public inbox for pve-devel@lists.proxmox.com
* [PATCH pve-firewall 1/1] rules: verify no interface is set for rules with direction forward
@ 2026-06-26 12:20 Stefan Hanreich
  0 siblings, 0 replies; only message in thread
From: Stefan Hanreich @ 2026-06-26 12:20 UTC (permalink / raw)
  To: pve-devel

It is not possible to specify the iface option for rules with
direction forward. This has not been verified by the backend, which
made it very easy to accidentally create invalid FORWARD chain rules.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/Firewall.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 93f8c34..3fc692f 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1842,6 +1842,9 @@ sub verify_rule {
             $add_error->('iface', "value does not match the regex pattern 'net\\d+'")
                 if $rule->{iface} !~ m/^net(\d+)$/;
         }
+
+        $add_error->('iface', "cannot define an interface on rules with direction FORWARD")
+            if $type eq 'forward';
     }
 
     if ($rule->{macro}) {
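
Review bot: the added `if $type eq 'forward'` check sits after the `net\d+` pattern check in the same block, so a forward rule that carries an iface may trigger both `$add_error->('iface', ...)` calls, depending on the enclosing condition that is not visible in this hunk. Consider testing the direction first and skipping the format check for forward rules, so the user sees only the error that matters. The hunk also does not show where `$type` is set: please confirm it holds the rule's direction in lowercase at this point, since the comparison uses 'forward' while the message prints FORWARD. The diffstat touches only src/PVE/Firewall.pm, so a regression test with a forward rule that sets iface would be a useful addition.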
-- 
2.47.3




