X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=0e15090f3d7940c680fcc5aa8a6744d04d54f0e7;hp=ef724a7085871580b7bc11807fb29699827561a3;hb=a44539a351b71b24bb4074949aab52bb59d56e80;hpb=81a0a9ffb7acc40a1e39e8253adaad3622010159
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index ef724a7..0e15090 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -214,7 +214,10 @@ my $pve_fw_macros = {
 ],
 'Ceph' => [
 "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)",
+ # Legacy port for protocol v1
 { action => 'PARAM', proto => 'tcp', dport => '6789' },
+ # New port for protocol v2
+ { action => 'PARAM', proto => 'tcp', dport => '3300' },
 { action => 'PARAM', proto => 'tcp', dport => '6800:7300' },
 ],
 'CVS' => [
@@ -1748,25 +1751,25 @@ sub enable_bridge_firewall {
 sub iptables_restore_cmdlist {
 my ($cmdlist) = @_;
 
- run_command("/sbin/iptables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+ run_command(['iptables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
 }
 sub ip6tables_restore_cmdlist {
 my ($cmdlist) = @_;
 
- run_command("/sbin/ip6tables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+ run_command(['ip6tables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
 }
 sub ipset_restore_cmdlist {
 my ($cmdlist) = @_;
 
- run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist");
+ run_command(['ipset', 'restore'], input => $cmdlist, errmsg => "ipset_restore_cmdlist");
 }
 sub ebtables_restore_cmdlist {
 my ($cmdlist) = @_;
 
- run_command("/sbin/ebtables-restore", input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
+ run_command(['ebtables-restore'], input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
 }
 sub iptables_get_chains {
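Review bot: The macro description on the new side, `"Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)"`, is the text users see when they select the macro, and it does not tell them that the macro now opens a second monitor port; updating it to something like `"Ceph Storage Cluster traffic (Ceph Monitors v1/v2, OSD & MDS Daemons)"` documents the new 3300 entry where it is visible and fixes the pre-existing 'Deamons' typo in the same line. The added `# New port for protocol v2` comment will age; `# messenger v2 port` names the protocol rather than its novelty. The `$pve_fw_macros` hash begins and ends outside the hunk.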
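Review bot: Removing the `/sbin/` prefix in the four restore helpers (and, in the later hunks, the `*-save` calls in iptables_get_chains, ipset_get_chains and ebtables_get_chains) makes command lookup depend on `$ENV{PATH}` at call time: the array form is the right change because no shell is involved any more, but a caller running with a PATH that lacks the sbin directories now fails when rules are applied instead of being caught at review time. Worth confirming that every entry point (daemon, API, CLI) sets a suitable PATH, or recording the assumption once above iptables_restore_cmdlist, e.g. `# netfilter tools are resolved via PATH; callers must provide one that contains the sbin directories`. Separately, the new line in ip6tables_restore_cmdlist still carries the copy-pasted `errmsg => "iptables_restore_cmdlist"`, so an ip6tables-restore failure is reported under the IPv4 helper's name; it should read `errmsg => "ip6tables_restore_cmdlist"`.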
@@ -1825,7 +1828,7 @@ sub iptables_get_chains {
 }
 };
 
- run_command("/sbin/$iptablescmd-save", outfunc => $parser);
+ run_command(["$iptablescmd-save"], outfunc => $parser);
 return wantarray ? ($res, $hooks) : $res;
 }
@@ -1869,7 +1872,7 @@ sub ipset_get_chains {
 }
 };
 
- run_command("/sbin/ipset save", outfunc => $parser);
+ run_command(['ipset', 'save'], outfunc => $parser);
 # compute digest for each chain
 foreach my $chain (keys %$chains) {
@@ -1900,7 +1903,7 @@ sub ebtables_get_chains {
 }
 };
- run_command("/sbin/ebtables-save", outfunc => $parser);
+ run_command(['ebtables-save'], outfunc => $parser);
 # compute digest for each chain and store rules as well
 foreach my $chain (keys %$chains) {
 $res->{$chain}->{rules} = $chains->{$chain};
@@ -2473,14 +2476,11 @@ sub enable_host_firewall {
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $destination = $corosync_local_addresses->{$key};
 
- if ($node_name ne $local_hostname) {
- my $destination = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($destination)) {
 # accept only traffic on same ring
- if (defined($destination)) {
- ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
 }
 });
 }
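Review bot: With the merged condition `if ($node_name ne $local_hostname && defined($destination))` the existing `# accept only traffic on same ring` comment now sits under a guard that also excludes the local node and the rings on which this node has no address, and it no longer says why the undefined case is skipped silently rather than treated as an error; a comment above the `if`, e.g. `# skip the local node, and rings this node has no address on (no same-ring traffic to accept)`, keeps the intent visible. The identical restructuring in the mirrored hunk at @@ -2542 (`-s $source -d $node_ip`) needs the same comment. The two callbacks differ only in the -s/-d order, so a small shared helper taking the direction would remove the duplication if this code is touched again. enable_host_firewall begins and ends outside both hunks.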
@@ -2542,14 +2542,11 @@ sub enable_host_firewall {
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $source = $corosync_local_addresses->{$key};
 
- if ($node_name ne $local_hostname) {
- my $source = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($source)) {
 # accept only traffic on same ring
- if (defined($source)) {
- ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
 }
 });
 }
@@ -3525,7 +3522,8 @@ sub compile {
 $hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
 # cfs_update is handled by daemon or API
- $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf;
+ $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf")
+ if !defined($corosync_conf) && PVE::Corosync::check_conf_exists(1);
 $vmdata = read_local_vm_config();
 $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef);
@@ -4038,8 +4036,8 @@ sub get_ebtables_cmdlist {
 foreach my $chain (sort keys %$statushash) {
 my $stat = $statushash->{$chain};
- next if ($stat->{action} eq 'delete');
 $changes = 1 if ($stat->{action} !~ 'ignore|exists');
+ next if ($stat->{action} eq 'delete');
 foreach my $cmd (@{$statushash->{$chain}->{'rules'}}) {
 if ($chain eq 'FORWARD' && $cmd eq $append_pve_to_forward) {
@@ -4264,7 +4262,7 @@ sub update_nf_conntrack_logging {
 my $tmpfile = "$pve_fw_status_dir/log_nf_conntrack";
 PVE::Tools::file_set_contents($tmpfile, $value);
 
- PVE::Tools::run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
+ run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
 $log_nf_conntrack_enabled = $value;
 }
 }
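Review bot: The new guard `PVE::Corosync::check_conf_exists(1)` deliberately leaves `$corosync_conf` undefined when no corosync.conf exists, but the only comment above the statement is still `# cfs_update is handled by daemon or API`, so the next reader cannot tell that the undef is intentional; add something like `# no corosync.conf on standalone nodes: keep undef instead of failing in cfs_read_file` (assuming the read is what fails on a missing file — confirm). Every consumer of `$corosync_conf` must then tolerate undef — both `for_all_corosync_addresses($corosync_conf, ...)` calls in enable_host_firewall appear in this diff, but the guard around them, if there is one, lies outside the hunks, so it is worth checking. If the `1` argument is a no-error flag, as the call site suggests, a trailing `# noerr` comment saves a lookup. compile begins and ends outside the hunk.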
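Review bot: Moving `$changes = 1 if ($stat->{action} !~ 'ignore|exists');` above `next if ($stat->{action} eq 'delete');` makes chains scheduled for deletion count as changes, and nothing in the hunk says that the order is now load-bearing; a comment such as `# deletions are changes too, so flag before skipping (presumably what an all-delete ruleset relies on)` would stop a later cleanup from swapping the two lines back. While the line is being moved, `!~ 'ignore|exists'` is an unanchored substring match written as a string; `$changes = 1 if $stat->{action} !~ m/\A(?:ignore|exists)\z/;` says what is meant and does not rely on no other action name containing those words. get_ebtables_cmdlist begins and ends outside the hunk.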
@@ -4274,6 +4272,7 @@ sub remove_pvefw_chains {
 PVE::Firewall::remove_pvefw_chains_iptables("iptables");
 PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
 PVE::Firewall::remove_pvefw_chains_ipset();
+ PVE::Firewall::remove_pvefw_chains_ebtables();
 }
 
@@ -4319,6 +4318,11 @@ sub remove_pvefw_chains_ipset {
 ipset_restore_cmdlist($cmdlist) if $cmdlist;
 }
 
+sub remove_pvefw_chains_ebtables {
+ # apply empty ruleset = remove all our chains
+ ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
+}
+
 sub init {
 my $cluster_conf = load_clusterfw_conf();
 my $cluster_options = $cluster_conf->{options};
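Review bot: The added `PVE::Firewall::remove_pvefw_chains_ebtables();` runs after the iptables, ip6tables and ipset cleanup and, like them, lets a run_command failure die straight through, so on a host where ebtables-save or ebtables-restore is missing or fails the caller gets an error after the other chains were already removed and the cleanup stops there. If ebtables is optional on some hosts, wrapping just this call in `eval { PVE::Firewall::remove_pvefw_chains_ebtables(); }; warn "removing ebtables chains failed: $@" if $@;` keeps the cleanup best-effort; if it is a hard dependency, a short comment saying so is enough. remove_pvefw_chains begins outside the hunk.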
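Review bot: `ebtables_restore_cmdlist(get_ebtables_cmdlist({}))` calls get_ebtables_cmdlist in list context; given the `$changes` flag that sub maintains (see the @@ -4038 hunk), it likely returns more than the command list in that context, in which case the extra value is passed as a stray second argument that ebtables_restore_cmdlist silently drops. The sibling remove_pvefw_chains_ipset in the context above assigns to a scalar first and only restores when there is something to apply; mirroring it removes the context dependency and the no-op restore: `my $cmdlist = get_ebtables_cmdlist({});` followed by `ebtables_restore_cmdlist($cmdlist) if $cmdlist;`. The existing `# apply empty ruleset = remove all our chains` comment is good and should stay.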