From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <l.nunner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 4FE5BCDAA
 for <pve-devel@lists.proxmox.com>; Tue, 11 Jul 2023 11:41:53 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 31E5721181
 for <pve-devel@lists.proxmox.com>; Tue, 11 Jul 2023 11:41:23 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Tue, 11 Jul 2023 11:41:22 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 40D9442F02
 for <pve-devel@lists.proxmox.com>; Tue, 11 Jul 2023 11:41:22 +0200 (CEST)
From: Leo Nunner <l.nunner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 11 Jul 2023 11:41:15 +0200
Message-Id: <20230711094115.125034-1-l.nunner@proxmox.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.092 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
Subject: [pve-devel] [PATCH firewall] parser: fix scoped alias resolution
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2023 09:41:53 -0000

We tried to resolve aliases in some places where the cluster
configuration didn't get set. It's probably better to handle these cases
directly in the function at hand, instead of at every place where this
issues might arise.

This seemingly fixes the issues reported on pve-user and the forum:
  * https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
  * https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
 src/PVE/API2/Firewall/IPSet.pm |  2 --
 src/PVE/Firewall.pm            | 18 ++++++++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index baa57ca..ed92d87 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -203,8 +203,6 @@ sub register_create_ip {
 		if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
 		    my $scope = $1 // "";
 		    my $alias = $2;
-		    # on the cluster level
-		    $cluster_conf = $fw_conf if (!$cluster_conf);
 		    # make sure alias exists (if $cidr is an alias)
 		    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
 		} else {
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 9bed8df..77cbaf4 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2979,13 +2979,23 @@ sub parse_clusterfw_option {
 sub resolve_alias {
     my ($clusterfw_conf, $fw_conf, $cidr, $scope) = @_;
 
+    # When we're on the cluster level, the cluster config only gets
+    # saved into fw_conf, so we need some extra handling here (to
+    # stay consistent)
+    my ($cluster_config, $local_config);
+    if (!$clusterfw_conf) {
+	($cluster_config, $local_config) = ($fw_conf, undef);
+    } else {
+	($cluster_config, $local_config) = ($clusterfw_conf, $fw_conf);
+    }
+
     my $alias = lc($cidr);
     my $e;
-    if ($scope ne 'dc/' && $fw_conf) {
-	$e = $fw_conf->{aliases}->{$alias};
+    if ($scope ne 'dc/' && $local_config) {
+	$e = $local_config->{aliases}->{$alias};
     }
-    if ($scope ne 'guest/' && !$e && $clusterfw_conf) {
-	$e = $clusterfw_conf->{aliases}->{$alias};
+    if ($scope ne 'guest/' && !$e && $cluster_config) {
+	$e = $cluster_config->{aliases}->{$alias};
     }
 
     die "no such alias '$cidr'\n" if !$e;;
-- 
2.39.2