Correct some stuff
This commit is contained in:
parent
ceb7b6b5cd
commit
25df845769
@ -260,8 +260,11 @@ common.run_os_command(
|
|||
# Set up the basic features of the nftables firewall
|
||||
nftables_base_rules = """# Base rules
|
||||
flush ruleset
|
||||
# Add the filter table and chains
|
||||
add table inet filter
|
||||
add chain inet filter forward {{ type filter hook forward priority 0; }}
|
||||
add chain inet filter input {{ type filter hook input priority 0; }}
|
||||
# Include static rules and network rules
|
||||
include "{rulesdir}/static/*"
|
||||
include "{rulesdir}/networks/*"
|
||||
""".format(
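Review bot: Neither `add chain inet filter forward` nor `add chain inet filter input` in this hunk declares a `policy`, so both run with the nftables default of accept, and anything not explicitly dropped by an included rule is forwarded or delivered. If accept-by-default is intended, state it where the policy would otherwise go, e.g. `add chain inet filter forward {{ type filter hook forward priority 0; policy accept; }}`, so the next reader does not assume the static/network includes close the table. `flush ruleset` at the top of the script also discards every table that any other software on the host has installed, not only this one's; a one-line comment recording that this host is expected to have no other nftables users would document that assumption. The enclosing `nftables_base_rules = """…""".format(` statement continues past the end of the hunk.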
|
||||
@ -247,15 +247,26 @@ class VXNetworkInstance():
|
|||
)
|
||||
|
||||
def createFirewall(self):
|
||||
nftables_network_rules = """# Rules for network {chainname}
|
||||
add chain inet filter {chainname}
|
||||
add rule inet filter {chainname} counter
|
||||
# Jump from forward chain to this chain when matching netaddr
|
||||
add rule inet filter forward ip saddr {netaddr} counter jump {chainname}
|
||||
add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
|
||||
nftables_network_rules = """# Rules for network {vxlannic}
|
||||
add chain inet filter {vxlannic}-in
|
||||
add chain inet filter {vxlannic}-out
|
||||
add rule inet filter {vxlannic}-in counter
|
||||
add rule inet filter {vxlannic}-out counter
|
||||
# Jump from forward chain to this chain when matching net
|
||||
add rule inet filter forward ip daddr {netaddr} counter jump {vxlannic}-in
|
||||
add rule inet filter forward ip saddr {netaddr} counter jump {vxlannic}-out
|
||||
# Allow ICMP traffic into the router from network
|
||||
add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept
|
||||
# Allow DNS and DHCP traffic into the router from network
|
||||
add rule inet filter input tcp dport 53 meta iifname {bridgenic} counter accept
|
||||
add rule inet filter input udp dport 53 meta iifname {bridgenic} counter accept
|
||||
add rule inet filter input udp dport 67 meta iifname {bridgenic} counter accept
|
||||
# Block traffic into the router from network
|
||||
add rule inet filter input meta iifname {bridgenic} counter drop
|
||||
""".format(
|
||||
netaddr=self.ip_network,
|
||||
chainname=self.vxlan_nic
|
||||
vxlannic=self.vxlan_nic,
|
||||
bridgenic=self.bridge_nic
|
||||
)
|
||||
print(nftables_network_rules)
|
||||
with open(self.nftables_netconf_filename, 'w') as nfbasefile:
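Review bot: The new `{vxlannic}-in` and `{vxlannic}-out` chains contain only a `counter` rule and no verdict, so a packet the forward chain jumps into them with simply returns and is decided by the forward chain's own policy; as written these chains account for traffic but do not filter it. If per-network filtering is meant to be added later, a comment on the chain definitions should say so, e.g. `# -in/-out chains currently only count; the forward chain policy decides the verdict`. The `-out` jump keys on `ip saddr {netaddr}` rather than on the ingress interface, so traffic sent with a source address outside the network is not accounted in that chain; if the bridge is where guest traffic enters, matching on `meta iifname {bridgenic}` as the input rules already do would be more robust. `createFirewall` has no docstring — one sentence saying it renders the per-network chains plus the bridge-interface input accept/drop rules and writes them to `self.nftables_netconf_filename` would cover it — and the unconditional `print(nftables_network_rules)` looks like a leftover debug statement. The body of `createFirewall` continues past the `with open(...)` line at the end of the hunk.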
|
||||
|
@ -326,6 +337,9 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
|
|||
'--expand-hosts',
|
||||
'--domain={}'.format(self.domain),
|
||||
'--local=/{}/'.format(self.domain),
|
||||
'--auth-zone={}'.format(self.domain),
|
||||
# '--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),
|
||||
'--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway),
|
||||
'--listen-address={}'.format(self.ip_gateway),
|
||||
'--bind-interfaces',
|
||||
'--leasefile-ro',
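Review bot: With `--auth-peer` commented out on the line above `--auth-sec-servers`, dnsmasq (as I read its manual) accepts zone-transfer requests for the `--auth-zone` domain from any client, and `--listen-address` binds it on the gateway address that every host on this network can reach; if the peer restriction is deliberately disabled a comment should say why, otherwise `'--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),` should be restored. `--auth-sec-servers` is documented as taking the names of secondary servers (used to build the zone's NS records) rather than addresses, so the `127.0.0.1,[::1],{gateway}` value looks wrong there and is worth checking against the man page of the dnsmasq version in use. The argument list these lines belong to starts and ends outside the hunk.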
|
||||
|
@ -333,6 +347,7 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
|
|||
'--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
|
||||
'--dhcp-lease-max=99',
|
||||
'--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
|
||||
'--log-queries=extra',
|
||||
'--log-facility=DAEMON',
|
||||
'--keep-in-foreground'
|
||||
]
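Review bot: `--log-queries=extra` logs every DNS query, per the dnsmasq manual together with the requesting address, to the DAEMON facility, which on a busy network is substantial syslog volume and a retained record of what each client resolved; a comment stating whether this is a temporary debugging setting or intended audit logging would help the next maintainer decide whether to keep it. `--dhcp-lease-max=99` is an unexplained constant and deserves a short comment on how it was chosen. The enclosing list starts outside the hunk.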
|
||||
@ -14,7 +14,10 @@ import re
|
|||
#
|
||||
def get_zookeeper_key():
|
||||
# Get the interface from environment (passed by dnsmasq)
|
||||
interface = os.environ['DNSMASQ_INTERFACE']
|
||||
try:
|
||||
interface = os.environ['DNSMASQ_INTERFACE']
|
||||
except:
|
||||
exit(1)
|
||||
# Get the ID of the interface (the digits)
|
||||
network_vni = re.findall('\d+', interface)[0]
|
||||
# Create the key
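Review bot: The new `except:` at the top of `get_zookeeper_key` is a bare except, so it also swallows `SystemExit` and `KeyboardInterrupt`, and `exit(1)` is the interactive `site` helper rather than `sys.exit`; the lookup can only raise `KeyError`, so `except KeyError:` followed by `sys.exit(1)` (importing `sys` if the file does not already) is the precise form. The guard also does not cover the next failure mode: `re.findall('\d+', interface)[0]` raises `IndexError` when the interface name contains no digits, which crashes the hook in the same way the missing variable did before, so the match list should be checked before indexing (or `IndexError` handled alongside) to keep the exit path uniform. `'\d+'` should be a raw string, `r'\d+'`, since `'\d'` is an invalid escape that newer interpreters warn about. The body of `get_zookeeper_key` continues past `# Create the key` at the end of the hunk.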
|
||||
|
|