[pve-devel] [PATCH] Added the optional ! (invert sense) of IPs/IPset/range in Firewall rules

Dietmar Maurer dietmar at proxmox.com
Tue May 12 08:37:34 CEST 2015


> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 2bdff20..a3b4ccb 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -960,6 +960,11 @@ sub compute_ipfilter_ipset_name {
>  sub parse_address_list {
>      my ($str) = @_;
>  
> +    # if it is a not
> +    if ($str =~ m/^!\s*(.*)/) {
> +	$str = $1;
> +    }
> +

Why do we allow spaces after '!'? 

>      if ($str =~ m/^(\+)(\S+)$/) { # ipset ref
>  	die "ipset name too long\n" if length($str) > ($max_ipset_name_length + 1);
>  	return;
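
Review bot: in the new block at the top of parse_address_list, `(.*)` also matches nothing, so a bare `!` (or `!` followed only by spaces) leaves `$str` empty and falls through to the checks below; rejecting that case here, for example with `m/^!(\S.*)$/` or an explicit `die`, would keep the error close to its cause. The `!` is also taken off the whole string before any list parsing, so the comment `# if it is a not` should say whether negation is meant to apply to a multi-entry list or only to a single address, ipset or range.
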
> @@ -1634,16 +1639,20 @@ sub ruleset_generate_cmdstr {
>      my $source = $rule->{source};
>      my $dest = $rule->{dest};
>  
> +    my $negate = "";
>      if ($source) {
> +        if ($source =~ s/^!\s*//) {
> +            $negate = "! ";
> +        }
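
Review bot: `$negate` is declared once before `if ($source)` and is only ever set to `"! "`, so if the dest handling that follows reuses it, a negated source would carry over to a dest that was not negated; one variable per direction, or a reset before the dest branch, avoids that. The `s/^!\s*//` here repeats the prefix handling added in parse_address_list, so a small shared helper would keep the two from drifting apart, and the new lines are indented with spaces where the surrounding code in this file uses tabs.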

Same here - why spaces?

Also, would you mind providing some regression tests for
this new feature?



