From: Stefan Reiter Date: Mon, 1 Jul 2019 15:22:17 +0000 (+0200) Subject: Only include multicast rules if transport is udp X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=eacd4748486c3938890e0c2a623ef46950077437 Only include multicast rules if transport is udp Only applies to corosync 3. Testing config is changed to allow simulation of multicast rules. Signed-off-by: Stefan Reiter
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c497109..d300dc9 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2406,6 +2406,7 @@ sub enable_host_firewall {
 # corosync preparation
 my $corosync_rule = "-p udp --dport 5404:5405";
 my $corosync_local_addresses = {};
+ my $multicast_enabled;
 my $local_hostname = PVE::INotify::nodename();
 if (defined($corosync_conf)) {
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
@@ -2415,6 +2416,9 @@ sub enable_host_firewall {
 $corosync_local_addresses->{$key} = $node_ip;
 }
 });
+
+ # allow multicast only if enabled in config
+ $multicast_enabled = $corosync_conf->{main}->{totem}->{transport} // 0;
 }
 # host inbound firewall
@@ -2463,8 +2467,8 @@ sub enable_host_firewall {
 # corosync inbound rules
 if (defined($corosync_conf)) {
- # always allow multicast
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+ if $multicast_enabled;
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 my ($node_name, $node_ip, $node_ipversion, $key) = @_;
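Review bot: `$multicast_enabled` in the second hunk holds the raw transport string rather than a boolean — `$corosync_conf->{main}->{totem}->{transport} // 0` is truthy for `udpu` and `knet` just as for `udp`, so the guarded multicast accept rules in the third hunk and in the outbound hunk that follows are still emitted for transports that never use multicast, contrary to the subject line. That keeps `-m addrtype --dst-type MULTICAST -p udp --dport 5404:5405` open on every host whose corosync.conf names its transport explicitly; the check should be on the value, e.g. `my $transport = $corosync_conf->{main}->{totem}->{transport}; $multicast_enabled = defined($transport) && $transport eq 'udp';`. The comment above it could then state the actual condition, `# corosync only uses multicast with the udp transport`. The two-line `ruleset_addrule(...) if $multicast_enabled;` in the third and fourth hunks would read more clearly as a block `if`, since the statement it trails already spans two lines. enable_host_firewall starts before the first hunk and ends after the last one.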
@@ -2532,8 +2536,8 @@ sub enable_host_firewall {
 # corosync outbound rules
 if (defined($corosync_conf)) {
- # always allow multicast
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+ if $multicast_enabled;
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 my ($node_name, $node_ip, $node_ipversion, $key) = @_;
diff --git a/test/corosync.conf b/test/corosync.conf
index 75385ec..27b6313 100644
--- a/test/corosync.conf
+++ b/test/corosync.conf
@@ -47,6 +47,7 @@ totem {
 config_version: 1
 ip_version: ipv4
 secauth: on
+ transport: udp
 version: 2
 }