From eb399cef4838774a16964cc5d11e4bcbfb07fbd2 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 21 May 2014 06:33:55 +0200
Subject: [PATCH] Introduce new management ipset

The uses can setup a 'management' IPSet to make sure he has access to the GUI from those IPs.
---
 src/PVE/Firewall.pm | 20 ++++++++++++--------
 test/test-group1/tests | 2 +-
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c80664f..be81778 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1701,17 +1701,18 @@ sub enable_host_firewall {
         }
         delete $rule->{iface_in};
     }
+
+    # allow standard traffic for management ipset (includes cluster network)
+    my $mngmntsrc = "-m set --match-set PVEFW-management src";
+    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API
+    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH
 
     my $clusternet = cluster_network();
 
-    # allow standard traffic on cluster network
+    # corosync
     if ($clusternet) {
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
-        ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
-
-        # corosync
         my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
         ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
         ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
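Review bot: The four new accepts reference the set by the literal name `PVEFW-management`, while the set is created under the key `management` in `compile` further down this patch, so the `PVEFW-` prefix and the "(includes cluster network)" claim in the comment both depend on code that is not visible here; the comment should name that dependency, e.g. `# PVEFW-management is built in compile(): the configured 'management' ipset plus cluster_network() (127.0.0.0/8 fallback)`. These rules are also no longer inside the `if ($clusternet)` guard, so they are emitted unconditionally; if the set were ever missing from the generated ipset list, the rule referencing it would presumably make the whole ruleset load fail rather than just drop management access, which is worth a test for a host with no cluster network. The `# corosync` comment now sits above the `if` rather than above the corosync rules it describes, so consider moving it back inside the block. enable_host_firewall continues outside the hunk.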
@@ -2636,7 +2637,10 @@ sub compile {
 
     $cluster_conf->{ipset}->{venet0} = [];
-
+
+    my $clusternet = cluster_network() || '127.0.0.0/8';
+    push @{$cluster_conf->{ipset}->{management}}, { cidr => $clusternet };
+
     my $ruleset = {};
 
     ruleset_create_chain($ruleset, "PVEFW-INPUT");
 
diff --git a/test/test-group1/tests b/test/test-group1/tests
index 22c837a..6b2252d 100644
--- a/test/test-group1/tests
+++ b/test/test-group1/tests
@@ -6,7 +6,7 @@
 { from => 'host', source => '192.168.2.1', dport => 80, action => 'REJECT' }
 { from => 'host', source => '127.0.0.1', dport => 80, action => 'ACCEPT' }
 
-{ to => 'host', source => '127.0.0.1', dport => 22, action => 'DROP' }
+{ to => 'host', source => '1.2.3.4', dport => 22, action => 'DROP' }
 { to => 'host', source => '192.168.2.1', dport => 22, action => 'ACCEPT' }
 { to => 'host', source => '192.168.2.1', dport => 80, action => 'REJECT' }
-- 
2.39.2
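Review bot: `push @{$cluster_conf->{ipset}->{management}}, { cidr => $clusternet }` appends to whatever the user configured without checking whether that cidr is already listed, so a management set that already names the cluster network ends up with a duplicate entry, and whether that is harmless depends on how the ipset emitter handles duplicates, which is outside this hunk. A guard such as `push @{$cluster_conf->{ipset}->{management}}, { cidr => $clusternet } unless grep { $_->{cidr} eq $clusternet } @{$cluster_conf->{ipset}->{management} // []};` removes that dependency. The line also mutates the parsed `$cluster_conf` in place, so any later consumer of the config in the same run sees the auto-added entry as if it had been configured; a comment such as `# note: adds an implicit entry to the parsed config, visible to later readers of the ipset` would make that explicit. compile's body continues outside the hunk.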
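Review bot: Swapping `127.0.0.1` for `1.2.3.4` keeps a negative case for port 22, but the group still has no case that exercises the new behaviour itself: a source that is in the configured management ipset but not in the cluster network being ACCEPTed on 22 or 8006. Without it the rules could silently regress to the old cluster-network-only behaviour and every line here would still pass. Suggest adding a case of the form `{ to => 'host', source => '<MANAGEMENT_IP>', dport => 8006, action => 'ACCEPT' }` with the placeholder matched to an entry in this test group's management ipset configuration.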