allow API/SSH/SPICE/VNC traffic on local cluster network by default

2025-03-06 00:58:15 +03:00 · 2014-05-19 14:18:40 +02:00 · 2014-05-19 14:18:40 +02:00 · 93be433387
commit 93be433387
parent f9cd0ab6b9
2 changed files with 62 additions and 2 deletions
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@ -438,8 +438,8 @@ my $pve_fw_macros = {
 	{ action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
    ],
    'VNC' => [
-	"VNC traffic for VNC display's 0 - 9",
-	{ action => 'PARAM', proto => 'tcp', dport => '5900:5909' },
+	"VNC traffic for VNC display's 0 - 99",
+	{ action => 'PARAM', proto => 'tcp', dport => '5900:5999' },
    ],
    'VNCL' => [
 	"VNC traffic from Vncservers to Vncviewers in listen mode",
@ -687,6 +687,55 @@ sub get_etc_protocols {
    return $etc_protocols;
 }

+my $ipv4_mask_hash_clusternet = {
+    '255.255.0.0' => 16,
+    '255.255.128.0' => 17,
+    '255.255.192.0' => 18,
+    '255.255.224.0' => 19,
+    '255.255.240.0' => 20,
+    '255.255.248.0' => 21,
+    '255.255.252.0' => 22,
+    '255.255.254.0' => 23,
+    '255.255.255.0' => 24,
+    '255.255.255.128' => 25,
+    '255.255.255.192' => 26,
+    '255.255.255.224' => 27,
+    '255.255.255.240' => 28,
+    '255.255.255.248' => 29,
+    '255.255.255.252' => 30,
+};
+
+my $cluster_network;
+
+sub get_cluster_network {
+
+    return $cluster_network if defined($cluster_network);
+
+    eval {
+	my $nodename = PVE::INotify::nodename();
+
+	my $ip = PVE::Cluster::remote_node_ip($nodename);
+
+	my $testip = Net::IP->new($ip);
+   
+	my $routes = PVE::ProcFSTools::read_proc_net_route();
+	foreach my $entry (@$routes) {
+	    my $mask = $ipv4_mask_hash_clusternet->{$entry->{mask}};
+	    next if !defined($mask);
+	    return if $mask eq '0.0.0.0';
+	    my $cidr = "$entry->{dest}/$mask";
+	    my $testnet = Net::IP->new($cidr);
+	    if ($testnet->overlaps($testip)) {
+		$cluster_network = $cidr;
+		return;
+	    }
+	}
+    };
+    warn $@ if $@;
+
+    return $cluster_network;
+}
+
 sub parse_address_list {
    my ($str) = @_;

@ -1635,6 +1684,15 @@ sub enable_host_firewall {
    ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
    ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);

+    my $clusternet = get_cluster_network();
+
+    if ($clusternet) {
+	ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT");  # PVE API
+	ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT");  # PVE VNC Console 
+	ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT");  # SPICE Proxy
+	ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT");  # SSH
+    }
+
    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT");  #corosync
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@ -529,6 +529,8 @@ sub simulate_firewall {
 	die "unable to parse \"from => '$from'\"\n";
    }

+    $pkg->{source} = '100.200.3.4' if !defined($pkg->{source});
+
    my $target;

    if ($to eq 'host') {