rework firewall setup

2023-09-24 20:59:58 +02:00 · 2023-09-24 20:59:58 +02:00 · cd48cf495d
commit cd48cf495d
parent be62c1270f
30 changed files with 145 additions and 122 deletions
--- a/bundles/nftables/metadata.py
+++ b/bundles/nftables/metadata.py
@ -35,7 +35,7 @@ if not node.has_bundle('vmhost'):
    }

@metadata_reactor.provides(
-    'nftables/rules/99-port_rules',
+    'nftables/input/99-port_rules',
 )
 def port_rules_to_nftables(metadata):
    # Using this, bundles can simply set up port based rules. This
@ -49,46 +49,47 @@ def port_rules_to_nftables(metadata):
        if '/' in portdef:
            port, proto = portdef.split('/', 2)

-            if proto not in {'udp'}:
+            if proto not in ('tcp', 'udp'):
                raise BundleError(f'firewall/port_rules: illegal identifier {portdef} in metadata for {node.name}')
        else:
            port = portdef
-            proto = 'tcp'
+            proto = None

        for target in targets:
-            if port == '*' and target == '*':
-                raise BundleError('firewall/port_rules: setting both port and target to * is unsupported')
+            if (
+                (port == '*' and target == '*')
+                or (target == '*' and proto is None)
+                or (port != '*' and proto is None)
+            ):
+                raise BundleError(f'firewall/port_rules: illegal combination of port, target and protocol: "{port}" "{target}" "{proto}"')

            comment = f'comment "port_rules {target}"'

            if port != '*':
                if ':' in port:
                    parts = port.split(':')
-                    port_str = f'{proto} dport {{ {parts[0]}-{parts[1]} }}'
+                    port_str = f'{proto} dport {{ {parts[0]}-{parts[1]} }} '
                else:
-                    port_str = f'{proto} dport {port}'
+                    port_str = f'{proto} dport {port} '
+            elif proto is not None:
+                port_str = f'meta l4proto {proto} '
            else:
-                port_str = f'meta l4proto {proto}'
+                port_str = ''

-            if target in ('ipv4', 'ipv6'):
-                version_str = f'meta nfproto {target}'
-            else:
-                version_str = ''
-
-            if target in ('*', 'ipv4', 'ipv6'):
-                ruleset.add(f'inet filter input {version_str} {port_str} accept {comment}')
+            if target == '*':
+                ruleset.add(f'{port_str}accept {comment}')
            else:
                resolved = repo.libs.tools.resolve_identifier(repo, target, linklocal=True)

                for address in resolved['ipv4']:
-                    ruleset.add(f'inet filter input meta nfproto ipv4 {port_str} ip saddr {address} accept {comment}')
+                    ruleset.add(f'{port_str}ip saddr {address} accept {comment}')

                for address in resolved['ipv6']:
-                    ruleset.add(f'inet filter input meta nfproto ipv6 {port_str} ip6 saddr {address} accept {comment}')
+                    ruleset.add(f'{port_str}ip6 saddr {address} accept {comment}')

    return {
        'nftables': {
-            'rules': {
+            'input': {
                # order does not matter here.
                '99-port_rules': sorted(ruleset),
            },