firewall - Ceph macro added

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f0c105e0b1fb8346aee87a93f10df9e2c4eca5ac..26fc63e2fb5110664d256fd03b6c904ef313474e 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -113,8 +113,6 @@ eval  {
 
 };
 
-use Data::Dumper;
-
 my $nodename = PVE::INotify::nodename();
 
 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
@@ -168,6 +166,11 @@ my $pve_fw_macros = {
        { action => 'PARAM', proto => 'tcp', dport => '6881:6999' },
        { action => 'PARAM', proto => 'udp', dport => '6881' },
     ],
+    'Ceph' => [
+        "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)",
+        { action => 'PARAM', proto => 'tcp', dport => '6789' },
+        { action => 'PARAM', proto => 'tcp', dport => '6800:7300' },
+    ],
     'CVS' => [
        "Concurrent Versions System pserver traffic",
        { action => 'PARAM', proto => 'tcp', dport => '2401' },
@@ -1106,7 +1109,8 @@ my $rule_properties = {
        optional => 1,
     },
     enable => {
-       type => 'boolean',
+        type => 'integer',
+       minimum => 0,
        optional => 1,
     },
     sport => {
@@ -2360,9 +2364,12 @@ sub parse_clusterfw_option {
 
     my ($opt, $value);
 
-    if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable):\s*(\d+)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
+       if (($value > 1) && ((time() - $value) > 60)) {
+           $value = 0
+       }
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
        $opt = lc($1);
        $value = uc($3);