X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=9b24b5cefd0ccb21b7e62e954553099876137433;hp=246e7af88a32e437789cbfc9e45a8a3db2a2cbd5;hb=ac633d3003e1b2c6caad2a2e63d1c8421aec1a29;hpb=93be433387be21e7a26495065da3a32bb79b334a
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 246e7af..9b24b5c 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -705,11 +705,14 @@ my $ipv4_mask_hash_clusternet = {
     '255.255.255.252' => 30,
 };
 
-my $cluster_network;
+my $__cluster_network;
 
-sub get_cluster_network {
+sub cluster_network {
+    my ($new_value) = @_;
 
-    return $cluster_network if defined($cluster_network);
+    $__cluster_network = $new_value if defined($new_value);
+
+    return $__cluster_network if defined($__cluster_network);
 
     eval {
         my $nodename = PVE::INotify::nodename();
@@ -726,14 +729,14 @@ sub get_cluster_network {
             my $cidr = "$entry->{dest}/$mask";
             my $testnet = Net::IP->new($cidr);
             if ($testnet->overlaps($testip)) {
-                $cluster_network = $cidr;
+                $__cluster_network = $cidr;
                 return;
             }
         }
     };
     warn $@ if $@;
 
-    return $cluster_network;
+    return $__cluster_network;
 }
 
 sub parse_address_list {
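Review bot: The new setter path in cluster_network() stores `$new_value` without any validation, and enable_host_firewall later interpolates that value straight into iptables rule strings (`-s $clusternet ...`), so a malformed argument ends up verbatim in the generated ruleset; presumably the setter exists for tests, but nothing on the page restricts who calls it. Since Net::IP is already used a few lines further down, the argument can be checked before it is stored, e.g. `die "invalid cluster network '$new_value'\n" if defined($new_value) && !Net::IP->new($new_value);`. Renaming `get_cluster_network` to `cluster_network` also drops the old name without a compatibility alias, so any caller outside this diff would now fail at runtime; a one-line `sub get_cluster_network { return cluster_network(); }` shim, or a grep confirming there are no other callers, would settle that. A single leading underscore (`$_cluster_network`) is the usual Perl marker for a private lexical; the double underscore is unusual in this codebase as far as the hunk shows. The body of cluster_network continues between the two hunks shown here.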
@@ -1684,19 +1687,6 @@ sub enable_host_firewall {
     ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
     ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
 
-    my $clusternet = get_cluster_network();
-
-    if ($clusternet) {
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
-    }
-
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
     # we use RETURN because we need to check also tap rules
     my $accept_action = 'RETURN';
 
@@ -1711,6 +1701,21 @@ sub enable_host_firewall {
             }
             delete $rule->{iface_in};
         }
+
+    my $clusternet = cluster_network();
+
+    # allow standard traffic on cluster network
+    if ($clusternet) {
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+
+        # corosync
+        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+    }
 
     # implement input policy
     my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
@@ -1726,10 +1731,6 @@ sub enable_host_firewall {
 
     ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
 
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
     # we use RETURN because we may want to check other thigs later
     $accept_action = 'RETURN';
 
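Review bot: When cluster_network() returns undef — its lookup swallows failures with `warn $@` and falls through to an undefined value — the new `if ($clusternet)` block emits no corosync rule at all, whereas the removed code always allowed multicast and UDP 5404:5405 regardless of the lookup; with the `policy_in` default of DROP visible just below, a failed detection could turn into silently blocked cluster traffic. The same structure is repeated for the output chain in the hunk at -1745. At minimum the undef case deserves a visible diagnostic next to the `if`, e.g. `warn "unable to detect cluster network, corosync traffic not allowed\n" if !$clusternet;`, and a comment stating whether dropping the UDP 9000 rule from the old code was intentional. enable_host_firewall starts and ends outside this hunk.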
@@ -1745,6 +1746,16 @@ sub enable_host_firewall {
         delete $rule->{iface_out};
     }
 
+    # allow standard traffic on cluster network
+    if ($clusternet) {
+        ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+        ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+
+        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+    }
+
     # implement output policy
     $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
     ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
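Review bot: This cluster-network block duplicates the one added to the input chain at -1711 almost line for line (the `$corosync_rule` string and the two UDP rules are identical, only the TCP rules swap `-s` for `-d`), so the two will drift the next time a port is added; a small private helper taking the chain, the direction flag and the port list would keep them in step. The output side also allows only 8006 and 22 while the input side additionally allows 5900:5999 and 3128; if that asymmetry is intended, a comment such as `# VNC/SPICE proxies are only accepted inbound; outbound connections use SSH` (adjusted to the real reason) would stop the next reader from taking it for an omission. enable_host_firewall ends outside this hunk.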