewall/Host.pm | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
> index d02619a..2303494 100644
> --- a/src/PVE/API2/Firewall/Host.pm
> +++ b/src/PVE/API2/Firewall/Host.pm
> @@ -86,7 +86,8 @@ __PACKAGE__->register_method({
>      code => sub {
>  	my ($param) = @_;
>  
> -	my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
> +	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
> +	my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
>  
>  	return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
>      }});
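Review bot: the new `PVE::Firewall::load_clusterfw_conf()` call at the top of this handler is not wrapped in an `eval`, so any `die` raised while reading the cluster-wide config now propagates out of the host options GET path, which previously only touched the host file; if that is the intended behaviour it is worth one sentence in the commit message, otherwise consider guarding the cluster load so a broken cluster file does not also break reading per-node options.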
> @@ -117,7 +118,8 @@ __PACKAGE__->register_method({
>      code => sub {
>  	my ($param) = @_;
>  
> -	my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
> +	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
> +	my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
>  
>  	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
>  	PVE::Tools::assert_if_modified($digest, $param->{digest});
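Review bot: the two-line load pattern (`load_clusterfw_conf()` followed by `load_hostfw_conf($cluster_conf)`) is now repeated verbatim in both handlers; since the bug being fixed is exactly a caller forgetting to pass the cluster conf, a small helper in this module (for example a `load_hostfw_conf_with_cluster()` wrapper, name assumed) would make the next caller get it right by default. Unrelated to this change, the pre-existing `copy_opject_with_digest` spelling in the unchanged context lines is worth a follow-up rename, not part of this patch.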
> 

applied
