From: Leo Nunner
To: pve-devel@lists.proxmox.com
Date: Tue, 11 Jul 2023 11:41:15 +0200
Message-Id: <20230711094115.125034-1-l.nunner@proxmox.com>
X-Mailer: git-send-email 2.39.2
Subject: [pve-devel] [PATCH firewall] parser: fix scoped alias resolution
List-Id: Proxmox VE development discussion

We tried to resolve aliases in some places where the cluster configuration didn't get set. It's probably better to handle these cases directly in the function at hand, instead of at every place where these issues might arise.

This seemingly fixes the issues reported on pve-user and the forum:

* https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
* https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/

Signed-off-by: Leo Nunner
---
 src/PVE/API2/Firewall/IPSet.pm |  2 --
 src/PVE/Firewall.pm            | 18 ++++++++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index baa57ca..ed92d87 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -203,8 +203,6 @@ sub register_create_ip { if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) { my $scope = $1 // ""; my $alias = $2; - # on the cluster level - $cluster_conf = $fw_conf if (!$cluster_conf); # make sure alias exists (if $cidr is an alias) PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope); } else {
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 9bed8df..77cbaf4 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2979,13 +2979,23 @@ sub parse_clusterfw_option { sub resolve_alias { my ($clusterfw_conf, $fw_conf, $cidr, $scope) = @_; + # When we're on the cluster level, the cluster config only gets + # saved into fw_conf, so we need some extra handling here (to + # stay consistent) + my ($cluster_config, $local_config); + if (!$clusterfw_conf) { + ($cluster_config, $local_config) = ($fw_conf, undef); + } else { + ($cluster_config, $local_config) = ($clusterfw_conf, $fw_conf); + } + my $alias = lc($cidr); my $e; - if ($scope ne 'dc/' && $fw_conf) { - $e = $fw_conf->{aliases}->{$alias}; + if ($scope ne 'dc/' && $local_config) { + $e = $local_config->{aliases}->{$alias}; } - if ($scope ne 'guest/' && !$e && $clusterfw_conf) { - $e = $clusterfw_conf->{aliases}->{$alias}; + if ($scope ne 'guest/' && !$e && $cluster_config) { + $e = $cluster_config->{aliases}->{$alias}; } die "no such alias '$cidr'\n" if !$e;; -- 2.39.2
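Review bot: on the IPSet.pm hunk, dropping the `$cluster_conf = $fw_conf if (!$cluster_conf);` fallback leaves `$cluster_conf` undef on the cluster level for the remainder of register_create_ip, not only for the resolve_alias call that the new handling in Firewall.pm covers; please check that nothing later in that sub still reads `$cluster_conf` expecting it to be populated. A one-line comment at the call site noting that resolve_alias now accepts an undef cluster config would make the intent clear to the next reader.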
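Review bot: on the Firewall.pm hunk, the new argument convention (an undef `$clusterfw_conf` means `$fw_conf` is the cluster config and there is no local config) is stated only in the inline comment, yet every caller now depends on it; it belongs in a short comment above `sub resolve_alias`, e.g. `# $clusterfw_conf may be undef, in which case $fw_conf is treated as the cluster config`. One behavioural consequence is worth a sentence in the commit message: with `$local_config` undef, a `guest/`-scoped lookup on the cluster level skips both branches and falls through to `die "no such alias"`, which is the correct outcome but reports a missing alias rather than an inapplicable scope. The `;;` on the unchanged `die` line is a pre-existing nit for a follow-up.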