From 8b6348df487b75be202de77064053f42d51f1b09 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 20 May 2014 06:07:50 +0200
Subject: [PATCH] fix corosync rules (restrict to cluster network)

---
 src/PVE/Firewall.pm | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1fcb71c..49ea0c0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1691,11 +1691,13 @@ sub enable_host_firewall {
         ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
         ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
         ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
+
+        # corosync
+        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
     }
 
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-
     # we use RETURN because we need to check also tap rules
     my $accept_action = 'RETURN';
 
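Review bot: The added line `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"` has no terminating semicolon, so Firewall.pm will fail to compile — Perl will try to parse the following `ruleset_addrule(...)` call as a continuation of the same statement. The second hunk of this patch writes the same assignment with the `;`, so this one is simply a slip; change it to `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";`. The block these lines sit in (apparently an `if ($clusternet) { ... }`, judging by the context lines and the closing brace) opens before the hunk and enable_host_firewall continues after it, so the file should be compile-checked as a whole. Note also that with the two unconditional rules removed, no corosync rule is emitted at all when `$clusternet` cannot be determined; if that fail-closed behaviour is intended it deserves a one-line comment next to the `# corosync` marker.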
@@ -1725,8 +1727,11 @@ sub enable_host_firewall {
     ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
 
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
+    if ($clusternet) {
+        my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+        ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+    }
 
     # we use RETURN because we may want to check other thigs later
     $accept_action = 'RETURN';
-- 
2.39.2
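Review bot: The `$corosync_rule` string and the two `ruleset_addrule` calls in this `if ($clusternet)` block are a verbatim copy of the ones added in the first hunk of this patch, and the two copies have already diverged (one carries the semicolon, the other does not). Hoisting the literal once near the top of enable_host_firewall — e.g. `my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";` — or wrapping the two calls in a small helper such as `add_corosync_rules($ruleset, $chain, $clusternet)` keeps the two chains' corosync policy from drifting apart on a future port or ctstate change. Both hunks sit inside enable_host_firewall, whose body starts and ends outside this view.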