Correct some stuff

This commit is contained in:
Joshua Boniface 2018-10-09 22:38:40 -04:00
parent ceb7b6b5cd
commit 25df845769
3 changed files with 29 additions and 8 deletions

View File

@ -260,8 +260,11 @@ common.run_os_command(
# Set up the basic features of the nftables firewall # Set up the basic features of the nftables firewall
nftables_base_rules = """# Base rules nftables_base_rules = """# Base rules
flush ruleset flush ruleset
# Add the filter table and chains
add table inet filter add table inet filter
add chain inet filter forward {{ type filter hook forward priority 0; }} add chain inet filter forward {{ type filter hook forward priority 0; }}
add chain inet filter input {{ type filter hook input priority 0; }}
# Include static rules and network rules
include "{rulesdir}/static/*" include "{rulesdir}/static/*"
include "{rulesdir}/networks/*" include "{rulesdir}/networks/*"
""".format( """.format(

View File

@ -247,15 +247,26 @@ class VXNetworkInstance():
) )
def createFirewall(self): def createFirewall(self):
nftables_network_rules = """# Rules for network {chainname} nftables_network_rules = """# Rules for network {vxlannic}
add chain inet filter {chainname} add chain inet filter {vxlannic}-in
add rule inet filter {chainname} counter add chain inet filter {vxlannic}-out
# Jump from forward chain to this chain when matching netaddr add rule inet filter {vxlannic}-in counter
add rule inet filter forward ip saddr {netaddr} counter jump {chainname} add rule inet filter {vxlannic}-out counter
add rule inet filter forward ip daddr {netaddr} counter jump {chainname} # Jump from forward chain to this chain when matching net
add rule inet filter forward ip daddr {netaddr} counter jump {vxlannic}-in
add rule inet filter forward ip saddr {netaddr} counter jump {vxlannic}-out
# Allow ICMP traffic into the router from network
add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept
# Allow DNS and DHCP traffic into the router from network
add rule inet filter input tcp dport 53 meta iifname {bridgenic} counter accept
add rule inet filter input udp dport 53 meta iifname {bridgenic} counter accept
add rule inet filter input udp dport 67 meta iifname {bridgenic} counter accept
# Block traffic into the router from network
add rule inet filter input meta iifname {bridgenic} counter drop
""".format( """.format(
netaddr=self.ip_network, netaddr=self.ip_network,
chainname=self.vxlan_nic vxlannic=self.vxlan_nic,
bridgenic=self.bridge_nic
) )
print(nftables_network_rules) print(nftables_network_rules)
with open(self.nftables_netconf_filename, 'w') as nfbasefile: with open(self.nftables_netconf_filename, 'w') as nfbasefile:
@ -326,6 +337,9 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
'--expand-hosts', '--expand-hosts',
'--domain={}'.format(self.domain), '--domain={}'.format(self.domain),
'--local=/{}/'.format(self.domain), '--local=/{}/'.format(self.domain),
'--auth-zone={}'.format(self.domain),
# '--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),
'--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway),
'--listen-address={}'.format(self.ip_gateway), '--listen-address={}'.format(self.ip_gateway),
'--bind-interfaces', '--bind-interfaces',
'--leasefile-ro', '--leasefile-ro',
@ -333,6 +347,7 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
'--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end), '--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
'--dhcp-lease-max=99', '--dhcp-lease-max=99',
'--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir), '--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
'--log-queries=extra',
'--log-facility=DAEMON', '--log-facility=DAEMON',
'--keep-in-foreground' '--keep-in-foreground'
] ]

View File

@ -14,7 +14,10 @@ import re
# #
def get_zookeeper_key(): def get_zookeeper_key():
# Get the interface from environment (passed by dnsmasq) # Get the interface from environment (passed by dnsmasq)
try:
interface = os.environ['DNSMASQ_INTERFACE'] interface = os.environ['DNSMASQ_INTERFACE']
except:
exit(1)
# Get the ID of the interface (the digits) # Get the ID of the interface (the digits)
network_vni = re.findall('\d+', interface)[0] network_vni = re.findall('\d+', interface)[0]
# Create the key # Create the key