From: Dietmar Maurer Date: Tue, 20 May 2014 04:12:55 +0000 (+0200) Subject: add standard rules after user rules X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=3bc79f879dc13af863f71cf2da32cdba7d423bd5 add standard rules after user rules Ao that the users can overwrite behavior.
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 49ea0c0..82c5c95 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1684,20 +1684,6 @@ sub enable_host_firewall {
 ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
 ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
- my $clusternet = get_cluster_network();
-
- if ($clusternet) {
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
-
- # corosync
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
- }
-
 # we use RETURN because we need to check also tap rules
 my $accept_action = 'RETURN';
@@ -1712,6 +1698,21 @@ sub enable_host_firewall {
 }
 delete $rule->{iface_in};
 }
+
+ my $clusternet = get_cluster_network();
+
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
+
+ # corosync
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
 # implement input policy
 my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
@@ -1727,12 +1728,6 @@ sub enable_host_firewall {
 ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
- if ($clusternet) {
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
- }
-
 # we use RETURN because we may want to check other thigs later
 $accept_action = 'RETURN';
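Review bot: The added line `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"` has no terminating semicolon as the hunk shows it, so the `ruleset_addrule(...)` call on the following line would be a syntax error; the same assignment in the output-chain hunk (`@@ -1748,6 +1743,16 @@`) does end with one, so this line should read `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";`. The removed copy in the first hunk lacks the semicolon too, so this may be an artifact of how the page was rendered rather than of the commit itself and is worth confirming against the file. `$clusternet` is declared here and referenced again in the output-chain hunk, which only works if both sites share one lexical scope inside enable_host_firewall; the flattened indentation does not make that certain. The body of enable_host_firewall starts before and continues after this hunk.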
@@ -1748,6 +1743,16 @@ sub enable_host_firewall {
 delete $rule->{iface_out};
 }
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
+
+ my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
+
 # implement output policy
 $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
 ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
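Review bot: The output-chain block accepts only the API (`8006`) and SSH (`22`) ports toward `$clusternet`, while the input-chain block added in the same commit also accepts VNC (`5900:5999`) and SPICE proxy (`3128`), and the `# corosync` label used there is missing before `my $corosync_rule` here; if the asymmetry is deliberate, a comment such as `# outbound to cluster nodes: API and SSH only; corosync below` would keep the two blocks from drifting apart. Because these accept rules now sit after the user's rules (the intent of the commit), a user rule that matches cluster-network traffic takes precedence and can cut node-to-node traffic, corosync included; a one-line comment at the top of the block stating that ordering would help whoever reads the generated ruleset later, e.g. `# placed after user rules on purpose: user rules may override these`. enable_host_firewall continues outside the hunk.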