X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=ea2abe27660de47c66f41dfc57b7e697c26a1db6;hp=73005ab7bced11f6d5bb37b4de3066e7fecc87ed;hb=dd009ced9c1831b58701c2a6924dbfef021a4930;hpb=56f313f75c4e204a687073079b5682ab4ab622f4 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 73005ab..ea2abe2 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -438,8 +438,8 @@ my $pve_fw_macros = { { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, ], 'VNC' => [ - "VNC traffic for VNC display's 0 - 9", - { action => 'PARAM', proto => 'tcp', dport => '5900:5909' }, + "VNC traffic for VNC display's 0 - 99", + { action => 'PARAM', proto => 'tcp', dport => '5900:5999' }, ], 'VNCL' => [ "VNC traffic from Vncservers to Vncviewers in listen mode", @@ -687,6 +687,55 @@ sub get_etc_protocols { return $etc_protocols; } +my $ipv4_mask_hash_clusternet = { + '255.255.0.0' => 16, + '255.255.128.0' => 17, + '255.255.192.0' => 18, + '255.255.224.0' => 19, + '255.255.240.0' => 20, + '255.255.248.0' => 21, + '255.255.252.0' => 22, + '255.255.254.0' => 23, + '255.255.255.0' => 24, + '255.255.255.128' => 25, + '255.255.255.192' => 26, + '255.255.255.224' => 27, + '255.255.255.240' => 28, + '255.255.255.248' => 29, + '255.255.255.252' => 30, +}; + +my $cluster_network; + +sub get_cluster_network { + + return $cluster_network if defined($cluster_network); + + eval { + my $nodename = PVE::INotify::nodename(); + + my $ip = PVE::Cluster::remote_node_ip($nodename); + + my $testip = Net::IP->new($ip); + + my $routes = PVE::ProcFSTools::read_proc_net_route(); + foreach my $entry (@$routes) { + my $mask = $ipv4_mask_hash_clusternet->{$entry->{mask}}; + next if !defined($mask); + return if $mask eq '0.0.0.0'; + my $cidr = "$entry->{dest}/$mask"; + my $testnet = Net::IP->new($cidr); + if ($testnet->overlaps($testip)) { + $cluster_network = $cidr; + return; + } + } + }; + warn $@ if $@; + + return $cluster_network; +} + sub parse_address_list { my ($str) = @_; @@ -1635,10 +1684,6 @@ sub enable_host_firewall { ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel); - ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync - # we use RETURN because we need to check also tap rules my $accept_action = 'RETURN'; @@ -1653,6 +1698,21 @@ sub enable_host_firewall { } delete $rule->{iface_in}; } + + my $clusternet = get_cluster_network(); + + # allow standard traffic on cluster network + if ($clusternet) { + ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console + ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy + ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH + + # corosync + my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action" + ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule"); + ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule"); + } # implement input policy my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default @@ -1668,10 +1728,6 @@ sub enable_host_firewall { ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); - ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync - # we use RETURN because we may want to check other thigs later $accept_action = 'RETURN'; @@ -1687,6 +1743,16 @@ sub enable_host_firewall { delete $rule->{iface_out}; } + # allow standard traffic on cluster network + if ($clusternet) { + ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH + + my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"; + ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule"); + ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule"); + } + # implement output policy $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); @@ -2928,6 +2994,16 @@ sub remove_pvefw_chains { iptables_restore_cmdlist($cmdlist); } +sub init { + my $cluster_conf = load_clusterfw_conf(); + my $cluster_options = $cluster_conf->{options}; + my $enable = $cluster_options->{enable}; + + return if !$enable; + + # load required modules here +} + sub update { my ($verbose) = @_; @@ -2956,5 +3032,4 @@ sub update { run_locked($code); } - 1;