X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=49ea0c0f49dc03e1767ae1b85c89aac7e5620a4d;hp=246e7af88a32e437789cbfc9e45a8a3db2a2cbd5;hb=8b6348df487b75be202de77064053f42d51f1b09;hpb=93be433387be21e7a26495065da3a32bb79b334a
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 246e7af..49ea0c0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1691,12 +1691,13 @@ sub enable_host_firewall {
         ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
         ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
         ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
+
+        # corosync
+        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
     }
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
     # we use RETURN because we need to check also tap rules
     my $accept_action = 'RETURN';
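Review bot: The added `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"` line has no terminating semicolon, so Perl runs it into the following `ruleset_addrule(...)` call and the module no longer compiles; it should end in `;` exactly as the identical line in the output-chain hunk does. Replacing the unconditional `-m addrtype --dst-type MULTICAST -j ACCEPT`, which accepted multicast from any source, with rules bound to `-s $clusternet` is a real tightening, but the new rules sit inside the `if ($clusternet)` block whose opening brace is outside this hunk. On a node where `$clusternet` is unset this now accepts no corosync traffic at all; if that fail-closed behaviour is intended, say so next to the block, e.g. `# no cluster network known: emit no corosync rule (fail closed)`. The removed `--dport 9000` rule gets no replacement, so if dropping it was deliberate the commit message should note it.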
@@ -1726,9 +1727,11 @@ sub enable_host_firewall {
     ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
+    if ($clusternet) {
+        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+    }
     # we use RETURN because we may want to check other thigs later
     $accept_action = 'RETURN';
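Review bot: The `$corosync_rule` string and the two `ruleset_addrule` calls are now written out twice, once for the input chain in the previous hunk and again here for the output chain, so a future port or match change has to be made in two places and the two chains can silently drift apart. Hoisting the rule into a single `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";` near the top of `enable_host_firewall`, or into a small helper that takes `$ruleset`, `$chain` and `$clusternet`, would keep both chains in step. The rest of `enable_host_firewall` lies outside this hunk, so where `$clusternet` is derived and whether it can be empty on a clustered node cannot be checked here.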