[pve-devel] [PATCH firewall] fix #967: source: dest: limit length

Aaron Lauterer a.lauterer at proxmox.com
Thu Apr 22 14:30:09 CEST 2021


iptables-restore has a buffer limit of 1024 for paramters [0].

If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.

Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets are the better approach anyway.

[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469

Signed-off-by: Aaron Lauterer <a.lauterer at proxmox.com>
---
 src/PVE/Firewall.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 92ea33d..50be187 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1449,11 +1449,13 @@ my $rule_properties = {
 	description => "Restrict packet source address. $addr_list_descr",
 	type => 'string', format => 'pve-fw-addr-spec',
 	optional => 1,
+	maxLength => 512,
     },
     dest => {
 	description => "Restrict packet destination address. $addr_list_descr",
 	type => 'string', format => 'pve-fw-addr-spec',
 	optional => 1,
+	maxLength => 512,
     },
     proto => {
 	description => "IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.",
-- 
2.20.1





More information about the pve-devel mailing list