From: Aaron Lauterer
To: pve-devel@lists.proxmox.com
Date: Thu, 22 Apr 2021 14:30:09 +0200
Message-Id: <20210422123010.14006-1-a.lauterer@proxmox.com>
X-Mailer: git-send-email 2.20.1
Subject: [pve-devel] [PATCH firewall] fix #967: source: dest: limit length

iptables-restore has a buffer limit of 1024 for parameters [0]. If users end up adding a long list of IPs in the source or dest field they might reach this limit. The result is that the rule will not be applied and pve-firewall will show some error in the syslog which will be "hidden" for most users.

Enforcing a smaller limit ourselves should help to avoid any such situation. 512 characters should help to not run into any problems that stem from differences in what counts as a character. If people need longer lists, using IP sets is the better approach anyway.

[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469

Signed-off-by: Aaron Lauterer
---
 src/PVE/Firewall.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 92ea33d..50be187 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1449,11 +1449,13 @@ my $rule_properties = { description => "Restrict packet source address. $addr_list_descr", type => 'string', format => 'pve-fw-addr-spec', optional => 1, + maxLength => 512, }, dest => { description => "Restrict packet destination address. $addr_list_descr", type => 'string', format => 'pve-fw-addr-spec', optional => 1, + maxLength => 512, }, proto => { description => "IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.", -- 2.20.1
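Review bot: The `maxLength => 512` value lands as a bare literal in both the `source` and `dest` properties, with nothing in the code connecting it to the 1024-byte iptables-restore parameter buffer the commit message cites, so whoever next edits either property cannot tell that the two numbers must stay in sync or why 512 rather than 1024 was picked. Suggest hoisting it into one named variable next to `$rule_properties`, e.g. `my $max_addr_spec_len = 512; # stay well below the 1024-byte argument buffer in iptables xshared.c`, and writing `maxLength => $max_addr_spec_len,` in both places. A short mention of the limit in the user-facing `$addr_list_descr` text would also make the rejection self-explanatory to users who, as the commit message notes, would otherwise only see the failure "hidden" in the syslog.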