[pve-devel] [PATCH firewall v2] fix #2004: do not allow backwards ranges
Dominik Csapak
2018-11-30 15:31:41 UTC
ranges like 10:5 are allowed by us, but iptables throws an error
that is only visible in the syslog and the firewall rules do not
get updated

Signed-off-by: Dominik Csapak <***@proxmox.com>
---
changes from v1:
* better error message
src/PVE/Firewall.pm | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 035dc7e..db1eae3 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1054,6 +1054,7 @@ sub parse_port_name_number_or_range {
my ($port1, $port2) = ($1, $2);
die "invalid port '$port1'\n" if $port1 > 65535;
die "invalid port '$port2'\n" if $port2 > 65535;
+ die "backwards range '$port1:$port2' not allowed, did you mean '$port2:$port1'?\n" if $port1 > $port2;
} elsif ($item =~ m/^([0-9]+)$/) {
$count += 1;
my $port = $1;
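Review bot: the new `die` line is considerably longer than the surrounding lines in `parse_port_name_number_or_range`; consider splitting the message string and the `if` modifier across two lines to match the style of the two `invalid port` checks directly above it. The placement itself is right: the ordering check sits after both `> 65535` checks, so an input like `70000:5` is reported as an out-of-range port rather than as a backwards range, and the strict `$port1 > $port2` comparison still lets equal endpoints such as `80:80` through, which is what iptables accepts and what the commit message calls for.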
--
2.11.0
Wolfgang Bumiller
2018-12-03 13:12:17 UTC
applied
Post by Dominik Csapak
ranges like 10:5 are allowed by us, but iptables throws an error
that is only visible in the syslog and the firewall rules do not
get updated
---
* better error message
src/PVE/Firewall.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 035dc7e..db1eae3 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1054,6 +1054,7 @@ sub parse_port_name_number_or_range {
my ($port1, $port2) = ($1, $2);
die "invalid port '$port1'\n" if $port1 > 65535;
die "invalid port '$port2'\n" if $port2 > 65535;
+ die "backwards range '$port1:$port2' not allowed, did you mean '$port2:$port1'?\n" if $port1 > $port2;
} elsif ($item =~ m/^([0-9]+)$/) {
$count += 1;
my $port = $1;
--
2.11.0