[pve-devel] [PATCH firewall 1/3] fix #4556: introduce 'dc' and 'vm' prefix for IPSets

Leo Nunner l.nunner at proxmox.com
Wed Jun 7 12:17:48 CEST 2023


to differentiate whether they should be taken from the datacenter config
or from the local config. The parser now accepts IPSets in the following
format:

    +dc/ipset
	Looks for the IPSet on the Datacenter level.
    +vm/ipset
	Looks for the IPSet on the VM level.
    +ipset
	Uses the previous method of scoping, where it first looks at the
	VM level and then at the Datacenter level.

Signed-off-by: Leo Nunner <l.nunner at proxmox.com>
---
 src/PVE/Firewall.pm | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8e40872..ff18de0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1683,9 +1683,9 @@ sub verify_rule {
 
 	if (my $value = $rule->{$name}) {
 	    if ($value =~ m/^\+/) {
-		if ($value =~ m/^\+(${ipset_name_pattern})$/) {
-		    &$add_error($name, "no such ipset '$1'")
-			if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+		if ($value =~ m@^\+(vm/|dc/)?(${ipset_name_pattern})$@) {
+		    &$add_error($name, "no such ipset '$2'")
+			if !($cluster_conf->{ipset}->{$2} || ($fw_conf && $fw_conf->{ipset}->{$2}));
 
 		} else {
 		    &$add_error($name, "invalid ipset name '$value'");
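Review bot: The existence check on the new lines still accepts a prefixed name when the IPSet exists in either config, so a rule with `+dc/foo` where `foo` is defined only in the VM config passes verify_rule here but later dies with "no such ipset" in ipt_gen_src_or_dst_match, where the dc/ and vm/ scopes are enforced; the validation should honour the same scope so the error is reported at parse time instead of at rule generation. Note also that `$1` is undef when no prefix is given (the group is optional), so it needs a default before being compared. verify_rule's body starts and continues outside the hunk.
```perl
		if ($value =~ m@^\+(vm/|dc/)?(${ipset_name_pattern})$@) {
		    my ($scope, $ipset) = ($1 // '', $2);
		    my $in_dc = $scope ne 'vm/' && $cluster_conf->{ipset}->{$ipset};
		    my $in_vm = $scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$ipset};
		    &$add_error($name, "no such ipset '$ipset'") if !($in_dc || $in_vm);
		# … unchanged: else branch reporting the invalid ipset name …
```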
@@ -2095,12 +2095,13 @@ sub ipt_gen_src_or_dst_match {
 
     my $match;
     if ($adr =~ m/^\+/) {
-	if ($adr =~ m/^\+(${ipset_name_pattern})$/) {
-	    my $name = $1;
+	if ($adr =~ m@^\+(vm/|dc/)?(${ipset_name_pattern})$@) {
+	    my $scope = $1;
+	    my $name = $2;
 	    my $ipset_chain;
-	    if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+	    if ($scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$name}) {
 		$ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
-	    } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+	    } elsif ($scope ne 'vm/' && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
 		$ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
 	    } else {
 		die "no such ipset '$name'\n";
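Review bot: `$scope` is undef whenever the address has no `vm/` or `dc/` prefix, because the capture group is optional, so `$scope ne 'dc/'` and `$scope ne 'vm/'` on the two changed conditions emit "Use of uninitialized value" warnings under `use warnings` for every unprefixed IPSet reference; default it at assignment with `my $scope = $1 // '';`. The `die` message might also include the requested scope so an operator can tell a dc/-only lookup failure from a vm/-only one, e.g. `die "no such ipset '$scope$name'\n";`. ipt_gen_src_or_dst_match starts and ends outside the hunk.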
-- 
2.30.2





