for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here. otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
src/PVE/API2/Firewall/IPSet.pm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 913dd86..ec9326f 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -195,6 +195,13 @@ sub register_create_ip {
my ($cluster_conf, $fw_conf, $ipset) =
$class->load_config($param);
my $cidr = $param->{cidr};
+ if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
+ # make sure alias exists (if $cidr is an alias)
+ PVE::Firewall::resolve_alias($cluster_conf, $fw_conf,
$cidr);
+ } else {
+ # normalize like config parser, otherwise duplicates might
slip through
+ $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
+ }
foreach my $entry (@$ipset) {
raise_param_exc({ cidr => "address '$cidr' already exists"
})
@@ -204,9 +211,6 @@ sub register_create_ip {
raise_param_exc({ cidr => "a zero prefix is not allowed in
ipset entries" })
if $cidr =~ m!/0+$!;
- # make sure alias exists (if $cidr is an alias)
- PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
- if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
my $data = { cidr => $cidr };
--
2.20.1
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
