[pve-devel] [PATCH firewall 1/3] fix #4556: introduce 'dc' and 'vm' prefix for IPSets
Leo Nunner
l.nunner at proxmox.com
Wed Jun 7 12:17:48 CEST 2023
to differentiate whether they should be taken from the datacenter config
or from the local config. The parser now accepts IPSets in the following
format:
+dc/ipset
Looks for the IPSet on the Datacenter level.
+vm/ipset
Looks for the IPSet on the VM level.
+ipset
Uses the previous method of scoping, where it first looks at the
VM level and then at the Datacenter level.
Signed-off-by: Leo Nunner <l.nunner at proxmox.com>
---
src/PVE/Firewall.pm | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8e40872..ff18de0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1683,9 +1683,9 @@ sub verify_rule {
if (my $value = $rule->{$name}) {
if ($value =~ m/^\+/) {
- if ($value =~ m/^\+(${ipset_name_pattern})$/) {
- &$add_error($name, "no such ipset '$1'")
- if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+ if ($value =~ m@^\+(vm/|dc/)?(${ipset_name_pattern})$@) {
+ &$add_error($name, "no such ipset '$2'")
+ if !($cluster_conf->{ipset}->{$2} || ($fw_conf && $fw_conf->{ipset}->{$2}));
} else {
&$add_error($name, "invalid ipset name '$value'");
@@ -2095,12 +2095,13 @@ sub ipt_gen_src_or_dst_match {
my $match;
if ($adr =~ m/^\+/) {
- if ($adr =~ m/^\+(${ipset_name_pattern})$/) {
- my $name = $1;
+ if ($adr =~ m@^\+(vm/|dc/)?(${ipset_name_pattern})$@) {
+ my $scope = $1;
+ my $name = $2;
my $ipset_chain;
- if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ if ($scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$name}) {
$ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
- } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ } elsif ($scope ne 'vm/' && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
$ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
} else {
die "no such ipset '$name'\n";
--
2.30.2
More information about the pve-devel
mailing list