do not open forward tunnel on insecure migrations

Restore previous behaviour and do not request a forward tunnel on
insecure migrations.

For the migrations of all kind this has no direct impact, they all
worked, but an port to much requested from an limited pool is still
not ideal. Also an open tunnel, if not needed.

This is a light regression introduced from commit 1c9d54b.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index baf736421c453bca79a8954a0068eb29f8a1c1bc..7b9506f93a65a8e4568a00defcbb61d09f05a1ab 100644 (file)
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -91,7 +91,7 @@ sub finish_command_pipe {
 sub fork_tunnel {
     my ($self, $tunnel_addr) = @_;
 
-    my @localtunnelinfo = ('-L' , $tunnel_addr );
+    my @localtunnelinfo = defined($tunnel_addr) ? ('-L' , $tunnel_addr ) : ();
 
     my $cmd = [@{$self->{rem_ssh}}, '-o ExitOnForwardFailure=yes', @localtunnelinfo, 'qm', 'mtunnel' ];
 
@@ -439,11 +439,15 @@ sub phase2 {
            }
 
        } elsif ($ruri =~ /^tcp:/) {
-           # for backwards compatibility with older qemu-server versions
-           my $pfamily = PVE::Tools::get_host_address_family($nodename);
-           my $lport = PVE::Tools::next_migrate_port($pfamily);
+           my $tunnel_addr;
+           if ($raddr eq "localhost") {
+               # for backwards compatibility with older qemu-server versions
+               my $pfamily = PVE::Tools::get_host_address_family($nodename);
+               my $lport = PVE::Tools::next_migrate_port($pfamily);
+               $tunnel_addr = "$lport:localhost:$rport";
+           }
 
-           $self->{tunnel} = $self->fork_tunnel("$lport:localhost:$rport");
+           $self->{tunnel} = $self->fork_tunnel($tunnel_addr);
 
        } else {
            die "unsupported protocol in migration URI: $ruri\n";