From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Aaron Lauterer <a.lauterer@proxmox.com>
Subject: [pve-devel] applied: [PATCH firewall] fix #967: source: dest: limit length
Date: Thu, 22 Apr 2021 19:03:34 +0200	[thread overview]
Message-ID: <2c5178ab-281a-6d54-307c-d505f037d188@proxmox.com> (raw)
In-Reply-To: <20210422123010.14006-1-a.lauterer@proxmox.com>

On 22.04.21 14:30, Aaron Lauterer wrote:
> iptables-restore has a buffer limit of 1024 for parameters [0].
> 
> If users end up adding a long list of IPs in the source or dest field
> they might reach this limit. The result is that the rule will not be
> applied and pve-firewall will show some error in the syslog which will
> be "hidden" for most users.
> 
> Enforcing a smaller limit ourselves should help to avoid any such
> situation. 512 characters should help to not run into any problems that
> stem from differences in what counts as character. If people need longer
> lists, using IP sets is the better approach anyway.
> 
> [0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469
> 
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
>  src/PVE/Firewall.pm | 2 ++
>  1 file changed, 2 insertions(+)
> 
>

applied, thanks! Even in the worst case IP-address length, namely IPv4-mapped
IPv6 (which we do not really support anyway, so only as theoretical worst-case),
for example: "0000:0000:0000:0000:0000:ffff:192.168.100.228", there we would
need 45 + 1 characters per entry plus separator, so even then one could add 11
IPs in there, which is IMO more than enough for direct apply - IPsets should
be preferred, like you hint in the GUI patch anyway.
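The check the commit message describes, as an added Perl example that is not pve-firewall's own code: it rejects a source/dest list longer than 512 characters before anything is handed to iptables-restore, so the failure surfaces as a validation error instead of a rule that is silently dropped with a message in syslog, and it derives the "11 entries" figure from the reply's 45-character IPv4-mapped address. The 512 limit is the one from the patch; the address syntax accepted here (plain IPv4/IPv6 with an optional prefix, no aliases and no IPset references) is a simplification assumed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Constructed example, not pve-firewall code. 512 is the limit chosen in the
# patch; 1024 is the iptables-restore parameter buffer the commit message cites.
my $MAX_FIELD_LEN      = 512;
my $IPTABLES_PARAM_BUF = 1024;

# Worst-case textual length of one address, as in the reply:
# "0000:0000:0000:0000:0000:ffff:192.168.100.228" is 45 characters.
my $WORST_CASE_ADDR_LEN = 45;

# How many worst-case entries fit into a field of $max characters when every
# entry after the first also costs one separator character.
sub max_worst_case_entries {
    my ($max) = @_;
    return int(($max + 1) / ($WORST_CASE_ADDR_LEN + 1));
}

# Check one entry: an IPv4/IPv6 address with an optional /prefix. Returns an
# error string, or undef when the entry is acceptable. (Simplified: the real
# firewall also accepts aliases and +ipset references, which are not handled.)
sub check_entry {
    my ($entry) = @_;
    my ($addr, $prefix) = split m{/}, $entry, 2;
    return "empty entry" if !defined $addr || $addr eq '';

    my $family;
    if    (defined inet_pton(AF_INET,  $addr)) { $family = 4; }
    elsif (defined inet_pton(AF_INET6, $addr)) { $family = 6; }
    else  { return "'$addr' is not a valid IP address"; }

    if (defined $prefix) {
        my $maxbits = $family == 4 ? 32 : 128;
        return "bad prefix '/$prefix' for '$addr'"
            if $prefix !~ /^\d{1,3}$/ || $prefix > $maxbits;
    }
    return undef;
}

# Validate a comma-separated source/dest value. The length check runs first,
# so an over-long list is rejected here with a visible message rather than
# producing a rule that iptables-restore refuses later.
sub validate_address_list {
    my ($value) = @_;
    my $len = length $value;
    return (0, "field has $len characters, maximum is $MAX_FIELD_LEN")
        if $len > $MAX_FIELD_LEN;

    for my $entry (split /\s*,\s*/, $value) {
        my $err = check_entry($entry);
        return (0, $err) if defined $err;
    }
    return (1, undef);
}

# Usage: repeat the reply's worst-case address and show where the cut-off lies
# (11 entries need 11*45 + 10 separators, 12 entries need 12*45 + 11).
my $worst = '0000:0000:0000:0000:0000:ffff:192.168.100.228';
printf "worst-case entries that fit in %d characters: %d (iptables buffer: %d)\n",
    $MAX_FIELD_LEN, max_worst_case_entries($MAX_FIELD_LEN), $IPTABLES_PARAM_BUF;
for my $n (11, 12) {
    my ($ok, $err) = validate_address_list(join(',', ($worst) x $n));
    printf "%2d entries: %s\n", $n, $ok ? 'accepted' : "rejected ($err)";
}
```

The ordering matters: checking the total length before parsing individual entries keeps the rejection independent of how each entry is spelled, which is the point of choosing 512 rather than trying to mirror iptables' own 1024-byte accounting character by character.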




Thread overview: 4+ messages
2021-04-22 12:30 [pve-devel] " Aaron Lauterer
2021-04-22 12:30 ` [pve-devel] [PATCH manager] ui: firewall: rule: maxlength for source and dest Aaron Lauterer
2021-04-22 19:34   ` [pve-devel] applied: " Thomas Lamprecht
2021-04-22 17:03 ` Thomas Lamprecht [this message]
