if ($clusternet) {
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
}
# implement output policy
if ($vmdata) { # test mode
my $testdir = $vmdata->{testdir} || die "no test directory specified";
my $filename = "$testdir/cluster.fw";
- die "missing test file '$filename'\n" if ! -f $filename;
$cluster_conf = load_clusterfw_conf($filename);
$filename = "$testdir/host.fw";
- die "missing test file '$filename'\n" if ! -f $filename;
$hostfw_conf = load_hostfw_conf($filename);
$vmfw_configs = read_vm_firewall_configs($vmdata, $testdir);
my $conf = $vmdata->{qemu}->{$vmid};
my $vmfw_conf = $vmfw_configs->{$vmid};
next if !$vmfw_conf;
- next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+ next if !$vmfw_conf->{options}->{enable};
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
my $vmfw_conf = $vmfw_configs->{$vmid};
next if !$vmfw_conf;
- next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+ next if !$vmfw_conf->{options}->{enable};
if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
my $ip = $conf->{ip_address}->{value};