From 780245b83c375e48160f5ab6b5bc1df911141df2 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 17 Jul 2018 15:36:19 +0200
Subject: [pvs2] Fix iptables rules even more
---
core/modules/pvs2/data/opt/openslx/iptables/rules.d/10-pvs | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'core/modules/pvs2')
diff --git a/core/modules/pvs2/data/opt/openslx/iptables/rules.d/10-pvs b/core/modules/pvs2/data/opt/openslx/iptables/rules.d/10-pvs
index bfb9a391..8debd2cc 100755
--- a/core/modules/pvs2/data/opt/openslx/iptables/rules.d/10-pvs
+++ b/core/modules/pvs2/data/opt/openslx/iptables/rules.d/10-pvs
@@ -1,13 +1,18 @@
 #!/bin/ash
 # Allow PVS ports
-# Control connection - server and client perspective
+# Control connection: server incoming, client outgoing
 iptables -I ipt-helper-INPUT 1 -i br0 -p tcp --dport 5194 -j ACCEPT
 iptables -I ipt-helper-OUTPUT 1 -o br0 -p tcp --dport 5194 -j ACCEPT
-# UDP discovery - server and client perspective
+# UDP discovery
+# pvsmgr: allow incoming discovery (broadcast)
 iptables -I ipt-helper-INPUT 1 -i br0 -p udp --dport 3492 -j ACCEPT
-iptables -I ipt-helper-OUTPUT 1 -o br0 -p udp --dport 3492 -j ACCEPT
+# pvsmgr: allow outgoing discovery reply (unicast)
 iptables -I ipt-helper-OUTPUT 1 -o br0 -p udp --sport 3492 -j ACCEPT
+# pvsclient: allow outgoing discovery (broadcast)
+iptables -I ipt-helper-OUTPUT 1 -o br0 -p udp --dport 3492 -j ACCEPT
+# pvsclient: allow incoming discovery reply (unicast)
+iptables -I ipt-helper-INPUT 1 -i br0 -p udp --sport 3492 -j ACCEPT
 # VNC connection - incoming and outgoing - small range as we use -autoport
 iptables -I ipt-helper-INPUT 1 -i br0 -p tcp --dport 54112:54122 -j ACCEPT
 iptables -I ipt-helper-OUTPUT 1 -o br0 -p tcp --dport 54112:54122 -j ACCEPT
--
cgit v1.2.3-55-g7522
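Review bot: The added rule under `# pvsclient: allow incoming discovery reply (unicast)` matches only on `--sport 3492`, so it accepts UDP from br0 to every local destination port and does not confine the exception to the discovery client. The match is presumably stateless because a unicast reply to a broadcast query is not paired by ordinary connection tracking, but it can still be narrowed: if pvsclient sends discovery from a fixed port, add `--dport <pvsclient-discovery-port>` (placeholder), and/or limit the peer with `-s <classroom-subnet>` (placeholder). If neither is feasible, record the trade-off above the rule, e.g. `# NOTE: source-port match only; does not restrict which local UDP port is reached`. The unchanged OUTPUT `--sport 3492` rule has the same shape for outbound traffic and deserves the same comment.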