From: Aaron Lauterer <a.lauterer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall] fix #967: source: dest: limit length
Date: Thu, 22 Apr 2021 14:30:09 +0200 [thread overview]
Message-ID: <20210422123010.14006-1-a.lauterer@proxmox.com> (raw)
iptables-restore has a buffer limit of 1024 for paramters [0].
If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.
Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets are the better approach anyway.
[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
src/PVE/Firewall.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 92ea33d..50be187 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1449,11 +1449,13 @@ my $rule_properties = {
description => "Restrict packet source address. $addr_list_descr",
type => 'string', format => 'pve-fw-addr-spec',
optional => 1,
+ maxLength => 512,
},
dest => {
description => "Restrict packet destination address. $addr_list_descr",
type => 'string', format => 'pve-fw-addr-spec',
optional => 1,
+ maxLength => 512,
},
proto => {
description => "IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.",
--
2.20.1
next reply other threads:[~2021-04-22 12:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-22 12:30 Aaron Lauterer [this message]
2021-04-22 12:30 ` [pve-devel] [PATCH manager] ui: firewall: rule: maxlength for source and dest Aaron Lauterer
2021-04-22 19:34 ` [pve-devel] applied: " Thomas Lamprecht
2021-04-22 17:03 ` [pve-devel] applied: [PATCH firewall] fix #967: source: dest: limit length Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210422123010.14006-1-a.lauterer@proxmox.com \
--to=a.lauterer@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox