[pve-devel] [PATCH http-server v3 2/2] access control: also include ipv6 in 'all'

Stoiko Ivanov s.ivanov at proxmox.com
Wed May 5 16:36:27 CEST 2021


Net::IP objects are bound to a version - 0/0 is treated as ipv4 only.
If 'all' is present in the allow_from/deny_from list we should also
add ::/0 for matching all ipv6 addresses.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 PVE/APIServer/Utils.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/PVE/APIServer/Utils.pm b/PVE/APIServer/Utils.pm
index 8470f80..449d764 100644
--- a/PVE/APIServer/Utils.pm
+++ b/PVE/APIServer/Utils.pm
@@ -33,7 +33,11 @@ sub read_proxy_config {
 	if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
 	    my $ips = [];
 	    foreach my $ip (split(/,/, $value)) {
-		$ip = "0/0" if $ip eq 'all';
+		if ($ip eq 'all') {
+		    push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
+		    push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
+		    next;
+		}
 		push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
 	    }
 	    $res->{$key} = $ips;
-- 
2.20.1






More information about the pve-devel mailing list