'255.255.255.252' => 30,
};
-my $cluster_network;
+my $__cluster_network;
-sub get_cluster_network {
+sub cluster_network {
+ my ($new_value) = @_;
- return $cluster_network if defined($cluster_network);
+ $__cluster_network = $new_value if defined($new_value);
+
+ return $__cluster_network if defined($__cluster_network);
eval {
my $nodename = PVE::INotify::nodename();
my $cidr = "$entry->{dest}/$mask";
my $testnet = Net::IP->new($cidr);
if ($testnet->overlaps($testip)) {
- $cluster_network = $cidr;
+ $__cluster_network = $cidr;
return;
}
}
};
warn $@ if $@;
- return $cluster_network;
+ return $__cluster_network;
}
sub parse_address_list {
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
- my $clusternet = get_cluster_network();
-
- if ($clusternet) {
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
-
- # corosync
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
- }
-
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
}
delete $rule->{iface_in};
}
+
+ my $clusternet = cluster_network();
+
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+
+ # corosync
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
# implement input policy
my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
- if ($clusternet) {
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
- }
-
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';
delete $rule->{iface_out};
}
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
+
# implement output policy
$policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
projects / pve-firewall.git / blobdiff