also allow VNC and SPICE traffic inside cluster_network

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index ea2abe27660de47c66f41dfc57b7e697c26a1db6..9b0e299d76ad11e04a217999d978043e8c42855b 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -705,11 +705,14 @@ my $ipv4_mask_hash_clusternet = {
     '255.255.255.252' => 30,
 };
 
-my $cluster_network;
+my $__cluster_network;
 
-sub get_cluster_network {
+sub cluster_network {
+    my ($new_value) = @_;
 
-    return $cluster_network if defined($cluster_network);
+    $__cluster_network = $new_value if defined($new_value);
+
+    return $__cluster_network if defined($__cluster_network);
 
     eval {
        my $nodename = PVE::INotify::nodename();
@@ -726,14 +729,14 @@ sub get_cluster_network {
            my $cidr = "$entry->{dest}/$mask";
            my $testnet = Net::IP->new($cidr);
            if ($testnet->overlaps($testip)) {
-               $cluster_network = $cidr;
+               $__cluster_network = $cidr;
                return;
            }
        }
     };
     warn $@ if $@;
 
-    return $cluster_network;
+    return $__cluster_network;
 }
 
 sub parse_address_list {
@@ -1699,7 +1702,7 @@ sub enable_host_firewall {
        delete $rule->{iface_in};
     }
    
-    my $clusternet = get_cluster_network();
+    my $clusternet = cluster_network();
 
     # allow standard traffic on cluster network
     if ($clusternet) {
@@ -1709,7 +1712,7 @@ sub enable_host_firewall {
        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action");  # SSH
  
        # corosync
-       my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"
+       my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
     }
@@ -1747,10 +1750,12 @@ sub enable_host_firewall {
     if ($clusternet) {
        ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action");  # PVE API
        ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action");  # SSH
+       ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 5900:5999 -j $accept_action");  # PVE VNC Console 
+       ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
  
        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
-       ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
-       ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+       ruleset_addrule($ruleset, $chain, "-d $clusternet $corosync_rule");
+       ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
     }
 
     # implement output policy