ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
- my $clusternet = get_cluster_network();
-
- if ($clusternet) {
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
- }
-
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
}
delete $rule->{iface_in};
}
+
+ my $clusternet = get_cluster_network();
+
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+
+ # corosync
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
# implement input policy
my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';
delete $rule->{iface_out};
}
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
+
# implement output policy
$policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
projects / pve-firewall.git / blobdiff