Only include multicast rules if transport is udp

Only applies to corosync 3.
Testing config is changed to allow simulation of multicast rules.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c4971091c47e00301ad297fb94f1b59d7e7f318a..d300dc99b9e9fe98fe9ad2c7724372a46fe76cca 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2406,6 +2406,7 @@ sub enable_host_firewall {
     # corosync preparation
     my $corosync_rule = "-p udp --dport 5404:5405";
     my $corosync_local_addresses = {};
     # corosync preparation
     my $corosync_rule = "-p udp --dport 5404:5405";
     my $corosync_local_addresses = {};

+    my $multicast_enabled;

     my $local_hostname = PVE::INotify::nodename();
     if (defined($corosync_conf)) {
        PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
     my $local_hostname = PVE::INotify::nodename();
     if (defined($corosync_conf)) {
        PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {


@@ -2415,6 +2416,9 @@ sub enable_host_firewall {
                $corosync_local_addresses->{$key} = $node_ip;
            }
        });
                $corosync_local_addresses->{$key} = $node_ip;
            }
        });

+
+       # allow multicast only if enabled in config
+       $multicast_enabled = $corosync_conf->{main}->{totem}->{transport} // 0;

     }
 
     # host inbound firewall
     }
 
     # host inbound firewall


@@ -2463,8 +2467,8 @@ sub enable_host_firewall {
 
     # corosync inbound rules
     if (defined($corosync_conf)) {
 
     # corosync inbound rules
     if (defined($corosync_conf)) {

-       # always allow multicast
-       ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+       ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+           if $multicast_enabled;

 
        PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
            my ($node_name, $node_ip, $node_ipversion, $key) = @_;
 
        PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
            my ($node_name, $node_ip, $node_ipversion, $key) = @_;


@@ -2532,8 +2536,8 @@ sub enable_host_firewall {
 
     # corosync outbound rules
     if (defined($corosync_conf)) {
 
     # corosync outbound rules
     if (defined($corosync_conf)) {

-       # always allow multicast
-       ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+       ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+           if $multicast_enabled;

 
        PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
            my ($node_name, $node_ip, $node_ipversion, $key) = @_;
 
        PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
            my ($node_name, $node_ip, $node_ipversion, $key) = @_;

diff --git a/test/corosync.conf b/test/corosync.conf
index 75385ec4449b0e02fe806249c50abee30edd0363..27b63135d748f24cf7f9731ce0b6b2ca113a4a0f 100644 (file)
--- a/test/corosync.conf
+++ b/test/corosync.conf
@@ -47,6 +47,7 @@ totem {
   config_version: 1
   ip_version: ipv4
   secauth: on
   config_version: 1
   ip_version: ipv4
   secauth: on

+  transport: udp

   version: 2
 }
 
   version: 2
 }