[pve-devel] applied: [PATCH firewall] fix #967: source: dest: limit length
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Apr 22 19:03:34 CEST 2021
On 22.04.21 14:30, Aaron Lauterer wrote:
> iptables-restore has a buffer limit of 1024 for paramters [0].
>
> If users end up adding a long list of IPs in the source or dest field
> they might reach this limit. The result is that the rule will not be
> applied and pve-firewall will show some error in the syslog which will
> be "hidden" for most users.
>
> Enforcing a smaller limit ourselves should help to avoid any such
> situation. 512 characters should help to not run into any problems that
> stem from differences in what counts as character. If people need longer
> lists, using IP sets are the better approach anyway.
>
> [0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469
>
> Signed-off-by: Aaron Lauterer <a.lauterer at proxmox.com>
> ---
> src/PVE/Firewall.pm | 2 ++
> 1 file changed, 2 insertions(+)
>
>
applied, thanks! Even in the worst case IP-address length, namely Ipv4-mapped
IPv6 (which we do not really support anyway, so only as theoretical worst-case),
for example: "0000:0000:0000:0000:0000:ffff:192.168.100.228", there we would
need 45 + 1 characters per entry plus separator, so even then one could add 11
IPs in there, which is IMO more than enough for direct apply - IPsets should
be preferred, like you hint in the gui patch anyway.
More information about the pve-devel
mailing list