Proxmox/pve-firewall
5
0
Fork 0
mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-02-10 17:57:28 +03:00
Code Releases Activity

fix corosync rules (restrict to cluster network)

Browse Source
This commit is contained in:
Dietmar Maurer 2014-05-20 06:07:50 +02:00
parent 2da3a5c4a6
commit 8b6348df48
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/PVE/Firewall.pm
View File

@ -1691,10 +1691,12 @@ sub enable_host_firewall {
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
}
ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
# corosync
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
@ -1725,8 +1727,11 @@ sub enable_host_firewall {
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
if ($clusternet) {
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';