# corosync preparation
my $corosync_rule = "-p udp --dport 5404:5405";
my $corosync_local_addresses = {};
+ my $multicast_enabled;
my $local_hostname = PVE::INotify::nodename();
if (defined($corosync_conf)) {
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
$corosync_local_addresses->{$key} = $node_ip;
}
});
+
+ # allow multicast only if enabled in config
+ my $corosync_transport = $corosync_conf->{main}->{totem}->{transport};
+ $multicast_enabled = defined($corosync_transport) && $corosync_transport eq 'udp';
}
# host inbound firewall
# corosync inbound rules
if (defined($corosync_conf)) {
- # always allow multicast
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+ if $multicast_enabled;
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $destination = $corosync_local_addresses->{$key};
- if ($node_name ne $local_hostname) {
- my $destination = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($destination)) {
# accept only traffic on same ring
- if (defined($destination)) {
- ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
}
});
}
# corosync outbound rules
if (defined($corosync_conf)) {
- # always allow multicast
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+ if $multicast_enabled;
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $source = $corosync_local_addresses->{$key};
- if ($node_name ne $local_hostname) {
- my $source = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($source)) {
# accept only traffic on same ring
- if (defined($source)) {
- ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
}
});
}
$hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
# cfs_update is handled by daemon or API
- $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf;
+ $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf")
+ if !defined($corosync_conf) && PVE::Corosync::check_conf_exists(1);
$vmdata = read_local_vm_config();
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef);