Skip icmpv6 rules for iptables rules; skip icmp rules for ip6tables rules.

Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
---
 src/PVE/Firewall.pm | 44 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 962e85b..8ad9070 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -618,6 +618,32 @@ my $icmp_type_names = {
 'address-mask-reply' => 1,
 };
+# ip6tables -p icmpv6 -h
+
+my $icmpv6_type_names = {
+ 'any' => 1,
+ 'destination-unreachable' => 1,
+ 'no-route' => 1,
+ 'communication-prohibited' => 1,
+ 'address-unreachable' => 1,
+ 'port-unreachable' => 1,
+ 'packet-too-big' => 1,
+ 'time-exceeded' => 1,
+ 'ttl-zero-during-transit' => 1,
+ 'ttl-zero-during-reassembly' => 1,
+ 'parameter-problem' => 1,
+ 'bad-header' => 1,
+ 'unknown-header-type' => 1,
+ 'unknown-option' => 1,
+ 'echo-request' => 1,
+ 'echo-reply' => 1,
+ 'router-solicitation' => 1,
+ 'router-advertisement' => 1,
+ 'neighbour-solicitation' => 1,
+ 'neighbour-advertisement' => 1,
+ 'redirect' => 1,
+};
+
 sub init_firewall_macros {
 $pve_fw_parsed_macros = {};
@@ -704,6 +730,9 @@ sub get_etc_protocols {
 close($fh);
+ $protocols->{byid}->{icmpv6}->{name} = "icmpv6";
+ $protocols->{byname}->{icmpv6} = $protocols->{byid}->{icmpv6};
+
 $etc_protocols = $protocols;
 return $etc_protocols;
@@ -834,6 +863,8 @@ sub parse_port_name_number_or_range {
 } else {
 if ($icmp_type_names->{$item}) {
 $icmp_port = 1;
+ }elsif ($icmpv6_type_names->{$item}) {
+ $icmp_port = 1;
 } else {
 die "invalid port '$item'\n" if !$services->{byname}->{$item};
 }
@@ -1073,6 +1104,7 @@ sub verify_rule {
 my $allow_groups = $rule_env eq 'group' ? 0 : 1;
 my $ipversion = undef;
+ my $protoversion = undef;
 my $allow_iface = $rule_env_iface_lookup->{$rule_env};
 die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
@@ -1154,6 +1186,8 @@ sub verify_rule {
 if ($rule->{proto}) {
 eval { pve_fw_verify_protocol_spec($rule->{proto}); };
 &$add_error('proto', $@) if $@;
+ $protoversion = '4' if($rule->{proto} eq 'icmp');
+ $protoversion = '6' if($rule->{proto} eq 'icmpv6');
 }
 if ($rule->{dport}) {
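Review bot: The header comment on the new table, `# ip6tables -p icmpv6 -h`, only names the command the list was copied from; a reader has to guess that this is the set of ICMPv6 type names the firewall will accept in a rule's dport. Suggest `# ICMPv6 type names accepted as dport for proto 'icmpv6'; copied from the output of "ip6tables -p icmpv6 -h"`. Several names here (`any`, `echo-request`, `echo-reply`, `redirect`, ...) presumably also appear in `$icmp_type_names` just above (only its last entry is visible), so the two tables are not disjoint; that matters for the lookups added in the later hunks.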
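Review bot: In the get_etc_protocols hunk the synthetic entry is stored under `$protocols->{byid}->{icmpv6}`, a string key in a hash whose name suggests it is keyed by numeric protocol id; any code that iterates `byid` expecting numbers would now see a non-numeric key (the parsing loop that fills these hashes starts above the hunk, so this is inferred from the names). If the system's `/etc/protocols` already lists `ipv6-icmp` as protocol 58, aliasing to that entry would keep `byid` consistent and only fall back to a synthetic record when it is absent, e.g. `$protocols->{byname}->{icmpv6} = $protocols->{byname}->{'ipv6-icmp'} // { name => 'icmpv6' };`. The current assignment also overwrites an existing `icmpv6` entry unconditionally rather than adding the alias only when missing.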
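Review bot: The new `elsif` branch in parse_port_name_number_or_range has exactly the same body as the `if` branch above it, so the two conditions can be merged: `if ($icmp_type_names->{$item} || $icmpv6_type_names->{$item}) {`. Style: `}elsif` is missing the space before the keyword that the neighbouring `} else {` has. Note that this accepts a name from either table regardless of the rule's protocol, so an icmpv6-only name on an `icmp` rule is not rejected here and only fails later via the `die` in ruleset_generate_cmdstr; checking the name against the table matching the rule's proto in verify_rule would surface the error when the rule is saved. The enclosing sub begins above this hunk.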
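Review bot: In the second verify_rule hunk only the exact spellings `icmp` and `icmpv6` set `$protoversion`, so a rule whose proto passes `pve_fw_verify_protocol_spec` in another accepted form (the `/etc/protocols` name `ipv6-icmp`, or a numeric protocol, if that function accepts them — its definition is outside this patch) gets no version, is not checked against the address family, and later misses the `icmpv6` branch in ruleset_generate_cmdstr where its dport would be handled as a port. Normalising the protocol once before these checks (e.g. treating `ipv6-icmp` as `icmpv6`) and reusing that in ruleset_generate_cmdstr would close the gap. Style: `if(` lacks the space after the keyword used elsewhere in this sub.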
@@ -1196,8 +1230,12 @@ sub verify_rule {
 }
 }
- $rule->{errors} = $errors if $error_count;
+
+ &$add_error('proto', "proto version and ipversion are not the same") if $ipversion && $protoversion && $protoversion ne $ipversion;
 $rule->{ipversion} = $ipversion if $ipversion;
+ $rule->{ipversion} = $protoversion if $protoversion;
+
+ $rule->{errors} = $errors if $error_count;
 return $rule;
 }
@@ -1451,6 +1489,10 @@ sub ruleset_generate_cmdstr {
 # Note: we use dport to store --icmp-type
 die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
 push @cmd, "-m icmp --icmp-type $rule->{dport}";
+ } elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') {
+ # Note: we use dport to store --icmpv6-type
+ die "unknown icmpv6-type '$rule->{dport}'\n" if !defined($icmpv6_type_names->{$rule->{dport}});
+ push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
 } else {
 if ($nbdport > 1) {
 if ($multiport == 2) {
--
1.7.10.4
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
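Review bot: The conflict message `"proto version and ipversion are not the same"` in the first verify_rule hunk does not tell the user which two versions disagree, which is exactly what they need to fix the rule; `&$add_error('proto', "proto '$rule->{proto}' is IPv$protoversion but the addresses are IPv$ipversion")` would. The line is also long enough that the condition belongs on its own `if` rather than a postfix modifier. Moving `$rule->{errors} = $errors if $error_count;` below the new check looks right, assuming `$add_error` increments `$error_count` (both are defined above this hunk), since otherwise the new error would never be attached to the rule.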
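Review bot: The `die "unknown icmpv6-type ..."` in the ruleset_generate_cmdstr hunk fires at ruleset generation time, after the rule has already been accepted by verify_rule (whose parse_port_name_number_or_range accepts names from either ICMP table), so a saved rule with an icmp-only type on an icmpv6 rule, or the reverse, only fails when the whole ruleset is compiled; the per-protocol check belongs in verify_rule, with this `die` kept as a last-resort guard. The branch also repeats the icmp branch above it with only the protocol name and table swapped; a lookup such as `my $icmp_type_table = { icmp => $icmp_type_names, icmpv6 => $icmpv6_type_names };` would let a single branch build `-m $proto --$proto-type $rule->{dport}`. Since `$rule->{dport}` is interpolated into the generated rule string, the `defined(...)` table lookup on the line before is what keeps it to a known name; a comment saying so, e.g. `# the table lookup above guarantees dport is a known type name before it is interpolated`, would stop a later refactor from relaxing it.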