- foreach my $rule (@$rules) {
- next if $rule->{type} ne 'in';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
+
+ # add host rules first, so that cluster wide rules can be overwritten
+ foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
+ $rule->{iface_in} = $rule->{iface} if $rule->{iface};
+
+ eval {
+ if ($rule->{type} eq 'group') {
+ ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
+ } elsif ($rule->{type} eq 'in') {
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
+ undef, $cluster_conf, $hostfw_conf);
+ }
+ };
+ warn $@ if $@;
+ delete $rule->{iface_in};
+ }
+
+ # allow standard traffic for management ipset (includes cluster network)
+ my $mngmnt_ipset_chain = compute_ipset_chain_name(0, "management");
+ my $mngmntsrc = "-m set --match-set ${mngmnt_ipset_chain} src";
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH
+
+ my $localnet = local_network();
+
+ # corosync
+ if ($localnet) {
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule");