modify nodes and bundles for new nftables syntax

2021-06-03 13:59:15 +02:00 · 2021-06-03 13:59:15 +02:00 · d569b00960
commit d569b00960
parent ecb67d012b
30 changed files with 172 additions and 126 deletions
--- a/bundles/dhcpd/metadata.py
+++ b/bundles/dhcpd/metadata.py
@ -37,18 +37,20 @@ def get_static_allocations(metadata):


@metadata_reactor.provides(
-    'iptables/bundle_rules/dhcpd',
+    'nftables/rules/input/dhcpd',
 )
-def iptables(metadata):
+def nftables(metadata):
    rules = set()
-    for subnet in node.metadata.get('dhcpd/subnets', {}):
-        rules.add('iptables -A INPUT -i {} -p udp --dport 67:68 -j ACCEPT'.format(subnet))
+    for iface in node.metadata.get('dhcpd/subnets', {}):
+        rules.add(f'udp dport {{ 67, 68 }} iif {iface} accept')

    return {
-        'iptables': {
-            'bundle_rules': {
-                # can't use port_rules here, because we're generating interface based rules.
-                'dhcpd': sorted(list(rules)),
+        'nftables': {
+            'rules': {
+                'input': {
+                    # can't use port_rules here, because we're generating interface based rules.
+                    'dhcpd': sorted(rules),
+                },
            },
        }
    }
--- a/bundles/dovecot/metadata.py
+++ b/bundles/dovecot/metadata.py
@ -76,13 +76,13 @@ def import_database_settings_from_postfixadmin(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules/143',
-    'iptables/port_rules/993',
-    'iptables/port_rules/4190',
+    'firewall/port_rules/143',
+    'firewall/port_rules/993',
+    'firewall/port_rules/4190',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                # imap(s)
                '143': atomic(metadata.get('dovecot/restrict-to', {'*'})),
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -103,11 +103,11 @@ def add_users_from_json(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules/5665',
+    'firewall/port_rules/5665',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '5665': atomic(metadata.get('icinga2/restrict-to', set())),
            },
--- a/bundles/kodi/metadata.py
+++ b/bundles/kodi/metadata.py
@ -44,11 +44,11 @@ defaults = {


@metadata_reactor.provides(
-    'iptables/port_rules/8080',
+    'firewall/port_rules/8080',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '8080': atomic(metadata.get('kodi/restrict-to', {'*'})),
            },
--- a/bundles/mosquitto/metadata.py
+++ b/bundles/mosquitto/metadata.py
@ -26,9 +26,9 @@ defaults = {


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    sources = metadata.get('mosquitto/restrict-to', {'*'})
    result = {}

@ -36,7 +36,7 @@ def iptables(metadata):
        result[listener] = atomic(sources)

    return {
-        'iptables': {
+        'firewall': {
            'port_rules': result,
        },
    }
--- a/bundles/netdata/metadata.py
+++ b/bundles/netdata/metadata.py
@ -19,11 +19,11 @@ defaults = {


@metadata_reactor.provides(
-    'iptables/port_rules/19999',
+    'firewall/port_rules/19999',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '19999': atomic(metadata.get('netdata/restrict-to', set())),
            },
--- a/bundles/nfs-server/metadata.py
+++ b/bundles/nfs-server/metadata.py
@ -10,9 +10,9 @@ defaults = {


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    ips = set()

    for share_items in metadata.get('nfs-server/shares', {}).values():
@ -20,7 +20,7 @@ def iptables(metadata):
            ips.add(share_target)

    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '111': atomic(ips),
                '111/udp': atomic(ips),
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -169,12 +169,12 @@ def monitoring(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules/80',
-    'iptables/port_rules/443',
+    'firewall/port_rules/80',
+    'firewall/port_rules/443',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '80': atomic(metadata.get('nginx/restrict-to', {'*'})),
                '443': atomic(metadata.get('nginx/restrict-to', {'*'})),
--- a/bundles/oidentd/metadata.py
+++ b/bundles/oidentd/metadata.py
@ -10,11 +10,11 @@ defaults = {


@metadata_reactor.provides(
-    'iptables/port_rules/113',
+    'firewall/port_rules/113',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '113': atomic(metadata.get('oidentd/restrict-to', {'*'})),
            },
--- a/bundles/openssh/metadata.py
+++ b/bundles/openssh/metadata.py
@ -16,11 +16,11 @@ defaults = {
 }

@metadata_reactor.provides(
-    'iptables/port_rules/22',
+    'firewall/port_rules/22',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '22': atomic(metadata.get('openssh/restrict-to', {'*'})),
            },
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@ -18,7 +18,7 @@ alias_maps = hash:/etc/aliases
 relayhost = ${node.metadata['postfix']['relayhost']}
 % endif

-% if node.has_bundle('postfixadmin') or node.has_bundle('iptables'):
+% if node.has_bundle('postfixadmin') or node.has_bundle('nftables'):
 inet_interfaces = all
 % else:
 inet_interfaces = 127.0.0.1
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@ -100,11 +100,11 @@ def letsencrypt(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules/25',
-    'iptables/port_rules/587',
-    'iptables/port_rules/2525',
+    'firewall/port_rules/25',
+    'firewall/port_rules/587',
+    'firewall/port_rules/2525',
 )
-def iptables(metadata):
+def firewall(metadata):
    if node.has_bundle('postfixadmin'):
        default = {'*'}
    else:
@ -119,7 +119,7 @@ def iptables(metadata):
        rules['2525'] = atomic(metadata.get('postfix/restrict-to', default))

    return {
-        'iptables': {
+        'firewall': {
            'port_rules': rules,
        },
    }
--- a/bundles/powerdns/metadata.py
+++ b/bundles/powerdns/metadata.py
@ -182,11 +182,11 @@ def hosts_entries_for_all_dns_servers(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '53': atomic(metadata.get('powerdns/restrict-to', {'*'})),
                '53/udp': atomic(metadata.get('powerdns/restrict-to', {'*'})),
--- a/bundles/pppd/files/ip-down
+++ b/bundles/pppd/files/ip-down
@ -1,6 +1,6 @@
 #!/bin/bash

-rm /etc/iptables-rules.d/90-pppd
+rm /etc/nftables-rules.d/90-pppd
 rm /etc/sysctl.d/90-pppd.conf

-/usr/local/sbin/iptables-enforce
+systemctl reload nftables
--- a/bundles/pppd/files/ip-up
+++ b/bundles/pppd/files/ip-up
@ -2,9 +2,9 @@

 INTERFACE=$1

-echo "iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE" > /etc/iptables-rules.d/90-pppd
+echo "add rule nat postrouting oif $INTERFACE masquerade" > /etc/nftables-rules.d/90-pppd
 echo "net.ipv6.conf.$INTERFACE.accept_ra=2" > /etc/sysctl.d/90-pppd.conf

-/usr/local/sbin/iptables-enforce
+systemctl reload nftables

 rdisc6 $INTERFACE
--- a/bundles/pppd/items.py
+++ b/bundles/pppd/items.py
@ -32,7 +32,7 @@ directories = {
 }

 files = {
-    '/etc/iptables-rules.d/90-pppd': {
+    '/etc/nftables-rules.d/90-pppd': {
        'content_type': 'any',
    },
    '/etc/ppp/chap-secrets': {
@ -53,11 +53,11 @@ files = {
            'svc_systemd:pppoe:restart',
        },
    },
-    '/etc/ppp/ip-down.d/iptables': {
+    '/etc/ppp/ip-down.d/nftables': {
        'source': 'ip-down',
        'mode': '0755',
    },
-    '/etc/ppp/ip-up.d/iptables': {
+    '/etc/ppp/ip-up.d/nftables': {
        'source': 'ip-up',
        'mode': '0755',
    },
--- a/bundles/transmission/metadata.py
+++ b/bundles/transmission/metadata.py
@ -50,11 +50,11 @@ if node.has_bundle('telegraf'):


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                str(metadata.get('transmission/config/peer-port')): atomic({'*'}),
                str(metadata.get('transmission/config/peer-port')) + '/udp': atomic({'*'}),
--- a/bundles/unbound/files/unbound.conf
+++ b/bundles/unbound/files/unbound.conf
@ -10,8 +10,8 @@ server:

    num-threads: ${threads}

-% if node.has_bundle('iptables') and not node.has_bundle('vmhost'):
-    # Use iptables to manage access to this service
+% if node.has_bundle('nftables') and not node.has_bundle('vmhost'):
+    # Use nftables to manage access to this service
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
--- a/bundles/unbound/metadata.py
+++ b/bundles/unbound/metadata.py
@ -56,11 +56,11 @@ def cpu_cores_to_config_values(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '53': atomic(metadata.get('unbound/restrict-to', set())),
                '53/udp': atomic(metadata.get('unbound/restrict-to', set())),
--- a/bundles/vmhost/items.py
+++ b/bundles/vmhost/items.py
@ -3,3 +3,24 @@ files = {
        'mode': '0755',
    },
 }
+
+if node.has_bundle('nftables'):
+    # libvirt on debian depends on either iptables or firewalld. Since
+    # we're managing firewall rules using bundlewrap, we don't want either
+    # of thos to interfere. So we install firewalld, then ensure it is
+    # never running. After that, we ensure the bundlewrap managed rules
+    # are active.
+    svc_systemd['firewalld'] = {
+        'running': False,
+        'enabled': False,
+        'masked': True,
+        'needs': {
+            'pkg_apt:firewalld',
+        },
+        'needed_by': {
+            'svc_systemd:nftables',
+        },
+        'triggers': {
+            'svc_systemd:nftables:reload',
+        },
+    }
--- a/bundles/vmhost/metadata.py
+++ b/bundles/vmhost/metadata.py
@ -28,3 +28,10 @@ if node.os == 'debian' and node.os_version[0] < 11:

 if node.has_bundle('zfs'):
    defaults['apt']['packages']['libvirt-daemon-driver-storage-zfs'] = {}
+
+if node.has_bundle('nftables'):
+    defaults['apt']['packages']['firewalld'] = {
+        'needed_by': {
+            'pkg_apt:libvirt-daemon-system',
+        },
+    }
--- a/bundles/webfs/metadata.py
+++ b/bundles/webfs/metadata.py
@ -16,11 +16,11 @@ defaults = {


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                str(metadata.get('webfs/port')): atomic(metadata.get('webfs/restrict-to', {'*'})),
            },
--- a/bundles/wide-dhcp6c/metadata.py
+++ b/bundles/wide-dhcp6c/metadata.py
@ -4,12 +4,14 @@ defaults = {
            'wide-dhcpv6-client': {},
        },
    },
-    'iptables': {
-        'bundle_rules': {
-            'wide-dhcp6c': [
-                'ip6tables -A INPUT -p udp -s ff00::/12 -j ACCEPT',
-                'ip6tables -A INPUT -p udp -s fe80::/10 -j ACCEPT',
-            ],
+    'nftables': {
+        'rules': {
+            'input': {
+                'wide-dhcp6c': [
+                    'udp dport { 546, 547 } ip6 saddr ff00::/12 accept',
+                    'udp dport { 546, 547 } ip6 saddr fe80::/10 accept',
+                ],
+            },
        },
    },
    'icinga2_api': {
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -18,12 +18,14 @@ defaults = {
            },
        },
    },
-    'iptables': {
-        'bundle_rules': {
-            'wireguard': [
-                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
-                'iptables_both -A FORWARD -o wg0 -j ACCEPT',
-            ],
+    'nftables': {
+        'rules': {
+            'forward': {
+                'wireguard': [
+                    'iif wg0 accept',
+                    'oif wg0 accept',
+                ],
+            },
        },
    },
    'wireguard': {
@ -149,9 +151,9 @@ def icinga2(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    sources = set(metadata.get('wireguard/restrict-to', set()))
    for peer_name in metadata.get('wireguard/peers'):
        try:
@ -162,7 +164,7 @@ def iptables(metadata):
            sources.add(peer_name)

    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '51820/udp': atomic(sources),
            },