X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=be81778c97d8f5503c2dcca5421fe5055c6f6eba;hp=3affb2adfc80de2bad385982a44436b595473fdf;hb=eb399cef4838774a16964cc5d11e4bcbfb07fbd2;hpb=03940656731dcba00612dedbd21655a5b4767c1c diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 3affb2a..be81778 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1701,18 +1701,19 @@ sub enable_host_firewall { } delete $rule->{iface_in}; } + + # allow standard traffic for management ipset (includes cluster network) + my $mngmntsrc = "-m set --match-set PVEFW-management src"; + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH my $clusternet = cluster_network(); - # allow standard traffic on cluster network + # corosync if ($clusternet) { - ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API - ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console - ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy - ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH - - # corosync - my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"; + my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule"); ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule"); } @@ -1753,7 +1754,7 @@ sub enable_host_firewall { ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy - my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"; + my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; ruleset_addrule($ruleset, $chain, "-d $clusternet $corosync_rule"); ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule"); } @@ -1971,7 +1972,7 @@ sub parse_clusterfw_option { return ($opt, $value); } -sub parse_clusterfw_alias { +sub parse_alias { my ($line) = @_; # we can add single line comments to the end of the line @@ -1995,7 +1996,11 @@ sub parse_clusterfw_alias { sub parse_vm_fw_rules { my ($filename, $fh) = @_; - my $res = { rules => [], options => {}}; + my $res = { + rules => [], + options => {}, + aliases => {}, + }; my $section; @@ -2027,6 +2032,15 @@ sub parse_vm_fw_rules { next; } + if ($section eq 'aliases') { + eval { + my $data = parse_alias($line); + $res->{aliases}->{lc($data->{name})} = $data; + }; + warn "$prefix: $@" if $@; + next; + } + my $rule; eval { $rule = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { @@ -2159,7 +2173,7 @@ sub parse_cluster_fw_rules { warn "$prefix: $@" if $@; } elsif ($section eq 'aliases') { eval { - my $data = parse_clusterfw_alias($line); + my $data = parse_alias($line); $res->{aliases}->{lc($data->{name})} = $data; }; warn "$prefix: $@" if $@; @@ -2370,6 +2384,9 @@ sub save_vmfw_conf { my $options = $vmfw_conf->{options}; $raw .= &$format_options($options) if scalar(keys %$options); + my $aliases = $vmfw_conf->{aliases}; + $raw .= &$format_aliases($aliases) if scalar(keys %$aliases); + my $rules = $vmfw_conf->{rules} || []; if (scalar(@$rules)) { $raw .= "[RULES]\n\n"; @@ -2620,7 +2637,10 @@ sub compile { $cluster_conf->{ipset}->{venet0} = []; - + + my $clusternet = cluster_network() || '127.0.0.0/8'; + push @{$cluster_conf->{ipset}->{management}}, { cidr => $clusternet }; + my $ruleset = {}; ruleset_create_chain($ruleset, "PVEFW-INPUT");