[pve-devel] [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

* [pve-devel] [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered
@ 2022-12-13 15:14 Stefan Hrdlicka
  2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 1/2] " Stefan Hrdlicka
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Stefan Hrdlicka @ 2022-12-13 15:14 UTC (permalink / raw)
  To: pve-devel

V2 -> V3
* review fix: removed closure from clean_cidr

V1 -> V2
* zero out host bits instead of ignoring error
* regex "cleanup"

Stefan Hrdlicka (2):
  allow non zero ip address host bits to be entered
  cleanup: don't capture "/xx" of CIDR

 src/PVE/API2/Firewall/IPSet.pm |  2 +-
 src/PVE/Firewall.pm            | 21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

-- 
2.30.2





^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH V3 firewall 1/2] allow non zero ip address host bits to be entered
  2022-12-13 15:14 [pve-devel] [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Stefan Hrdlicka
@ 2022-12-13 15:14 ` Stefan Hrdlicka
  2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 2/2] cleanup: don't capture "/xx" of CIDR Stefan Hrdlicka
  2022-12-14 13:42 ` [pve-devel] applied-series: [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Wolfgang Bumiller
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hrdlicka @ 2022-12-13 15:14 UTC (permalink / raw)
  To: pve-devel

They can already be set directly via the cluster.fw file. Net::IP is just a
bit more picky with what it allows:
For example:
  error:   192.168.1.155/24
  correct: 192.168.1.0/24

This cleans the entered IP and removes the non zero host bits.

Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
---
 src/PVE/API2/Firewall/IPSet.pm |  2 +-
 src/PVE/Firewall.pm            | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index a5f69e9..14bcfcb 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -199,7 +199,7 @@ sub register_create_ip {
 
 		my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
 
-		my $cidr = $param->{cidr};
+		my $cidr = PVE::Firewall::clean_cidr($param->{cidr});
 		if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
 		    # make sure alias exists (if $cidr is an alias)
 		    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d40a9b1..ae5f221 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -69,8 +69,12 @@ sub pve_verify_ip_or_cidr {
     my ($cidr, $noerr) = @_;
 
     if ($cidr =~ m!^(?:$IPV6RE|$IPV4RE)(/(\d+))?$!) {
-	return $cidr if Net::IP->new($cidr);
+        # Net::IP throws an error if the masked CIDR part isn't zero, e.g., `192.168.1.155/24`
+        # fails but `192.168.1.0/24` succeeds. clean_cidr removes the non zero bits from the CIDR.
+	my $clean_cidr = clean_cidr($cidr);
+	return $cidr if Net::IP->new($clean_cidr);
 	return undef if $noerr;
+
 	die Net::IP::Error() . "\n";
     }
     return undef if $noerr;
@@ -86,6 +90,19 @@ sub pve_verify_ip_or_cidr_or_alias {
     return pve_verify_ip_or_cidr($cidr, $noerr);
 }
 
+sub clean_cidr {
+    my ($cidr) = @_;
+    my ($ip, $len) = split('/', $cidr);
+    return $cidr if !$len;
+    my $ver = ($ip =~ m!^$IPV4RE$!) ? 4 : 6;
+
+    my $bin_ip = Net::IP::ip_iptobin( Net::IP::ip_expand_address($ip, $ver), $ver);
+    my $bin_mask = Net::IP::ip_get_mask($len, $ver);
+    my $clean_ip = Net::IP::ip_compress_address( Net::IP::ip_bintoip($bin_ip & $bin_mask, $ver), $ver);
+
+    return "${clean_ip}/$len";
+}
+
 PVE::JSONSchema::register_standard_option('ipset-name', {
     description => "IP set name.",
     type => 'string',
-- 
2.30.2





^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH V3 firewall 2/2] cleanup: don't capture "/xx" of CIDR
  2022-12-13 15:14 [pve-devel] [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Stefan Hrdlicka
  2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 1/2] " Stefan Hrdlicka
@ 2022-12-13 15:14 ` Stefan Hrdlicka
  2022-12-14 13:42 ` [pve-devel] applied-series: [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Wolfgang Bumiller
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hrdlicka @ 2022-12-13 15:14 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
---
 src/PVE/Firewall.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index ae5f221..4924d51 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -68,7 +68,7 @@ PVE::JSONSchema::register_format('IPorCIDR', \&pve_verify_ip_or_cidr);
 sub pve_verify_ip_or_cidr {
     my ($cidr, $noerr) = @_;
 
-    if ($cidr =~ m!^(?:$IPV6RE|$IPV4RE)(/(\d+))?$!) {
+    if ($cidr =~ m!^(?:$IPV6RE|$IPV4RE)(?:/\d+)?$!) {
         # Net::IP throws an error if the masked CIDR part isn't zero, e.g., `192.168.1.155/24`
         # fails but `192.168.1.0/24` succeeds. clean_cidr removes the non zero bits from the CIDR.
 	my $clean_cidr = clean_cidr($cidr);
-- 
2.30.2





^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] applied-series: [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered
  2022-12-13 15:14 [pve-devel] [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Stefan Hrdlicka
  2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 1/2] " Stefan Hrdlicka
  2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 2/2] cleanup: don't capture "/xx" of CIDR Stefan Hrdlicka
@ 2022-12-14 13:42 ` Wolfgang Bumiller
  2 siblings, 0 replies; 4+ messages in thread
From: Wolfgang Bumiller @ 2022-12-14 13:42 UTC (permalink / raw)
  To: Stefan Hrdlicka; +Cc: pve-devel

applied both patches, thanks

On Tue, Dec 13, 2022 at 04:14:17PM +0100, Stefan Hrdlicka wrote:
> V2 -> V3
> * review fix: removed closure from clean_cidr
> 
> V1 -> V2
> * zero out host bits instead of ignoring error
> * regex "cleanup"
> 
> Stefan Hrdlicka (2):
>   allow non zero ip address host bits to be entered
>   cleanup: don't capture "/xx" of CIDR
> 
>  src/PVE/API2/Firewall/IPSet.pm |  2 +-
>  src/PVE/Firewall.pm            | 21 +++++++++++++++++++--
>  2 files changed, 20 insertions(+), 3 deletions(-)
> 
> -- 
> 2.30.2




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-12-14 13:43 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-13 15:14 [pve-devel] [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Stefan Hrdlicka
2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 1/2] " Stefan Hrdlicka
2022-12-13 15:14 ` [pve-devel] [PATCH V3 firewall 2/2] cleanup: don't capture "/xx" of CIDR Stefan Hrdlicka
2022-12-14 13:42 ` [pve-devel] applied-series: [PATCH V3 firewall 0/2] allow non zero ip address host bits to be entered Wolfgang Bumiller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal