Correct some stuff

2018-10-09 22:38:40 -04:00 · 2018-10-09 22:38:40 -04:00 · 25df845769
parent ceb7b6b5cd
commit 25df845769
3 changed files with 29 additions and 8 deletions
--- a/router-daemon/pvcrd/Daemon.py
+++ b/router-daemon/pvcrd/Daemon.py
@ -260,8 +260,11 @@ common.run_os_command(
 # Set up the basic features of the nftables firewall
 nftables_base_rules = """# Base rules
 flush ruleset
+# Add the filter table and chains
 add table inet filter
 add chain inet filter forward {{ type filter hook forward priority 0; }}
+add chain inet filter input {{ type filter hook input priority 0; }}
+# Include static rules and network rules
 include "{rulesdir}/static/*"
 include "{rulesdir}/networks/*"
 """.format(
--- a/router-daemon/pvcrd/VXNetworkInstance.py
+++ b/router-daemon/pvcrd/VXNetworkInstance.py
@ -247,15 +247,26 @@ class VXNetworkInstance():
        )

    def createFirewall(self):
-        nftables_network_rules = """# Rules for network {chainname}
-add chain inet filter {chainname}
-add rule inet filter {chainname} counter
-# Jump from forward chain to this chain when matching netaddr
-add rule inet filter forward ip saddr {netaddr} counter jump {chainname}
-add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
+        nftables_network_rules = """# Rules for network {vxlannic}
+add chain inet filter {vxlannic}-in
+add chain inet filter {vxlannic}-out
+add rule inet filter {vxlannic}-in counter
+add rule inet filter {vxlannic}-out counter
+# Jump from forward chain to this chain when matching net
+add rule inet filter forward ip daddr {netaddr} counter jump {vxlannic}-in
+add rule inet filter forward ip saddr {netaddr} counter jump {vxlannic}-out
+# Allow ICMP traffic into the router from network
+add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept
+# Allow DNS and DHCP traffic into the router from network
+add rule inet filter input tcp dport 53 meta iifname {bridgenic} counter accept
+add rule inet filter input udp dport 53 meta iifname {bridgenic} counter accept
+add rule inet filter input udp dport 67 meta iifname {bridgenic} counter accept
+# Block traffic into the router from network
+add rule inet filter input meta iifname {bridgenic} counter drop
 """.format(
            netaddr=self.ip_network,
-            chainname=self.vxlan_nic
+            vxlannic=self.vxlan_nic,
+            bridgenic=self.bridge_nic
        )
        print(nftables_network_rules)
        with open(self.nftables_netconf_filename, 'w') as nfbasefile:
@ -326,6 +337,9 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
                '--expand-hosts',
                '--domain={}'.format(self.domain),
                '--local=/{}/'.format(self.domain),
+                '--auth-zone={}'.format(self.domain),
+#                '--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),
+                '--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway),
                '--listen-address={}'.format(self.ip_gateway),
                '--bind-interfaces',
                '--leasefile-ro',
@ -333,6 +347,7 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
                '--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
                '--dhcp-lease-max=99',
                '--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
+                '--log-queries=extra',
                '--log-facility=DAEMON',
                '--keep-in-foreground'
            ]
--- a/router-daemon/pvcrd/dnsmasq-zookeeper-leases.py
+++ b/router-daemon/pvcrd/dnsmasq-zookeeper-leases.py
@ -14,7 +14,10 @@ import re
 #
 def get_zookeeper_key():
    # Get the interface from environment (passed by dnsmasq)
-    interface = os.environ['DNSMASQ_INTERFACE']
+    try:
+        interface = os.environ['DNSMASQ_INTERFACE']
+    except:
+        exit(1)
    # Get the ID of the interface (the digits)
    network_vni = re.findall('\d+', interface)[0]
    # Create the key