Correct some stuff

router-daemon/pvcrd/Daemon.py

@@ -260,8 +260,11 @@ common.run_os_command(
 # Set up the basic features of the nftables firewall
 nftables_base_rules = """# Base rules
 flush ruleset
+# Add the filter table and chains
 add table inet filter
 add chain inet filter forward {{ type filter hook forward priority 0; }}
+add chain inet filter input {{ type filter hook input priority 0; }}
+# Include static rules and network rules
 include "{rulesdir}/static/*"
 include "{rulesdir}/networks/*"
 """.format(

router-daemon/pvcrd/VXNetworkInstance.py

@@ -247,15 +247,26 @@ class VXNetworkInstance():
         )
 
     def createFirewall(self):
-        nftables_network_rules = """# Rules for network {chainname}
+        nftables_network_rules = """# Rules for network {vxlannic}
-add chain inet filter {chainname}
+add chain inet filter {vxlannic}-in
-add rule inet filter {chainname} counter
+add chain inet filter {vxlannic}-out
-# Jump from forward chain to this chain when matching netaddr
+add rule inet filter {vxlannic}-in counter
-add rule inet filter forward ip saddr {netaddr} counter jump {chainname}
+add rule inet filter {vxlannic}-out counter
-add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
+# Jump from forward chain to this chain when matching net
+add rule inet filter forward ip daddr {netaddr} counter jump {vxlannic}-in
+add rule inet filter forward ip saddr {netaddr} counter jump {vxlannic}-out
+# Allow ICMP traffic into the router from network
+add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept
+# Allow DNS and DHCP traffic into the router from network
+add rule inet filter input tcp dport 53 meta iifname {bridgenic} counter accept
+add rule inet filter input udp dport 53 meta iifname {bridgenic} counter accept
+add rule inet filter input udp dport 67 meta iifname {bridgenic} counter accept
+# Block traffic into the router from network
+add rule inet filter input meta iifname {bridgenic} counter drop
 """.format(
             netaddr=self.ip_network,
-            chainname=self.vxlan_nic
+            vxlannic=self.vxlan_nic,
+            bridgenic=self.bridge_nic
         )
         print(nftables_network_rules)
         with open(self.nftables_netconf_filename, 'w') as nfbasefile:
@@ -326,6 +337,9 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
                 '--expand-hosts',
                 '--domain={}'.format(self.domain),
                 '--local=/{}/'.format(self.domain),
+                '--auth-zone={}'.format(self.domain),
+#                '--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),
+                '--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway),
                 '--listen-address={}'.format(self.ip_gateway),
                 '--bind-interfaces',
                 '--leasefile-ro',
@@ -333,6 +347,7 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
                 '--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
                 '--dhcp-lease-max=99',
                 '--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
+                '--log-queries=extra',
                 '--log-facility=DAEMON',
                 '--keep-in-foreground'
             ]

router-daemon/pvcrd/dnsmasq-zookeeper-leases.py

@@ -14,7 +14,10 @@ import re
 #
 def get_zookeeper_key():
     # Get the interface from environment (passed by dnsmasq)
+    try:
         interface = os.environ['DNSMASQ_INTERFACE']
+    except:
+        exit(1)
     # Get the ID of the interface (the digits)
     network_vni = re.findall('\d+', interface)[0]
     # Create the key