From 1c1dd52325aed2640576ffb1cc9b7e4e3949552b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 4 Sep 2024 16:44:46 +0200
Subject: [PATCH] proxmox: support public services for firewall

If no allowed IPs are set for a service, allow connections from anywhere.
---
 roles/proxmox/templates/cluster.fw.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/proxmox/templates/cluster.fw.j2 b/roles/proxmox/templates/cluster.fw.j2
index a5981ba..41fd5ed 100644
--- a/roles/proxmox/templates/cluster.fw.j2
+++ b/roles/proxmox/templates/cluster.fw.j2
@@ -11,11 +11,15 @@ IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('famil
 {% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set ports = service.ports | compact_numlist(range_delimiter=':') %}
+{% if prefixes %}
 {% if prefixes | ipv4 %}
 IN ACCEPT -source {{ prefixes | ipv4 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
 {% endif %}
 {% if prefixes | ipv6 %}
 IN ACCEPT -source {{ prefixes | ipv6 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
 {% endif %}
+{% else %}
+IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
+{% endif %}
 {% endfor %}
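Review bot: The new `{% else %}` branch turns an empty `prefixes` into a fail-open rule: any service whose `allowed_prefixes` result is empty — whether because it was deliberately left unset or because every configured entry was dropped or mistyped — gets an `IN ACCEPT` with no `-source`, so a restriction that silently evaluates to nothing exposes the port to every address. It would be safer to gate the unrestricted rule on an explicit per-service opt-in attribute (name to be chosen) rather than on the absence of prefixes, or at minimum to make the rendered rule self-describing so the generated cluster.fw can be audited, e.g. `IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }} (public, no source restriction)`. A template comment above the `{% if prefixes %}` line, `{# empty allowed_prefixes means the service is reachable from any source #}`, would also record the intent stated in the commit message where future editors will see it. The hunk header shows the preceding node-to-node `IN ACCEPT -source` rule only in truncated form, so I cannot tell whether it also relies on a non-empty filter result.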