[pve-devel] applied: [PATCH firewall 1/3] fix iptables-restore failing if icmp-type value > 255
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon May 4 14:15:46 CEST 2020
On 4/29/20 3:45 PM, Mira Limbeck wrote:
> This has to be done in both icmp and icmpv6 cases. Currently if
> 'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there
> is no icmp-type handling. As this is meant to fix the iptables-restore
> failure if an icmp-type > 255 is specified, no ipv6-icmp handling is
> introduced.
>
> These error messages are not logged as warnings are ignored. To get
> these messages you have to run pve-firewall compile and look at the
> output.
>
> Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
> ---
> src/PVE/Firewall.pm | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index d22b15a..39f1bfc 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2041,11 +2041,17 @@ sub ipt_rule_to_cmds {
> # Note: we use dport to store --icmp-type
> die "unknown icmp-type '$rule->{dport}'\n"
> if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
> + # values for icmp-type range between 0 and 255
> + # higher values and iptables-restore fails
> + die "invalid icmp-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255);
> push @match, "-m icmp --icmp-type $rule->{dport}";
> } elsif ($proto eq 'icmpv6') {
> # Note: we use dport to store --icmpv6-type
> die "unknown icmpv6-type '$rule->{dport}'\n"
> if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
> + # values for icmpv6-type range between 0 and 255
> + # higher values and iptables-restore fails
> + die "invalid icmpv6-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255);
> push @match, "-m icmpv6 --icmpv6-type $rule->{dport}";
> } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
> die "protocol $proto does not have ports\n";
>
applied, thanks!
More information about the pve-devel
mailing list