[pve-devel] [PATCH firewall 2/2] fix #2004: do not allow backwards ranges

Dominik Csapak d.csapak at proxmox.com
Fri Nov 30 11:17:25 CET 2018


On 11/30/18 11:11 AM, Alwin Antreich wrote:
> On Fri, Nov 30, 2018 at 09:53:50AM +0100, Dominik Csapak wrote:
>> ranges like 10:5 are allowed by us, but iptables throws an error
>> that is only visible in the syslog and the firewall rules do not
>> get updated
>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>>   src/PVE/Firewall.pm | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
>> index 035dc7e..d7d1439 100644
>> --- a/src/PVE/Firewall.pm
>> +++ b/src/PVE/Firewall.pm
>> @@ -1054,6 +1054,7 @@ sub parse_port_name_number_or_range {
>>   	    my ($port1, $port2) = ($1, $2);
>>   	    die "invalid port '$port1'\n" if $port1 > 65535;
>>   	    die "invalid port '$port2'\n" if $port2 > 65535;
>> +	    die "backwards range '$port1:$port2'\n" if $port1 > $port2;
> Couldn't we go ahead and switch the ports to get an acceptable range for
> iptables? I suspect that a user will change the port order to get the
> rule applied anyway.
> 
> If we don't want to switch ports, then IMHO the message needs more
> information. Like eg. "backwards range '$port1:$port2' not allowed, use
> forward ranges".
> 

mhmm I do not really want to switch them silently, because some users
might have a different understanding of such a range

e.g. 60000:1000 could be misunderstood as 60000-65535 + 1-1000

but, yes I can write a better error message

>>   	} elsif ($item =~ m/^([0-9]+)$/) {
>>   	    $count += 1;
>>   	    my $port = $1;
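Review bot: the new `die "backwards range '$port1:$port2'\n"` names the problem but not the accepted form; since the whole point of the check is to surface at parse time an error that iptables otherwise only reports in syslog, the message should tell the user how to fix the rule, e.g. `die "backwards range '$port1:$port2' not allowed, use forward ranges (low:high)\n" if $port1 > $port2;`. Placing the ordering check after the two upper-bound checks is right, so an out-of-range port is reported as such first; it would be worth covering an input like 10:5 in a test for parse_port_name_number_or_range so the rejection stays covered.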
>> -- 
>> 2.11.0
>>
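To make the behaviour discussed in this thread concrete, here is a stand-alone Perl sketch (added as an example; it is not the Firewall.pm code, and the helper names parse_port_list, swapped_reading and wrapped_reading are made up here). It validates a comma-separated port list the way the patch does, rejects backwards ranges with the more informative message proposed in the reply, and then shows why 60000:1000 cannot safely be "fixed" by swapping: the swapped reading and the wraparound reading Dominik mentions select different port sets. Port names such as "ssh" are not resolved in this sketch, only numbers and numeric ranges.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Example code, not Firewall.pm. Only numeric ports and ranges are handled;
# service names are deliberately left out of this sketch.

my $MAX_PORT = 65535;

# Validate one comma-separated port list such as "22,80,1000:2000".
# Returns a reference to a list of [low, high] pairs, or dies with a
# user-facing message on the first bad item. Failing here means the user
# sees the problem when the config is parsed, instead of iptables rejecting
# the rule with an error that is only visible in syslog.
sub parse_port_list {
    my ($list) = @_;
    my @ranges;
    for my $item (split(/,/, $list)) {
        if ($item =~ m/^([0-9]+):([0-9]+)$/) {
            my ($port1, $port2) = ($1, $2);
            die "invalid port '$port1'\n" if $port1 > $MAX_PORT;
            die "invalid port '$port2'\n" if $port2 > $MAX_PORT;
            # Reject rather than swap: the intent behind 60000:1000 is
            # ambiguous (see the two readings below), so require low:high.
            die "backwards range '$port1:$port2' not allowed, use forward ranges\n"
                if $port1 > $port2;
            push @ranges, [$port1, $port2];
        } elsif ($item =~ m/^([0-9]+)$/) {
            my $port = $1;
            die "invalid port '$port'\n" if $port > $MAX_PORT;
            push @ranges, [$port, $port];
        } else {
            die "invalid port or range '$item'\n";
        }
    }
    return \@ranges;
}

# The two readings a silent "fix" of a backwards range could pick.
# swapped: 60000:1000 -> 1000..60000
sub swapped_reading {
    my ($port1, $port2) = @_;
    return [[$port2, $port1]];
}

# wrapped: 60000:1000 -> 60000..65535 plus 1..1000
sub wrapped_reading {
    my ($port1, $port2) = @_;
    return [[$port1, $MAX_PORT], [1, $port2]];
}

sub fmt_ranges {
    my ($ranges) = @_;
    return join(', ',
        map { $_->[0] == $_->[1] ? $_->[0] : "$_->[0]..$_->[1]" } @$ranges);
}

# Constructed sample inputs: valid list, backwards range, out-of-range port,
# the ambiguous range from the thread, and a service name (not handled here).
for my $list ('22,80,1000:2000', '10:5', '70000', '60000:1000', 'ssh') {
    my $ranges = eval { parse_port_list($list) };
    if ($@) {
        print "'$list' rejected: $@";
    } else {
        print "'$list' accepted: ", fmt_ranges($ranges), "\n";
    }
}

# Why swapping is not a safe default: the two readings disagree.
print "swapped reading of 60000:1000: ",
    fmt_ranges(swapped_reading(60000, 1000)), "\n";
print "wrapped reading of 60000:1000: ",
    fmt_ranges(wrapped_reading(60000, 1000)), "\n";
```

Run it with `perl` and compare the last two lines: the swapped reading covers 59001 ports in the middle of the space, the wrapped reading covers 6536 ports at both ends, so a parser that picked one of them silently would apply a rule the user may not have meant. Rejecting with a message that names the accepted form leaves the decision with the user.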