ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
+
+ # corosync
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
+ if ($clusternet) {
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';