'255.255.255.252' => 30,
};
-my $cluster_network;
+my $__cluster_network;
-sub get_cluster_network {
+sub cluster_network {
+ my ($new_value) = @_;
- return $cluster_network if defined($cluster_network);
+ $__cluster_network = $new_value if defined($new_value);
+
+ return $__cluster_network if defined($__cluster_network);
eval {
my $nodename = PVE::INotify::nodename();
my $cidr = "$entry->{dest}/$mask";
my $testnet = Net::IP->new($cidr);
if ($testnet->overlaps($testip)) {
- $cluster_network = $cidr;
+ $__cluster_network = $cidr;
return;
}
}
};
warn $@ if $@;
- return $cluster_network;
+ return $__cluster_network;
}
sub parse_address_list {
delete $rule->{iface_in};
}
- my $clusternet = get_cluster_network();
+ my $clusternet = cluster_network();
# allow standard traffic on cluster network
if ($clusternet) {
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
# corosync
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
if ($clusternet) {
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
}
# implement output policy