[pve-devel] [PATCH v2 firewall 4/4] Only include multicast rules if transport is udp

Stefan Reiter s.reiter at proxmox.com
Mon Jul 1 17:22:17 CEST 2019 

Only applies to corosync 3.
Testing config is changed to allow simulation of multicast rules.

Signed-off-by: Stefan Reiter <s.reiter at proxmox.com>
---

Only for master, stable-5 (with corosync 2) is not compatible, since
this change assumes that the default transport is knet (or anything else
unicast, really).

 src/PVE/Firewall.pm | 12 ++++++++----
 test/corosync.conf  |  1 +
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c497109..d300dc9 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2406,6 +2406,7 @@ sub enable_host_firewall {
     # corosync preparation
     my $corosync_rule = "-p udp --dport 5404:5405";
     my $corosync_local_addresses = {};
+    my $multicast_enabled;
     my $local_hostname = PVE::INotify::nodename();
     if (defined($corosync_conf)) {
 	PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
@@ -2415,6 +2416,9 @@ sub enable_host_firewall {
 		$corosync_local_addresses->{$key} = $node_ip;
 	    }
 	});
+
+	# allow multicast only if enabled in config
+	$multicast_enabled = $corosync_conf->{main}->{totem}->{transport} // 0;
     }
 
     # host inbound firewall
@@ -2463,8 +2467,8 @@ sub enable_host_firewall {
 
     # corosync inbound rules
     if (defined($corosync_conf)) {
-	# always allow multicast
-	ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+	ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+	    if $multicast_enabled;
 
 	PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 	    my ($node_name, $node_ip, $node_ipversion, $key) = @_;
@@ -2532,8 +2536,8 @@ sub enable_host_firewall {
 
     # corosync outbound rules
     if (defined($corosync_conf)) {
-	# always allow multicast
-	ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
+	ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action")
+	    if $multicast_enabled;
 
 	PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 	    my ($node_name, $node_ip, $node_ipversion, $key) = @_;
diff --git a/test/corosync.conf b/test/corosync.conf
index 75385ec..27b6313 100644
--- a/test/corosync.conf
+++ b/test/corosync.conf
@@ -47,6 +47,7 @@ totem {
   config_version: 1
   ip_version: ipv4
   secauth: on
+  transport: udp
   version: 2
 }
 
-- 
2.20.1

More information about the pve-devel mailing list