Correct some stuff

This commit is contained in:
Joshua Boniface 2018-10-09 22:38:40 -04:00
parent ceb7b6b5cd
commit 25df845769
3 changed files with 29 additions and 8 deletions


@ -260,8 +260,11 @@ common.run_os_command(
# Set up the basic features of the nftables firewall
nftables_base_rules = """# Base rules
flush ruleset
# Add the filter table and chains
add table inet filter
add chain inet filter forward {{ type filter hook forward priority 0; }}
add chain inet filter input {{ type filter hook input priority 0; }}
# Include static rules and network rules
include "{rulesdir}/static/*"
include "{rulesdir}/networks/*"
""".format(


@ -247,15 +247,26 @@ class VXNetworkInstance():
)
def createFirewall(self):
nftables_network_rules = """# Rules for network {chainname}
add chain inet filter {chainname}
add rule inet filter {chainname} counter
# Jump from forward chain to this chain when matching netaddr
add rule inet filter forward ip saddr {netaddr} counter jump {chainname}
add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
nftables_network_rules = """# Rules for network {vxlannic}
add chain inet filter {vxlannic}-in
add chain inet filter {vxlannic}-out
add rule inet filter {vxlannic}-in counter
add rule inet filter {vxlannic}-out counter
# Jump from forward chain to this chain when matching net
add rule inet filter forward ip daddr {netaddr} counter jump {vxlannic}-in
add rule inet filter forward ip saddr {netaddr} counter jump {vxlannic}-out
# Allow ICMP traffic into the router from network
add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept
# Allow DNS and DHCP traffic into the router from network
add rule inet filter input tcp dport 53 meta iifname {bridgenic} counter accept
add rule inet filter input udp dport 53 meta iifname {bridgenic} counter accept
add rule inet filter input udp dport 67 meta iifname {bridgenic} counter accept
# Block traffic into the router from network
add rule inet filter input meta iifname {bridgenic} counter drop
""".format(
netaddr=self.ip_network,
chainname=self.vxlan_nic
vxlannic=self.vxlan_nic,
bridgenic=self.bridge_nic
)
print(nftables_network_rules)
with open(self.nftables_netconf_filename, 'w') as nfbasefile:
@ -326,6 +337,9 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
'--expand-hosts',
'--domain={}'.format(self.domain),
'--local=/{}/'.format(self.domain),
'--auth-zone={}'.format(self.domain),
# '--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),
'--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway),
'--listen-address={}'.format(self.ip_gateway),
'--bind-interfaces',
'--leasefile-ro',
@ -333,6 +347,7 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
'--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
'--dhcp-lease-max=99',
'--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
'--log-queries=extra',
'--log-facility=DAEMON',
'--keep-in-foreground'
]
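Review bot: In the new `input` rules of the createFirewall hunk, `ip protocol icmp` matches IPv4 only while the table family is `inet` and the closing `add rule inet filter input meta iifname {bridgenic} counter drop` is unconditional, so ICMPv6 (neighbour discovery included) arriving on the bridge would be dropped if that bridge ever carries IPv6; if IPv6 is in scope, add `add rule inet filter input meta l4proto ipv6-icmp meta iifname {bridgenic} counter accept` ahead of the drop, otherwise a one-line comment in the template stating the ruleset is IPv4-only avoids a surprise later. The `{vxlannic}-in` and `{vxlannic}-out` chains contain only a `counter` rule with no verdict, so each jump returns and the forward chain's own policy still decides the packet; that reads as deliberate scaffolding, but a comment such as `# Per-network chains currently only count; forwarding verdict is left to the forward chain` would make that explicit. The `print(nftables_network_rules)` on the line after the format call emits the whole rule set to stdout on every call and looks like leftover debugging. The rendered hunk appears to have dropped a blank line (its line counts do not match the lines shown), so the exact old/new split of the rule template is inferred.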


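--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -14,7 +14,10 @@ import re
 #
 def get_zookeeper_key():
 # Get the interface from environment (passed by dnsmasq)
-interface = os.environ['DNSMASQ_INTERFACE']
+try:
+interface = os.environ['DNSMASQ_INTERFACE']
+except:
+exit(1)
 # Get the ID of the interface (the digits)
 network_vni = re.findall('\d+', interface)[0]
 # Create the key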
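Review bot: The new guard around the `os.environ['DNSMASQ_INTERFACE']` lookup uses a bare `except:` and the site-module `exit()`; the bare clause also swallows `SystemExit` and `KeyboardInterrupt`, and only `KeyError` can come from that lookup, so narrow it to `except KeyError:` and use `sys.exit(1)` (adding `import sys` at the top of the file if it is not already there — the import block is outside this hunk). The guard also does not cover the failure mode one line below it: when the variable is set but its value contains no digits, `re.findall('\d+', interface)[0]` raises `IndexError` and the hook dies with a traceback rather than the clean non-zero exit this change introduces, so the same handling should wrap the `[0]` access (and the pattern should be a raw string, `r'\d+'`, to avoid the invalid-escape warning). Since the value originates from the environment dnsmasq passes in, failing closed on an unexpected interface name rather than deriving a key from a partial match is the safer behaviour. `get_zookeeper_key` continues beyond the end of the hunk.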