[pve-devel] applied: [PATCH firewall] fix #967: source: dest: limit length

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Apr 22 19:03:34 CEST 2021


On 22.04.21 14:30, Aaron Lauterer wrote:
> iptables-restore has a buffer limit of 1024 for paramters [0].
> 
> If users end up adding a long list of IPs in the source or dest field
> they might reach this limit. The result is that the rule will not be
> applied and pve-firewall will show some error in the syslog which will
> be "hidden" for most users.
> 
> Enforcing a smaller limit ourselves should help to avoid any such
> situation. 512 characters should help to not run into any problems that
> stem from differences in what counts as character. If people need longer
> lists, using IP sets are the better approach anyway.
> 
> [0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469
> 
> Signed-off-by: Aaron Lauterer <a.lauterer at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 2 ++
>  1 file changed, 2 insertions(+)
> 
>

applied, thanks! Even in the worst case IP-address length, namely Ipv4-mapped
IPv6 (which we do not really support anyway, so only as theoretical worst-case),
for example: "0000:0000:0000:0000:0000:ffff:192.168.100.228", there we would
need 45 + 1 characters per entry plus separator, so even then one could add 11
IPs in there, which is IMO more than enough for direct apply - IPsets should
be preferred, like you hint in the gui patch anyway.




More information about the pve-devel mailing list