bundles/nftables: store rules in dedicated files instead of nftables.conf

Franzi 2021-12-14 14:03:13 +01:00
parent 1742f51778
commit 0101e0c92d
Signed by: kunsi
GPG key ID: 12E3D2136B818350
11 changed files with 77 additions and 102 deletions


@ -9,12 +9,13 @@ defaults = {
'pacman': {
'packages': {
'nftables': {},
'iptables': {
'installed': False,
'needed_by': {
'pkg_pacman:iptables-nft',
},
},
# https://github.com/bundlewrap/bundlewrap/issues/688
# 'iptables': {
# 'installed': False,
# 'needed_by': {
# 'pkg_pacman:iptables-nft',
# },
# },
'iptables-nft': {
'needed_by': {
'pkg_pacman:nftables',
@ -34,7 +35,7 @@ if not node.has_bundle('vmhost'):
}
@metadata_reactor.provides(
'nftables/rules/input/port_rules',
'nftables/rules/99-port_rules',
)
def port_rules_to_nftables(metadata):
# Using this, bundles can simply set up port based rules. This
@ -63,36 +64,33 @@ def port_rules_to_nftables(metadata):
if port != '*':
if ':' in port:
parts = port.split(':')
port_str = f'dport {{ {parts[0]}-{parts[1]} }} '
port_str = f'{proto} dport {{ {parts[0]}-{parts[1]} }}'
else:
port_str = f'dport {port} '
prefix = ''
port_str = f'{proto} dport {port}'
else:
port_str = ''
prefix = 'meta l4proto '
port_str = f'meta l4proto {proto}'
if target == '*':
ruleset.add(f'{prefix}{proto} {port_str}accept {comment}')
elif target == 'ipv4':
ruleset.add(f'{prefix}{proto} {port_str}ip version 4 accept {comment}')
elif target == 'ipv6':
ruleset.add(f'{prefix}{proto} {port_str}ip6 version 6 accept {comment}')
if target in ('ipv4', 'ipv6'):
version_str = f'meta nfproto {target}'
else:
version_str = ''
if target in ('*', 'ipv4', 'ipv6'):
ruleset.add(f'inet filter input {version_str} {port_str} accept {comment}')
else:
resolved = repo.libs.tools.resolve_identifier(repo, target)
for address in resolved['ipv4']:
ruleset.add(f'{prefix}{proto} {port_str}ip saddr {address} accept {comment}')
ruleset.add(f'inet filter input meta nfproto ipv4 {port_str} ip saddr {address} accept {comment}')
for address in resolved['ipv6']:
ruleset.add(f'{prefix}{proto} {port_str}ip6 saddr {address} accept {comment}')
ruleset.add(f'inet filter input meta nfproto ipv6 {port_str} ip6 saddr {address} accept {comment}')
return {
'nftables': {
'rules': {
# order does not matter here.
'input': {
'port_rules': sorted(ruleset),
},
'99-port_rules': sorted(ruleset),
},
},
}
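Review bot: The range branch keeps `parts = port.split(':')` and reads only `parts[0]` and `parts[1]`, so a mistyped spec with a second colon (constructed example: `'80:90:100'`) silently becomes `tcp dport { 80-90 }` — a rule nft loads without complaint but that is not what the bundle author wrote. Unpacking instead, `start, end = port.split(':')` followed by `port_str = f'{proto} dport {{ {start}-{end} }}'`, fails at metadata time with a ValueError, which is the preferable failure for firewall input rules; a quick `int()` on both ends would likewise reject non-numeric values before they reach nftables. A smaller style point in the same hunk: when `target` is `'*'`, `version_str` is the empty string and the `inet filter input {version_str} {port_str} accept` f-string emits a double space; building the rule with `' '.join(p for p in ('inet filter input', version_str, port_str, 'accept', comment) if p)` keeps the output tidy. The enclosing `for` loop over ports and targets starts above this hunk, so the origin of `port`, `proto`, `target` and `comment` is not visible here.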