[pve-devel] applied: [PATCH firewall 1/3] fix iptables-restore failing if icmp-type value > 255

Thomas Lamprecht t.lamprecht at proxmox.com
Mon May 4 14:15:46 CEST 2020


On 4/29/20 3:45 PM, Mira Limbeck wrote:
> This has to be done in both icmp and icmpv6 cases. Currently if
> 'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there
> is no icmp-type handling. As this is meant to fix the iptables-restore
> failure if an icmp-type > 255 is specified, no ipv6-icmp handling is
> introduced.
> 
> These error messages are not logged as warnings are ignored. To get
> these messages you have to run pve-firewall compile and look at the
> output.
> 
> Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index d22b15a..39f1bfc 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2041,11 +2041,17 @@ sub ipt_rule_to_cmds {
>  		    # Note: we use dport to store --icmp-type
>  		    die "unknown icmp-type '$rule->{dport}'\n"
>  			if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
> +		    # values for icmp-type range between 0 and 255
> +		    # higher values and iptables-restore fails
> +		    die "invalid icmp-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255);
>  		    push @match, "-m icmp --icmp-type $rule->{dport}";
>  		} elsif ($proto eq 'icmpv6') {
>  		    # Note: we use dport to store --icmpv6-type
>  		    die "unknown icmpv6-type '$rule->{dport}'\n"
>  			if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
> +		    # values for icmpv6-type range between 0 and 255
> +		    # higher values and iptables-restore fails
> +		    die "invalid icmpv6-type '$rule->{dport}'\n" if ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255);
>  		    push @match, "-m icmpv6 --icmpv6-type $rule->{dport}";
>  		} elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
>  		    die "protocol $proto does not have ports\n";
> 
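Review bot: the new range check is duplicated verbatim in the icmp and icmpv6 branches with only the protocol name in the message differing; since both `--icmp-type` and `--icmpv6-type` share the same 0..255 limit, a single check before the `if ($proto eq 'icmp')` branch (or a small helper taking the type name) would keep the two messages in sync and avoid the copy-and-paste. The comment "higher values and iptables-restore fails" is also a sentence fragment in both places; something like "with higher values iptables-restore fails" reads better. The logic itself is sound: the `=~ m/^(\d+)$/` match guards `$1`, so the numeric compare only runs for all-digit values, and named types are already validated against `$icmp_type_names` / `$icmpv6_type_names` by the preceding `die`.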

applied, thanks!
