On 4/29/20 3:45 PM, Mira Limbeck wrote: > This has to be done in both icmp and icmpv6 cases. Currently if > 'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there > is no icmp-type handling. As this is meant to fix the iptables-restore > failure if an icmp-type > 255 is specified, no ipv6-icmp handling is > introduced. > > These error messages are not logged as warnings are ignored. To get > these messages you have to run pve-firewall compile and look at the > output. > > Signed-off-by: Mira Limbeck <m.limb...@proxmox.com> > --- > src/PVE/Firewall.pm | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm > index d22b15a..39f1bfc 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -2041,11 +2041,17 @@ sub ipt_rule_to_cmds { > # Note: we use dport to store --icmp-type > die "unknown icmp-type '$rule->{dport}'\n" > if $rule->{dport} !~ /^\d+$/ && > !defined($icmp_type_names->{$rule->{dport}}); > + # values for icmp-type range between 0 and 255 > + # higher values and iptables-restore fails > + die "invalid icmp-type '$rule->{dport}'\n" if > ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255); > push @match, "-m icmp --icmp-type $rule->{dport}"; > } elsif ($proto eq 'icmpv6') { > # Note: we use dport to store --icmpv6-type > die "unknown icmpv6-type '$rule->{dport}'\n" > if $rule->{dport} !~ /^\d+$/ && > !defined($icmpv6_type_names->{$rule->{dport}}); > + # values for icmpv6-type range between 0 and 255 > + # higher values and iptables-restore fails > + die "invalid icmpv6-type '$rule->{dport}'\n" if > ($rule->{dport} =~ m/^(\d+)$/) && ($1 > 255); > push @match, "-m icmpv6 --icmpv6-type $rule->{dport}"; > } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) { > die "protocol $proto does not have ports\n"; >
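Review bot: in both the icmp and icmpv6 branches the new range check only fires inside ipt_rule_to_cmds, and the commit message states that these die messages are ignored as warnings and only show up when running pve-firewall compile, so a rule with a numeric type above 255 can still be saved and the user gets no feedback that it was rejected. Consider rejecting the value where the rule is validated on input as well, so the error reaches whoever created the rule. The two added checks are also identical apart from the option name in the message; a small shared helper taking the name and $rule->{dport} would keep them from drifting apart, and it could capture the number in the existing /^\d+$/ test rather than matching the same string a second time.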
applied, thanks!