[pve-devel] [PATCH 0/5] Read corosync.conf for firewall rules

Stefan Reiter s.reiter at proxmox.com
Mon Jul 1 10:49:19 CEST 2019


Related to issue #2245 (pve-firewall poorly detects 'localnet').
Doesn't actually fix the underlying issue (i.e. localnet is still
detected poorly), however, with this patchset corosync rules are
at least unaffected.

corosync.conf is read directly during firewall rule creation, allowing
much more fine-grained rules to be created. These are targeted directly
at ring/link addresses and thus bypass any network detection that could
go wrong. Supports hostname resolving, corosync style.

Tested on a 6.0 cluster, no change in behaviour with IPv4, IPv6 and
hostnames in corosync.conf, multiple links work fine too (tested with
two links, IPv4 and IPv6 simultaneously). 5.4 works fine too, patches
applied cleanly to commit dd7d737bcb (bump version to 3.0-21) and
behaviour of cluster was unaffected (as it should be). The bug mentioned
in #2245 and on the pve-user list is no longer reproducible (corosync
works fine, even with IPv6 address in /etc/hosts and firewall enabled).

Note that joining a new node to a cluster that has its firewall enabled
might be delayed up to 10 seconds, until the firewall daemon has a chance
to re-read the updated corosync.conf and adjust its rules.


pve-common:
Stefan Reiter (1):
  Export getaddrinfo helpers

 src/PVE/Tools.pm | 2 ++
 1 file changed, 2 insertions(+)

pve-firewall:
Stefan Reiter (4):
  Add function to iterate all ringX_addr for all nodes
  Create corosync firewall rules independent of localnet
  Update and add tests for corosync firewall changes
  Add hostname resolving to corosync firewall rule generation

 src/PVE/Firewall.pm            | 153 +++++++++++++++++++++++++++++----
 test/corosync.conf             |  52 +++++++++++
 test/fwtester.pl               |  11 ++-
 test/test-default-rules1/tests |   4 +
 4 files changed, 203 insertions(+), 17 deletions(-)
 create mode 100644 test/corosync.conf

-- 
2.20.1
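The approach the cover letter describes (read the nodelist from corosync.conf, iterate every ringX_addr of every node, resolve hostnames to addresses and build rules from those instead of from localnet detection), as an added stand-alone Python sketch. It is not the pve-firewall Perl code; the config, node names and the HOSTS table are constructed, and HOSTS stands in for the getaddrinfo helpers the series exports so it runs offline.

```python
import ipaddress
# Constructed: two-node corosync.conf (IPv4/IPv6 links, one hostname) plus a hosts table standing in for getaddrinfo().
SAMPLE_CONF = """
nodelist {
  node {
    name: pve1
    ring0_addr: 10.0.0.11
    ring1_addr: fd00::11
  }
  node {
    name: pve2
    ring0_addr: pve2.demo.local
    ring1_addr: fd00::12
  }
}
"""
HOSTS = {"pve2.demo.local": ["10.0.0.12"]}
def parse_corosync(text):
    """Parse corosync.conf into nested dicts; repeated sections like node {} become lists."""
    stack, cur = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.endswith("{"):  # open a sub-section
            child = {}
            cur.setdefault(line[:-1].strip(), []).append(child)
            stack.append(cur)
            cur = child
        elif line == "}":  # close it
            cur = stack.pop()
        elif ":" in line:  # key: value
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return cur  # every section closed, so this is the root again
def ring_addrs(conf):
    """Yield (node name, link number, address) for every ringX_addr of every node."""
    for nodelist in conf.get("nodelist", []):
        for node in nodelist.get("node", []):
            for key, value in node.items():
                if key.startswith("ring") and key.endswith("_addr"):
                    yield node["name"], int(key[4:-5]), value
def corosync_peer_addresses(text, hosts=HOSTS):
    """Every peer address the firewall must allow, resolved independently of localnet."""
    allowed = []
    for _name, _link, addr in ring_addrs(parse_corosync(text)):
        try:
            ips = [str(ipaddress.ip_address(addr))]  # literal IPv4/IPv6 address
        except ValueError:
            ips = hosts.get(addr, [])  # hostname: table lookup stands in for getaddrinfo()
        allowed.extend(ip for ip in ips if ip not in allowed)
    return allowed
```

A hostname with no resolvable address yields no rule, which is the case the cover letter's 10 second delay on node join refers to: the daemon must re-read the updated file before the new peer is allowed.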