}
delete $rule->{iface_in};
}
+
+ # allow standard traffic for management ipset (includes cluster network)
+ my $mngmntsrc = "-m set --match-set PVEFW-management src";
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH
my $clusternet = cluster_network();
- # allow standard traffic on cluster network
+ # corosync
if ($clusternet) {
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
-
- # corosync
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
ruleset_addrule($ruleset, $chain, "-d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
}
return ($opt, $value);
}
-sub parse_clusterfw_alias {
+sub parse_alias {
my ($line) = @_;
# we can add single line comments to the end of the line
sub parse_vm_fw_rules {
my ($filename, $fh) = @_;
- my $res = { rules => [], options => {}};
+ my $res = {
+ rules => [],
+ options => {},
+ aliases => {},
+ };
my $section;
next;
}
+ if ($section eq 'aliases') {
+ eval {
+ my $data = parse_alias($line);
+ $res->{aliases}->{lc($data->{name})} = $data;
+ };
+ warn "$prefix: $@" if $@;
+ next;
+ }
+
my $rule;
eval { $rule = parse_fw_rule($line, 1, 1); };
if (my $err = $@) {
warn "$prefix: $@" if $@;
} elsif ($section eq 'aliases') {
eval {
- my $data = parse_clusterfw_alias($line);
+ my $data = parse_alias($line);
$res->{aliases}->{lc($data->{name})} = $data;
};
warn "$prefix: $@" if $@;
my $options = $vmfw_conf->{options};
$raw .= &$format_options($options) if scalar(keys %$options);
+ my $aliases = $vmfw_conf->{aliases};
+ $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+
my $rules = $vmfw_conf->{rules} || [];
if (scalar(@$rules)) {
$raw .= "[RULES]\n\n";
$cluster_conf->{ipset}->{venet0} = [];
-
+
+ my $clusternet = cluster_network() || '127.0.0.0/8';
+ push @{$cluster_conf->{ipset}->{management}}, { cidr => $clusternet };
+
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");
projects / pve-firewall.git / blobdiff